Hey.

I guess I've found a solution on my own, well at least a partial one.
Here it is for those interested:

Don't set the "vhost-wide" SSLVerifyClient require directly in the
<VirtualHost> block, but either in a
<Location />
        SSLVerifyClient require
</Location>
or (if this is enough, as all the content lies in the filesystem) a
<Directory /vhost/documentRootPath/>
        SSLVerifyClient require
</Directory>
block.


Now it's possible to have single directories for which this is
selectively disabled, e.g.
<Directory /vhost/documentRootPath/public>
        SSLVerifyClient none
</Directory>
And it seems that no client certificate is requested when a client
directly ("at first") accesses something
below /vhost/documentRootPath/public .


In all other cases, when a connection is opened a renegotiation will be
enforced "immediately".
Not sure what this means for authentication, though. The docs say the
request itself is before the renegotiation but the response already
afterwards.
If SSL is enforced (SSLRequireSSL), then it should IMHO be technically
possible to even have the first request (that was pre-renegotiation)
authenticated (i.e. the user is verified for it).
The server caches it and if then a client certificate is presented, it
could know that even the first request was by the user with the DN
"foobar".

But I don't know whether Apache really does this.
Is there anybody who could confirm that this (authentication) would be
secure even for the request part (of the first request) before the
renegotiation?


Thanks,
Chris.
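The fragments in the post above, pulled together into one complete virtual host, as an added example that is not Chris's own configuration. The hostname and all certificate and key paths are placeholders; the directory paths are the ones used in the post.

```apache
# Added example, not from the original post. Hostname and certificate
# paths below are placeholders.
<VirtualHost *:443>
    ServerName vhost.example.invalid
    DocumentRoot /vhost/documentRootPath

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/vhost.pem       # placeholder
    SSLCertificateKeyFile /etc/ssl/private/vhost.key     # placeholder
    # CA(s) whose client certificates are accepted
    SSLCACertificateFile  /etc/ssl/certs/client-ca.pem   # placeholder
    SSLVerifyDepth 2

    # Require a client certificate for everything below the document root.
    # Setting it here instead of at the vhost level is what allows the
    # per-directory exception further down.
    <Directory /vhost/documentRootPath/>
        SSLRequireSSL
        SSLVerifyClient require
    </Directory>

    # Exception: no client certificate for the public tree. Nothing served
    # from here is client-authenticated, so only truly public content
    # belongs in it.
    <Directory /vhost/documentRootPath/public>
        SSLVerifyClient none
    </Directory>
</VirtualHost>
```

Because SSLVerifyClient is set in a <Directory> block rather than on the vhost, mod_ssl only learns which setting applies after it has read the request headers, so for any path outside /public the certificate is obtained by renegotiating the already-open connection; that is the "immediate" renegotiation the post describes, and the open question about the first request's headers applies to exactly this configuration.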
