SSLVerifyClient optional - how should it work?

on 09.11.2007 17:16:30 by rupert.thurner

hi,

we try to configure http://blastwave.org apache2 so that it reads a
client certificate to get the user name. if the client does not give
it (i.e. refuses) apache should go on and send back the page anyway.
in this case the client can click on a login page and type in the
username/password. i tried to use "SSLVerifyClient optional", but
somehow i do not get where i am thinking wrong.


1. with client cert it works, without does not
SSLCACertificateFile my.pem
SSLVerifyClient optional
SSLVerifyDepth 1
SSLUserName SSL_CLIENT_S_DN_CN

result: client certificate gets read, user name is taken. but if the
person says "cancel" when asked for giving the client certificate, the
connection is not established:

[Fri Nov 09 17:14:23 2007] [debug] ssl_engine_io.c(1800): OpenSSL: I/O
error, 5 bytes expected to read on BIO#e94898 [mem: 1158978]
[Fri Nov 09 17:14:23 2007] [debug] ssl_engine_kernel.c(1789): OpenSSL:
Exit: error in SSLv3 read client certificate A
[Fri Nov 09 17:14:23 2007] [debug] ssl_engine_kernel.c(1789): OpenSSL:
Exit: error in SSLv3 read client certificate A
[Fri Nov 09 17:14:23 2007] [info] [client 169.63.210.195] (70014)End
of file found: SSL handshake interrupted by system [Hint: Stop button
pressed in browser?!]
[Fri Nov 09 17:14:23 2007] [info] [client 19.6.21.19] Connection
closed to child 1 with abortive shutdown (server myserver:443)


2. with client cert it does not work, without it does
#SSLCACertificateFile my.pem
SSLVerifyClient optional
SSLVerifyDepth 1
SSLUserName SSL_CLIENT_S_DN_CN

result: without certificate it works. with choosing a certificate in
the browser, apache does somehow not get it:

[Fri Nov 09 17:04:21 2007] [info] SSL Library Error: 336105650 error:
140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate
returned


what could we do to make the client cert really "optional"?

rupert.
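
A worked Apache configuration for the pattern the poster wants (client certificate optional, fall back to a form login when none was verified), added here as an example; it is not the poster's configuration and not taken from the Apache documentation. The file paths, the /login URL and the /protected/ prefix are assumptions.

```apache
# Added example, not the poster's configuration. Assumed paths and URLs:
# server cert/key and client CA bundle under /etc/apache2/ssl/,
# a form login page at /login, and cert-protected content under /protected/.
<VirtualHost *:443>
    ServerName www.example.org

    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key

    # The CA file is what lets Apache verify a certificate the browser
    # presents; it is also the CA list sent to the browser in the
    # CertificateRequest. "optional" still requires a presented cert to
    # verify against it; only the *absence* of a cert is tolerated.
    SSLCACertificateFile  /etc/apache2/ssl/client-ca.pem
    SSLVerifyClient       optional
    SSLVerifyDepth        1

    # Expose SSL_CLIENT_VERIFY / SSL_CLIENT_S_DN_* to scripts and logs.
    SSLOptions +StdEnvVars

    # Take the CN as REMOTE_USER. With "optional" this is only populated
    # when a certificate was presented and verified against the CA file.
    SSLUserName SSL_CLIENT_S_DN_CN

    # No verified certificate (SSL_CLIENT_VERIFY is NONE): let the
    # request through to the form login instead of failing the handshake.
    RewriteEngine on
    RewriteCond %{SSL:SSL_CLIENT_VERIFY} !=SUCCESS
    RewriteCond %{REQUEST_URI}           !^/login
    RewriteRule ^/protected/ /login [R,L]

    # Record the verification outcome per request for troubleshooting.
    LogFormat "%h %l %u %t \"%r\" %>s %b verify=%{SSL_CLIENT_VERIFY}x cn=%{SSL_CLIENT_S_DN_CN}x" sslverify
    CustomLog /var/log/apache2/ssl_verify.log sslverify

    DocumentRoot /var/www/html
</VirtualHost>
```

SSL_CLIENT_VERIFY takes the values NONE (no certificate sent), SUCCESS (chain verified), or FAILED:reason, so the rewrite condition above, and any application code reading the variable, should trust the CN only when the value is exactly SUCCESS.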