2(?) buglets in modssl 2.8.10

Redhat Linux, Apache 1.3.26 + modssl-2.8.10

I'm using client certs to authenticate users onto a Reverse Proxy - which
gateways through to backend Web servers.

I've experienced bugs with the pre-2.8.10 release with FakeBasicAuth and so
was keen to see if they were fixed in 2.8.10 (i.e the directory listing bug).

That bug is fixed (yeah!) but another 2(?) are introduced.

1> FakeBasicAuth

Namely the "faked" Basic authentication details are added to the the HTTP
stream, and now that flows back through mod_proxy onto the backend Web
servers - meaning that you can't use Basic authentication on them anymore :-(

I guess that was the fix? Adding these fake Basic auth headers to the stream
makes Apache happy to allow directory listings when it wasn't before - but
other modules such as mod_proxy also get it...

Is there any other way of doing it?

2> Logging

Currently I have the following:

CustomLog /log/access_log trimble
#Override the CustomLog setting for valid SSL Client Certs
CustomLog /log/access_log trimble-ssl env=SSL_CLIENT_S_DN_Email

From what I can descern from the Apache documentation, that should mean that
non SSL-client connections get logged according to the "trimble" LogFormat,
whereas SSL-client connections get logged according to the "trimble-ssl".
However, I get TWO log entries for SSL-client connections - it's like it
isn't overriding - it's appending...

Any ideas?

Thanks

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org