FWIW, openldap HEAD now has a fix that eliminates the need for the ugly SSL_library_init() call I had in my "illustrative" patch.
Executive Summary:

- per apache doc, Novell doesn't use per-connection client certs
- per apache doc, WIN32 doesn't use per-connection client certs (unknown, maybe windows magic outside of httpd config)
- per apache doc, Moz/NS should be able to push a cert nickname per directory; AFAICT this is a no-go w/ the 2.2.3/trunk code because of the client_cert array not being managed correctly.
- per apache doc, openldap should be able to set client key/cert per directory; AFAICT this is unsupported in openldap until HEAD today. Confirmed by openldap committer on IRC this evening.

I'll respin a patch that de-emphasizes "works with openldap alpha" and focuses more on making the "tls cert" doc and code sane.

-- 
Eric Covener [EMAIL PROTECTED]