A subtle security bug (CAN-2005-2700) was discovered in mod_ssl where where "SSLVerifyClient require" was not enforced in per-location context if "SSLVerifyClient optional" was configured in the global virtual host configuration. This bug is now fixed in mod_ssl 2.8.24 for Apache 1.3.33. Get it from:
o http://www.modssl.org/source/ o ftp://ftp.modssl.org/source/ Ralf S. Engelschall [EMAIL PROTECTED] www.engelschall.com ______________________________________________________________________ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List modssl-users@modssl.org Automated List Manager [EMAIL PROTECTED]