A new mod_ssl issue was reported upstream this week: if "SSLVerifyClient optional" has been configured at the vhost context, then "SSLVerifyClient require" is not enforced in a location context within that vhost, effectively allowing clients to bypass client-cert authentication checks. Affects: all 2.0.x releases <= 2.0.54, and I believe also all mod_ssl-for-1.3 releases (by code review only, I haven't confirmed that yet).
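An added example, not part of the original report or the upstream patch: a small audit helper that flags the configuration pattern described above, a vhost-level "SSLVerifyClient optional" combined with a nested "SSLVerifyClient require". The function name and sample configuration are constructed for illustration; it assumes a single flat config text (no Include or .htaccess handling) and treats `<Directory>` sections the same as `<Location>`.

```python
import re

# Constructed sample configuration, for illustration only.
SAMPLE_CONF = """\
<VirtualHost *:443>
    SSLVerifyClient optional
    <Location /secure>
        SSLVerifyClient require
    </Location>
</VirtualHost>
<VirtualHost *:8443>
    SSLVerifyClient none
    <Location /secure>
        SSLVerifyClient require
    </Location>
</VirtualHost>
"""

OPEN = re.compile(r"<\s*(\w+)\s*([^>]*)>")
CLOSE = re.compile(r"<\s*/\s*(\w+)\s*>")
VERIFY = re.compile(r"SSLVerifyClient\s+(\S+)", re.I)
PER_DIR = {"location", "locationmatch", "directory", "directorymatch"}


def find_affected(conf_text):
    """Flag per-directory 'require' inside a vhost set to 'optional'."""
    findings, stack, vhost = [], [], None
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if m := CLOSE.match(line):
            del stack[-1:]  # leave the innermost open section
            if m.group(1).lower() == "virtualhost" and vhost:
                # Decide at vhost close: the vhost-level directive may come last.
                if vhost["level"] == "optional":
                    findings += [(vhost["arg"], s, n) for s, n in vhost["requires"]]
                vhost = None
        elif m := OPEN.match(line):
            name, arg = m.group(1).lower(), m.group(2).strip()
            stack.append((name, arg))
            if name == "virtualhost":
                vhost = {"arg": arg, "level": None, "requires": []}
        elif (m := VERIFY.match(line)) and vhost:
            value = m.group(1).lower()
            inner = [s for s in stack if s[0] in PER_DIR]
            if not inner:
                vhost["level"] = value  # directive at vhost context
            elif value == "require":
                vhost["requires"].append(("%s %s" % inner[-1], line_no))
    return findings
```

Each finding is a tuple of the vhost address, the enclosing section, and the line number of the nested "require" directive.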
Created attachment 67407: CAN-2005-2700.diff
Public followup on bug 104807

*** This bug has been marked as a duplicate of 104807 ***