Index: java/org/apache/coyote/http11/Http11AprProcessor.java
===================================================================
--- java/org/apache/coyote/http11/Http11AprProcessor.java (revision 773554)
+++ java/org/apache/coyote/http11/Http11AprProcessor.java (working copy)
@@ -1174,6 +1174,10 @@
 ((BufferedInputFilter) inputFilters[Constants.BUFFERED_FILTER]).setLimit(maxSavePostSize);
 inputBuffer.addActiveFilter(inputFilters[Constants.BUFFERED_FILTER]);
 try {
+ // If no client certificate was being asked, ask now
+ if ("none".equals(endpoint.getSSLVerifyClient())) {
+ endpoint.setSSLVerifyClient("optionalNoCA");
+ }
 // Renegociate certificates
 SSLSocket.renegotiate(socket);
 // Get client certificate and the certificate chain if present
Index: java/org/apache/tomcat/util/net/AprEndpoint.java
===================================================================
--- java/org/apache/tomcat/util/net/AprEndpoint.java (revision 773554)
+++ java/org/apache/tomcat/util/net/AprEndpoint.java (working copy)
@@ -487,9 +487,15 @@
 */
 protected String SSLVerifyClient = "none";
 public String getSSLVerifyClient() { return SSLVerifyClient; }
- public void setSSLVerifyClient(String SSLVerifyClient) { this.SSLVerifyClient = SSLVerifyClient; }
+ public void setSSLVerifyClient(String SSLVerifyClient) {
+ this.SSLVerifyClient = SSLVerifyClient;
+ if (initialized) {
+ initCertValidation();
+ }
+ }
+
 /**
 * SSL verify depth.
 */
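Review bot: The added `endpoint.setSSLVerifyClient("optionalNoCA")` changes a connector-wide setting as a side effect of one request's renegotiation and never puts it back; since the setter in this same patch re-applies the mode to the shared SSL context once the endpoint is initialized, every later handshake on the connector will request a client certificate without CA validation, not just this socket. Save the previous value and restore it once the certificate has been read, e.g. `String prevVerify = endpoint.getSSLVerifyClient();` / `if ("none".equalsIgnoreCase(prevVerify)) {` before the renegotiate, and `endpoint.setSSLVerifyClient(prevVerify);` in the try's finally, which lies outside this hunk. Using `equalsIgnoreCase` also keeps the comparison consistent with AprEndpoint, which matches the other mode names case-insensitively, so a configured `"None"` would otherwise skip this branch. Even with a restore, two requests renegotiating concurrently on the same endpoint would interleave these writes; if that is a supported scenario the flip-and-restore probably needs to be serialized at the endpoint. The enclosing method starts and ends outside the hunk.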
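Review bot: `setSSLVerifyClient` now calls `initCertValidation()` whenever `initialized` is true, but the only other call site in this patch runs it inside the `init` block that also configures `sslContext` (its closing brace is visible in the later hunk), which looks like the SSL-enabled branch; on an initialized connector without SSL the setter would then call `SSLContext.setVerify` on a context that was never created. Guard with the same condition as `init`, e.g. `if (initialized && SSLEnabled) {`, assuming that flag is what guards the block — confirm against the part of `init` outside the hunks. The setter also rewrites a context shared by every connection with no synchronization, which matters now that Http11AprProcessor calls it per request; the Javadoc should state this, e.g. `/** Sets the client-certificate mode. Once the endpoint is initialized the mode is applied immediately to the shared SSL context and affects every subsequent handshake. */`.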
@@ -702,7 +708,20 @@
 // Set revocation
 SSLContext.setCARevocation(sslContext, SSLCARevocationFile, SSLCARevocationPath);
 // Client certificate verification
- value = SSL.SSL_CVERIFY_NONE;
+ initCertValidation();
+ // For now, sendfile is not supported with SSL
+ useSendfile = false;
+ }
+
+ initialized = true;
+
+ }
+
+ /**
+ * Client certificate verification.
+ */
+ private void initCertValidation() {
+ int value = SSL.SSL_CVERIFY_NONE;
 if ("optional".equalsIgnoreCase(SSLVerifyClient)) {
 value = SSL.SSL_CVERIFY_OPTIONAL;
 } else if ("require".equalsIgnoreCase(SSLVerifyClient)) {
@@ -711,15 +730,8 @@
 value = SSL.SSL_CVERIFY_OPTIONAL_NO_CA;
 }
 SSLContext.setVerify(sslContext, value, SSLVerifyDepth);
- // For now, sendfile is not supported with SSL
- useSendfile = false;
 }
- initialized = true;
-
- }
-
- /**
 * Start the APR endpoint, creating acceptor, poller and sendfile threads.
 */
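Review bot: The Javadoc on the new `initCertValidation()` ("Client certificate verification.") does not say that the method writes to the live `sslContext`, which is the reason it was extracted so the setter can call it after startup; a reader of the setter needs that contract. Suggested Javadoc: "Translates SSLVerifyClient (optional, require, optionalNoCA; any other value means no verification) into the matching SSL_CVERIFY_* constant and applies it, with SSLVerifyDepth, to the shared sslContext. Called from init() and again from setSSLVerifyClient() once the endpoint is initialized, so sslContext must already exist." Note also that an unrecognized string, including a typo of `require`, silently falls through to `SSL.SSL_CVERIFY_NONE`; that fail-open default predates this patch, but now that the value can be changed at runtime it may be worth rejecting or logging unknown values in the setter. The method's body continues into the following hunk.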