All known versions of Apache with mod_ssl support the SSLVerifyClient optional_no_ca setting to turn off certificate evaluation. However, even with this option, the depth of the certificate chain presented by the client is still evaluated, and in an unexpected way. Therefore, disabling verification must be accompanied by a high setting for SSLVerifyDepth. It also appears that key usage extensions and certificate expiration may be enforced by mod_ssl in some cases, particularly in older versions.

In addition, newer versions of Apache + mod_ssl, specifically including 2.2.x, will accept expired client certificates from an SP only if they are not self-signed. Essentially they ignore the intent behind the "no_ca" notion: they still construct a path, and if the root of that path is expired, verification fails, even though the root is not actually trusted. With a self-signed certificate, the root is the certificate itself, so an expired certificate fails. The solution is to ensure that self-signed certificates are long-lived and to renew them as needed.
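The SSLVerifyDepth caveat above is easy to miss in a large httpd.conf, so here is an added audit script (not part of the original page or of the Shibboleth or Apache projects) that flags any scope setting SSLVerifyClient optional_no_ca without an adequately high SSLVerifyDepth. The sample configuration is constructed, and the threshold of 10 is an assumed default, since the page gives no number.

```python
import re

# Constructed sample httpd.conf fragment: the first vhost disables CA checks
# but leaves SSLVerifyDepth at its mod_ssl default; the second is configured
# as the page recommends.
SAMPLE_CONF = """\
<VirtualHost *:443>
    ServerName sp.example.org
    SSLEngine on
    # SP clients present self-signed certificates; CA validation is off
    SSLVerifyClient optional_no_ca
</VirtualHost>
<VirtualHost *:8443>
    ServerName idp.example.org
    SSLEngine on
    SSLVerifyClient optional_no_ca
    SSLVerifyDepth 10
</VirtualHost>
"""

# Apache directive and section names are case-insensitive.
DIRECTIVE = re.compile(r"^(SSLVerifyClient|SSLVerifyDepth)\s+(\S+)", re.IGNORECASE)
BLOCK_OPEN = re.compile(
    r"^<(VirtualHost|LocationMatch|Location|DirectoryMatch|Directory)\b([^>]*)>",
    re.IGNORECASE)
BLOCK_CLOSE = re.compile(r"^</(VirtualHost|LocationMatch|Location|DirectoryMatch|Directory)>",
                         re.IGNORECASE)

def audit_ssl_verify(conf_text, min_depth=10):
    """Return (scope, effective_depth) for every scope that sets
    SSLVerifyClient optional_no_ca with SSLVerifyDepth below min_depth.
    Directives set outside any section act as the server-wide default,
    which sections inherit unless they override it."""
    settings = {"(global)": {}}
    stack = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # Apache comments are whole lines
            continue
        if m := BLOCK_OPEN.match(line):
            name = f"{m.group(1)} {m.group(2).strip()}"
            stack.append(name)
            settings.setdefault(name, {})
        elif BLOCK_CLOSE.match(line):
            if stack:
                stack.pop()
        elif m := DIRECTIVE.match(line):
            scope = stack[-1] if stack else "(global)"
            settings[scope][m.group(1).lower()] = m.group(2)
    glob, findings = settings["(global)"], []
    for scope, vals in settings.items():
        client = vals.get("sslverifyclient", glob.get("sslverifyclient"))
        if client is None or client.lower() != "optional_no_ca":
            continue
        # mod_ssl's built-in default for SSLVerifyDepth is 1
        depth_raw = vals.get("sslverifydepth", glob.get("sslverifydepth", "1"))
        depth = int(depth_raw) if depth_raw.isdigit() else 0
        if depth < min_depth:
            findings.append((scope, depth))
    return findings
```

Running `audit_ssl_verify(SAMPLE_CONF)` reports only the first vhost, with its effective depth of 1.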