如何配置 Apache 以接受具有 TLS v1.2 的過期客戶端證書？ (How configure Apache to accept expired client certificate with TLS v1.2?)

問題描述

如何配置 Apache 以接受具有 TLS v1.2 的過期客戶端證書？ (How configure Apache to accept expired client certificate with TLS v1.2?)

MacOS Server 5.7.1：我有很多 Mdm 身份設備證書過期的設備的問題（對於 5.7.1 之前的 macOS Server 的一個錯誤，沒有更新它們）

目前遠程設備無法連接到服務器，因為 TLS 1.2 協議檢查客戶端證書的到期日期。但是要發送新證書，連接應該完成，否則我們必須重新初始化每個應該遠程控制的 iPad。

你知道有沒有辦法讓 OS X Apache 接受它？

<Location "/devicemanagement/mdm/mdm_connect">
 SSLRequireSSL
 SSLVerifyClient require
 SSLVerifyDepth 2
 SSLOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate +LegacyCertChainVerify
 SSLRenegBufferSize 2097152
 RequestHeader set X‑PM‑REMOTE_ADDR          "%{REMOTE_ADDR}s"
 RequestHeader set X‑PM‑SSL_CLIENT_V_REMAIN  "%{SSL_CLIENT_V_REMAIN}s"
 RequestHeader set X‑PM‑SSL_CLIENT_S_DN_CN   "%{SSL_CLIENT_S_DN_CN}s"
 RequestHeader set X‑PM‑SSL_CLIENT_VERIFY    "%{SSL_CLIENT_VERIFY}s"
 ProxyPass unix:/Library/Server/ProfileManager/Config/var/dmhttpd.sock|http://dmhttpd/devicemanagement/secure/mdm_connect
</Location>

參考解法

方法 1:

You have configured device checkin url to mandatory very certificate. If device certificates are expired you can configure it as

SSLVerifyClient optional

And perform all the validation tasks in your servlets .

(by Umberto Migliore、Srikanth Gopalakrishnan)

參考文件

1. How configure Apache to accept expired client certificate with TLS v1.2? (CC BY‑SA 2.5/3.0/4.0)