diff -ur httpd-2.0.54/modules/ssl/ssl_engine_kernel.c httpd-new/modules/ssl/ssl_engine_kernel.c
--- httpd-2.0.54/modules/ssl/ssl_engine_kernel.c	2005-03-29 02:44:31.000000000 -0600
+++ httpd-new/modules/ssl/ssl_engine_kernel.c	2005-11-26 15:59:37.582155806 -0600
@@ -881,15 +881,23 @@
         return DECLINED;
     }
     
-    if (!sslconn->client_dn) {
+    clientdn = NULL;
+
+    if (dc->szUserName) {
+        char *val = ssl_var_lookup(r->pool, r->server, r->connection,
+                                   r, (char *)dc->szUserName);
+        if (val && val[0])
+	  clientdn = val;
+    }
+
+    if (!clientdn && !sslconn->client_dn) {
         X509_NAME *name = X509_get_subject_name(sslconn->client_cert);
         char *cp = X509_NAME_oneline(name, NULL, 0);
         sslconn->client_dn = apr_pstrdup(r->connection->pool, cp);
         modssl_free(cp);
+        clientdn = (char *)sslconn->client_dn;
     }
 
-    clientdn = (char *)sslconn->client_dn;
-
     /*
      * Fake a password - which one would be immaterial, as, it seems, an empty
      * password in the users file would match ALL incoming passwords, if only
Only in httpd-new/modules/ssl: ssl_engine_kernel.c~