Make client certificate requests optional.
This prevents things from always failing if the server requires a client
Note that the solution used to determine if a certificate request was
made for a given request is approximate; it is timestamp based and can
theoretically give a false positive. In practice, this is very unlikely,
since another cert request had to have happened around the same time,
AND the response must be a 401/403.
3 files changed