--- modules/ssl/ssl_private.h.orig 2016-01-07 14:54:51.000000000 -0800 +++ modules/ssl/ssl_private.h 2016-01-07 15:53:23.000000000 -0800 @@ -291,6 +291,7 @@ #define SSL_OPT_STRICTREQUIRE (1<<5) #define SSL_OPT_OPTRENEGOTIATE (1<<6) #define SSL_OPT_LEGACYDNFORMAT (1<<7) +#define SSL_OPT_LEGACYCHAINVERIFY (1<<8) typedef int ssl_opt_t; /** --- modules/ssl/ssl_engine_config.c.orig 2016-01-07 14:54:51.000000000 -0800 +++ modules/ssl/ssl_engine_config.c 2016-01-07 15:54:34.000000000 -0800 @@ -1241,6 +1260,9 @@ else if (strcEQ(w, "LegacyDNStringFormat")) { opt = SSL_OPT_LEGACYDNFORMAT; } + else if (strcEQ(w, "LegacyCertChainVerify")) { + opt = SSL_OPT_LEGACYCHAINVERIFY; + } else { return apr_pstrcat(cmd->pool, "SSLOptions: Illegal option '", w, "'", --- modules/ssl/ssl_engine_kernel.c.orig 2015-11-19 11:55:25.000000000 -0800 +++ modules/ssl/ssl_engine_kernel.c 2016-02-17 08:27:30.000000000 -0800 @@ -1583,6 +1584,32 @@ */ return TRUE; } + /* + * Allow relaxed checking of cert chains wrt to the key usage of the CA certs + */ + if (!ok && (errnum == X509_V_ERR_INVALID_PURPOSE) && + (dc && (dc->nOptions & SSL_OPT_LEGACYCHAINVERIFY))) + { + ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, conn, APLOGNO(76433) + "Certificate Verification: the LegacyCertChainVerify option is set," + " X509_V_ERR_INVALID_PURPOSE(26) error ignored."); + X509_STORE_CTX_set_error(ctx, X509_V_OK); + ok = TRUE; + } + /* + * Apply relaxed checking to signature + */ + if (!ok && (errnum == X509_V_ERR_CERT_SIGNATURE_FAILURE) && + (dc && (dc->nOptions & SSL_OPT_LEGACYCHAINVERIFY))) + { + ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, conn, APLOGNO(76433) + "Certificate Verification: the LegacyCertChainVerify option is set," + " X509_V_ERR_CERT_SIGNATURE_FAILURE(7) error ignored."); + X509_STORE_CTX_set_error(ctx, X509_V_OK); + ok = TRUE; + } + + if (ssl_verify_error_is_optional(errnum) && (verify == SSL_CVERIFY_OPTIONAL_NO_CA))