This configuration is not valid and can never work. You cannot match ssl verification error codes on a frontend where you don’t terminate SSL.
Take a look at the following thread to understand how you can use different error codes:
In short, you will have to ignore all errors during SSL handshake and make application level decisions based on the error codes.
The bind line with ssl needs to have:
verify optional crt-ignore-err all
And you will need to content switch:
# allow access if client certificate is provided + validated without errors
use_backend backend_http if { ssl_c_used } { ssl_c_verify 0 }
# allow access if client certificate is provided + validated, with expiration error
use_backend backend_http if { ssl_c_used } { ssl_c_verify 10 }
# use backend ssl_verification_error to return a SSL certification message
default_backend ssl_verification_error