diff -Nurp httpd-2.2.6/modules/ssl/ssl_engine_config.c apache2-2.2.6/modules/ssl/ssl_engine_config.c
--- httpd-2.2.6/modules/ssl/ssl_engine_config.c 2006-07-23 13:11:58.000000000 +0200
+++ apache2-2.2.6/modules/ssl/ssl_engine_config.c 2007-10-31 16:25:44.214838500 +0100
@@ -1130,6 +1130,9 @@ const char *ssl_cmd_SSLOptions(cmd_parms
 else if (strcEQ(w, "OptRenegotiate")) {
 opt = SSL_OPT_OPTRENEGOTIATE;
 }
+ else if (strcEQ(w, "NoClientVerifyEnvVars")) {
+ opt = SSL_OPT_NOCLIENTVERIFYENVVAR;
+ }
 else {
 return apr_pstrcat(cmd->pool,
 "SSLOptions: Illegal option '", w, "'",
diff -Nurp httpd-2.2.6/modules/ssl/ssl_engine_kernel.c apache2-2.2.6/modules/ssl/ssl_engine_kernel.c
--- httpd-2.2.6/modules/ssl/ssl_engine_kernel.c 2006-07-12 05:38:44.000000000 +0200
+++ apache2-2.2.6/modules/ssl/ssl_engine_kernel.c 2007-10-31 16:25:17.429164500 +0100
@@ -1022,7 +1022,13 @@ int ssl_hook_Fixup(request_rec *r)
 if (dc->nOptions & SSL_OPT_STDENVVARS) {
 for (i = 0; ssl_hook_Fixup_vars[i]; i++) {
 var = (char *)ssl_hook_Fixup_vars[i];
- val = ssl_var_lookup(r->pool, r->server, r->connection, r, var);
+
+ /* If option NoVerifyClientEnvVars defined, skip the SSL_CLIENT_VERIFY environment variable */
+ if (!(strEQ(var, "SSL_CLIENT_VERIFY") && (dc->nOptions & SSL_OPT_NOCLIENTVERIFYENVVAR))) {
+ val = ssl_var_lookup(r->pool, r->server, r->connection, r, var);
+ } else {
+ val = NULL;
+ }
 if (!strIsEmpty(val)) {
 apr_table_setn(env, var, val);
 }
diff -Nurp httpd-2.2.6/modules/ssl/ssl_private.h apache2-2.2.6/modules/ssl/ssl_private.h
--- httpd-2.2.6/modules/ssl/ssl_private.h 2006-07-23 13:11:58.000000000 +0200
+++ apache2-2.2.6/modules/ssl/ssl_private.h 2007-10-31 16:25:56.519607500 +0100
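Review bot: The keyword `NoClientVerifyEnvVars` reads as if it hid every client-verification variable, but the flag it sets is tested in ssl_hook_Fixup against the single name `SSL_CLIENT_VERIFY`; every other entry of `ssl_hook_Fixup_vars` is still exported. A comment on the new branch would prevent an administrator or later maintainer from over-trusting it, e.g. `/* suppresses only SSL_CLIENT_VERIFY in the StdEnvVars export */`. The directive documentation is not part of this patch and would need the same sentence. ssl_cmd_SSLOptions starts and ends outside the hunk.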
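Review bot: The new `else` branch in the `SSL_OPT_STDENVVARS` loop only bypasses the lookup, so `SSL_CLIENT_VERIFY` ends up absent rather than set to a defined value, and an entry of that name already present in `env` is left in place because `val = NULL` merely skips `apr_table_setn`. A consumer that treats anything other than an explicit failure value as verified would read the missing variable as success, so the option should be documented as requiring consumers to check for `SUCCESS`; if the intent is that the variable is never visible, add `apr_table_unset(env, var);` in the `else` branch. The comment names the option `NoVerifyClientEnvVars`, while the keyword parsed in ssl_engine_config.c is `NoClientVerifyEnvVars`; suggested wording: `/* With SSLOptions +NoClientVerifyEnvVars, do not export SSL_CLIENT_VERIFY */`. The filter covers this export loop only; other callers of `ssl_var_lookup` are outside the hunk and presumably still see the value. ssl_hook_Fixup starts and ends outside the hunk.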
@@ -199,6 +199,7 @@ typedef int ssl_algo_t;
 #define SSL_OPT_FAKEBASICAUTH (1<<4)
 #define SSL_OPT_STRICTREQUIRE (1<<5)
 #define SSL_OPT_OPTRENEGOTIATE (1<<6)
+#define SSL_OPT_NOCLIENTVERIFYENVVAR (1<<7)
 #define SSL_OPT_ALL (SSL_OPT_STDENVVARS|SSL_OPT_EXPORTCERTDATA|SSL_OPT_FAKEBASICAUTH|SSL_OPT_STRICTREQUIRE|SSL_OPT_OPTRENEGOTIATE)
 typedef int ssl_opt_t;
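Review bot: `SSL_OPT_ALL` on the line after the new define is left unchanged, so bit `(1<<7)` is not part of the mask. If that is deliberate because the flag suppresses output rather than enabling it, record it next to the define, e.g. `/* not in SSL_OPT_ALL: negative option, hides SSL_CLIENT_VERIFY */`; if any code outside this hunk masks or validates option words against `SSL_OPT_ALL`, the new bit would be dropped there. The constant is singular (`ENVVAR`) while the directive keyword is plural (`NoClientVerifyEnvVars`), which makes the two harder to search for together.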