Dear List, I'm trying to implement SSL-client certificate check for only some selected URLs, but some things do not work as expected: * Although "SSLVerifyClient none" for whole vhost and only " SSLVerifyClient require" for location "/test", Firefox on Linux will ask for the certificate on all URLs. If I understand correctly, expected behavior would be to trigger renegotiation only when location matches. * When dismissing the request in Firefox in Linux, the unprotected URLs are served while protected ones result in (Error code: ssl_error_handshake_failure_alert) although I would be nicer to to get a "Forbidden" served. But I could live with that also. * When supplying the certificate via Firefox , content is served as expected. * IE9 and Firefox on Windows always refuse to serve any page (SSL error) for both "/" and "/test" never asking to supply a client certificate. When connecting using OPENSSL or socat, results are different: * Content of / is served as expected * Access to "/test" without certificate returns "Forbidden" * Access to "/test" with certificate FAILS to return the protected content, although renegotiation is present: New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA Server public key is 4096 bit Secure Renegotiation IS supported Does someone known the magic combination of server-side SSL options to get this working with as many browsers and OSes as possible? I've searched for similar problems but failed to find real close hits. Many other users got location-based request for client-certificate working but had problems with something different afterwards. Roman PS: Config snipplet: SSLVerifyClient none SSLVerifyDepth 1 SSLCACertificateFile /etc/apache2/ssl/TestingCA.cert <Location /test/> # Changing this from none to require will make Firefox ask for client certificate on any URL, not only /test/.* SSLVerifyClient require # Does not work with/without it anyway SSLOptions +OptRenegotiate </Location> --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx