Issues created by the use of Apache's SSLVerifyClient directive with the optional parameter

The first three applications to enter the MIT Touchstone pilot (Stellar, Jira, and Confluence) perform their own certificate validation independently of MIT Touchstone. Each of the Apache servers associated with these applications has been configured with the SSLVerifyClient directive set to optional. This is done so that the application can gracefully present information to the customer when the user's browser does not present a certificate to the Apache web server. Many web applications at MIT do not configure SSLVerifyClient as optional; instead, many set it to require.

When SSLVerifyClient is set to require, the user has a very different experience when the browser does not present an appropriate certificate to the server: the TLS handshake fails before any HTTP request reaches the application, so the web application developer loses control of what is presented to the user. Instead, the browser takes control and determines what is displayed.

In the case of IE7, the browser will normally display its own internal error page. Here is a typical example:
Firefox, on the other hand, will put up a modal message box with an error code. Here is a typical example:
In neither case is the user given meaningful information that helps them understand what went wrong and what they should do next.
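Choosing optional moves the enforcement burden onto the application: the handshake now succeeds without a certificate, so the application must check on every request whether one was presented and verified. The following is an added illustration of that check, not code from this page or from any of the pilot applications. It assumes an Apache virtual host that exports the mod_ssl variables (SSLOptions +StdEnvVars); the CA file path, the DN values, and the wording of the help page are hypothetical.

```python
"""
WSGI application that does its own client-certificate check, for an Apache
virtual host configured with ``SSLVerifyClient optional``.

Assumed Apache configuration (illustrative; the CA path is hypothetical):

    SSLEngine on
    SSLCACertificateFile /etc/apache2/ssl/client-ca.pem
    SSLVerifyClient optional
    SSLVerifyDepth 2
    SSLOptions +StdEnvVars

With ``optional`` the TLS handshake completes whether or not the browser sent a
certificate, so every request reaches the application and mod_ssl reports what
happened in SSL_CLIENT_VERIFY: NONE (no certificate), SUCCESS (verified against
the configured CA), or, only under optional_no_ca, GENEROUS / FAILED:<reason>.
The application must therefore treat anything other than SUCCESS as
unauthenticated, on every request.
"""
from html import escape


def client_cert_status(environ):
    """Return (authenticated, subject_dn) from mod_ssl's CGI variables."""
    verify = environ.get("SSL_CLIENT_VERIFY", "NONE")
    if verify != "SUCCESS":
        return False, ""
    return True, environ.get("SSL_CLIENT_S_DN", "")


def explain_failure(environ):
    """Human-readable reason for the help page, based on SSL_CLIENT_VERIFY."""
    verify = environ.get("SSL_CLIENT_VERIFY", "NONE")
    if verify == "NONE":
        return ("Your browser did not send a personal certificate. "
                "Install your certificate, restart the browser and try again.")
    # GENEROUS or FAILED:<reason>; show the reason without trusting it as HTML.
    return "Your certificate was presented but could not be verified (%s)." % escape(verify)


def respond(environ):
    """Core handler: returns (status, html_body) so it can be tested directly."""
    ok, dn = client_cert_status(environ)
    if not ok:
        body = "<h1>Certificate required</h1><p>%s</p>" % explain_failure(environ)
        return "403 Forbidden", body
    # The subject DN comes from a CA-signed certificate, but it is still data
    # the certificate holder chose; escape it before echoing it into HTML.
    return "200 OK", "<h1>Welcome</h1><p>Authenticated as %s</p>" % escape(dn)


def application(environ, start_response):
    """WSGI entry point (e.g. for mod_wsgi)."""
    status, body = respond(environ)
    data = body.encode("utf-8")
    start_response(status, [("Content-Type", "text/html; charset=utf-8"),
                            ("Content-Length", str(len(data)))])
    return [data]


if __name__ == "__main__":
    # Constructed sample environments standing in for what mod_ssl would set.
    samples = {
        "no certificate": {"SSL_CLIENT_VERIFY": "NONE"},
        "verified": {"SSL_CLIENT_VERIFY": "SUCCESS",
                     "SSL_CLIENT_S_DN": "/C=US/O=Example/CN=Alice <alice@example.org>"},
        "unverified (optional_no_ca only)": {
            "SSL_CLIENT_VERIFY": "FAILED:self signed certificate"},
    }
    for label, env in samples.items():
        status, body = respond(env)
        print("%-34s %s" % (label, status))
```

Two caveats follow from how mod_ssl behaves. First, under optional a certificate that the browser does present but that does not verify against SSLCACertificateFile still aborts the handshake exactly as under require, so the graceful page only ever covers the no-certificate case; only optional_no_ca lets unverifiable certificates through, and then the SSL_CLIENT_VERIFY check above is the sole line of defence. Second, the check has to run on every request, not once at login, since nothing else stops a request that arrives without a certificate.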
