Right now when you use SSLVerifyClient optional_no_ca, and the client presents a certificate that is either not ready, expired, or revoked then the handshake fails and the connection is cut. Most of the time it's not really clear to the client why that happened. I'd like to have a debug sort of option where when one of those problems are encountered, rather than cutting the connection it would continue to serve the request but the SSL_CLIENT_VERIFY would of course be FAILED.
I'd like to work on a patch that would accomplish this and wanted to see if it would be considered acceptable to simply expand the optional_no_ca option to skip these extra errors (perhaps renaming it?), or if I should add another option to SSLVerifyClient.
