When using Apache as a proxy (browser --https--> Apache + mod_proxy --https--> Web server), the Web server never receives the user's certificate info, because only the proxy is seen by the Web server. That means that all SSL_CLIENT_* headers contain the proxy certificate info, not the user certificate info.
Is there a way to get the user's certificate info? Otherwise, I propose to add (at least) a header containing the client Distinguished Name (something like SSL_REMOTE_CLIENT_S_DN?). This value should be passed without modification through all proxies. As the client could spoof it, we also need a parameter to explicitly state that we accept the given header; if not, we overwrite it. Does this sound reasonable?
Marc
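The per-hop rule proposed above (pass the header through only when explicitly told to accept it, otherwise overwrite it), modelled as an added example. This is not code from the post or from Apache; `forward_headers`, `dn_seen_by_backend` and the `accept_upstream` flag are hypothetical names, and only the header name comes from the post.

```python
# Added illustration of the proposed per-hop rule. Not Apache code.
HEADER = "SSL_REMOTE_CLIENT_S_DN"  # header name suggested in the post


def _canon(name):
    # Header names are case-insensitive, and CGI-style mapping turns "-" into
    # "_", so "ssl-remote-client-s-dn" would collide with the real header.
    return name.upper().replace("-", "_")


def forward_headers(incoming, verified_dn, accept_upstream):
    """Return the headers one proxy hop sends to the next server.

    incoming        -- list of (name, value) pairs received by this hop
    verified_dn     -- subject DN of the TLS client certificate this hop
                       verified itself, or None if none was presented
    accept_upstream -- the explicit "accept the given header" parameter
    """
    claimed = [v for n, v in incoming if _canon(n) == HEADER]
    # Always drop every spelling of the header before deciding what to send.
    out = [(n, v) for n, v in incoming if _canon(n) != HEADER]

    if accept_upstream and len(claimed) == 1:
        # The peer is a trusted proxy: pass its value through unmodified.
        out.append((HEADER, claimed[0]))
    elif verified_dn is not None:
        # Default: overwrite with what this hop verified in the TLS handshake.
        out.append((HEADER, verified_dn))
    # No usable claim and no verified certificate: send no DN header at all.
    return out


def dn_seen_by_backend(client_headers, client_cert_dn, hops):
    """Run a request through a chain of proxies. hops is a list of
    (proxy_cert_dn, accept_upstream); each proxy authenticates to the next
    hop with its own certificate, which is the situation in the post."""
    headers, peer_dn = list(client_headers), client_cert_dn
    for proxy_dn, accept_upstream in hops:
        headers = forward_headers(headers, peer_dn, accept_upstream)
        peer_dn = proxy_dn  # the next hop only sees this proxy's certificate
    return dict(headers).get(HEADER)
```

Only hops whose sole peers are other trusted proxies should set `accept_upstream`; the hop that terminates the user's TLS connection has to overwrite.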
