On Wed, Nov 23, 2016 at 1:30 PM, Helmut K. C. Tessarek <[email protected]> wrote:
>
> Why would there be a need for renegotiation? In my scenario SSL is
> always used.
> If the client has a cert installed, the cert should be used. Otherwise
> the standard/basic auth should be used (still over SSL).

In your desired config, the initial handshake happens with SSLVerifyClient=none, so no client certificate is requested, so none can be sent by the client.

The initial handshake completes, then an HTTP request is received that maps to /dir.

Now Apache has to honor your <Directory> section, and a change to SSLVerifyClient from none to optional requires a new handshake to request a client certificate.
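
The two layouts side by side, as an added example that is not part of the original message: variant A is the per-directory setting that forces the second handshake, variant B asks for the certificate in the initial handshake and falls back to basic auth. Host names and file paths are placeholders, and Apache 2.4 with mod_ssl is assumed.

```apache
# Added illustration; host names and file paths are placeholders.

# Variant A: the layout discussed in the thread.
<VirtualHost *:443>
    ServerName a.example.test
    SSLEngine on
    SSLCertificateFile    /etc/ssl/example/server.crt
    SSLCertificateKeyFile /etc/ssl/example/server.key
    SSLCACertificateFile  /etc/ssl/example/client-ca.crt
    # The initial handshake does not request a client certificate.
    SSLVerifyClient none

    <Directory "/var/www/example/dir">
        # This only takes effect once a request has been mapped to the
        # directory, i.e. after the handshake, so mod_ssl must start a
        # new handshake to request the certificate.
        SSLVerifyClient optional
    </Directory>
</VirtualHost>

# Variant B: request the certificate up front, decide access per directory.
<VirtualHost *:443>
    ServerName b.example.test
    SSLEngine on
    SSLCertificateFile    /etc/ssl/example/server.crt
    SSLCertificateKeyFile /etc/ssl/example/server.key
    SSLCACertificateFile  /etc/ssl/example/client-ca.crt
    # Certificate is requested in the initial handshake; clients
    # without one still connect.
    SSLVerifyClient optional
    SSLVerifyDepth 1

    <Directory "/var/www/example/dir">
        AuthType Basic
        AuthName "Restricted"
        AuthBasicProvider file
        AuthUserFile /etc/apache2/example.htpasswd
        <RequireAny>
            # Passes when a valid client certificate was presented.
            Require ssl-verify-client
            # Otherwise fall back to username and password.
            Require valid-user
        </RequireAny>
    </Directory>
</VirtualHost>
```

With variant B every connection to the virtual host is asked for a certificate, including requests outside the protected directory, so browsers holding a matching certificate may show their selection dialog on the first connection.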
