> So Geoff is saying, "you must try" and at the next line "you must also
> succeed". With SSLVerifyClient optional, the semantics would be
> instead "Don't bother to insist for a certificate", "but if user
> forgot it, give him flaming death". Considered inappropriate :-)

I'm no expert here - I took the SSLRequire line from the test case on
httpd-dev, while all the other tests use SSLVerifyClient so I kept it
without really understanding things at all.

  http://marc.theaimsgroup.com/?l=apache-httpd-dev&m=110685418427430&w=2

so, are you saying that I can remove SSLVerifyClient here and all is ok?  all
I wanted was to exercise FakeBasicAuth + mod_auth_anon.

--Geoff
