Once upon a time Nathan Friess shaped the electrons to say...

> AFAIK, this situation isn't implemented yet for 2.x. Currently, the server
> just returns a 'forbidden' response. There's a long comment in
> modules/ssl/ssl_engine_kernel.c which explains it all. I'm running some
> scripts which accept data from posts, and I'd like to be able to use them
> over https where the clients use certificates to authenticate. A
> renegotiation is required when the certificate must be presented for only
> certain URLs. Since I made the changes -- at least for my own use -- I
> thought I'd see if they make sense and could be actually used for the
> mainstream sources. By the way, I noticed that there is less of a problem
> with clients running Mozilla, since Mozilla seems to send the certificate
> without asking. IE first tries without the certificate, and then
> renegotiates.

This is a problem which I've run into as well. Our "workaround" was to create another virtual server to which our customers would send POST requests with certificates explicitly. This is still a problem for people using SSL toolkits instead of browsers too. I'd love to see this fix go in for 1.3.x and 2.x.

-D

--
The things you own end up owning you.
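
The two setups discussed in this thread, as an added mod_ssl configuration example (not from either poster): a per-URL certificate requirement, which forces a renegotiation, beside the dedicated virtual server workaround. The addresses, host names and file paths are placeholders.

```apache
# Constructed example: addresses, host names and paths are placeholders.

# Per-URL requirement: the first handshake completes without asking for
# a client certificate. When a request maps to /upload, mod_ssl has to
# renegotiate to obtain one, which is the case the thread reports as
# failing for POST requests.
<VirtualHost 192.0.2.10:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/example/www.crt
    SSLCertificateKeyFile /etc/ssl/example/www.key
    SSLCACertificateFile  /etc/ssl/example/client-ca.crt

    <Location /upload>
        SSLVerifyClient require
        SSLVerifyDepth  1
    </Location>
</VirtualHost>

# Workaround: a separate virtual server used only for certificate-
# authenticated POSTs. SSLVerifyClient is set at server level, so the
# certificate is requested in the initial handshake and no renegotiation
# happens after the request has been sent.
<VirtualHost 192.0.2.11:443>
    ServerName post.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/example/post.crt
    SSLCertificateKeyFile /etc/ssl/example/post.key
    SSLCACertificateFile  /etc/ssl/example/client-ca.crt

    SSLVerifyClient require
    SSLVerifyDepth  1
</VirtualHost>
```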