On 2016-11-23 13:43, Eric Covener wrote:
> In your desired config, the initial handshake happens with
> SSLVerifyClient=none, so no client certificate is requested so none
> can be sent by the client.
> The initial handshake completes, then an HTTP request is received that
> maps to /dir
> Now Apache has to honor your <Directory> section, and a change to
> SSLVerifyClient from none to optional requires a new handshake to
> request a client certificate.

I see, thank you for the explanation. It still does not explain why it
doesn't work though. It should, right? At least according to the
documentation.

But you also mentioned that this scenario won't work with TLS 1.3. Does
this mean you can only have either an auth schema (user/password auth)
or a client cert with TLS 1.3, but not both at the same time? Since when
is functionality removed in new protocols?

Cheers,
 K. C.

-- 
regards Helmut K. C. Tessarek
lookup http://pool.sks-keyservers.net for KeyID 0xC11F128D

/*
   Thou shalt not follow the NULL pointer for chaos and madness
   await thee at its end.
*/
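
The two placements of SSLVerifyClient discussed in this message, as an added configuration example that is not taken from the thread or from either poster's setup. Host name, file paths and the password file are placeholders, and access to the document root is assumed to be granted elsewhere in the server configuration.

```apache
# Use one variant or the other, not both in the same server.

# Variant A: per-directory upgrade (the case described in the quoted reply).
# The initial handshake requests no certificate. A request that maps to
# .../dir changes SSLVerifyClient from none to optional, so the server
# needs a second handshake on the same connection to ask for one.
<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot "/var/www/site"
    SSLEngine on
    SSLCertificateFile    "/etc/ssl/example/server.crt"
    SSLCertificateKeyFile "/etc/ssl/example/server.key"
    SSLCACertificateFile  "/etc/ssl/example/client-ca.crt"
    SSLVerifyClient none

    <Directory "/var/www/site/dir">
        SSLVerifyClient optional
        SSLVerifyDepth 1
    </Directory>
</VirtualHost>

# Variant B: ask for the certificate in the initial handshake.
# SSLVerifyClient is set once for the whole virtual host, so no second
# handshake is needed; the directory only decides what to do with the
# result. Here /dir requires both a verified certificate and a password.
<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot "/var/www/site"
    SSLEngine on
    SSLCertificateFile    "/etc/ssl/example/server.crt"
    SSLCertificateKeyFile "/etc/ssl/example/server.key"
    SSLCACertificateFile  "/etc/ssl/example/client-ca.crt"
    SSLVerifyClient optional
    SSLVerifyDepth 1

    <Directory "/var/www/site/dir">
        AuthType Basic
        AuthName "restricted"
        AuthUserFile "/etc/apache2/example.htpasswd"
        <RequireAll>
            Require ssl-verify-client
            Require valid-user
        </RequireAll>
    </Directory>
</VirtualHost>
```

In variant B every client connecting to the virtual host is offered the certificate request, not only those that reach /dir.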
