There is no difference in the CertificateRequest message sent by the server when the certificate is simply requested and not required. The server makes the same request in both cases and simply stops shaking hands when the client cannot provide the required certificate. Thus, if your browser seems to be ignoring "requests", it should also ignore "requirements."
Check the following:
- Your browser is configured to ignore all certificate requests, never sending one?
- Your browser is configured to use this certificate without prompting User? (In other words, how do you know that the browser does not send the certificate?)
- Does your server really request a certificate?
The way I test this last case is OpenSSL (also available in Cygwin ):
openssl s_client -connect server.y.com:443 -msg
After the server sends its certificate message, it will add the CertificateRequest method, which is absent if it does not request client authentication. The output of s_client is as follows:
<<< TLS 1.0 Handshake [length 0008], CertificateRequest 0d 00 00 04 01 01 00 00
I'm not sure how this works if the server uses client authentication only on certain paths, as the initial SSL confirmation is completed before the client sends the HTTP request. It would be wise if the server requested a new handshake at this point, but I never tested to see which servers support this.
You can fake an HTTP request through s_client manually by typing:
GET /your/path/here HTTP/1.1[Enter] Host: server.y.com:443[Enter] [Enter]
If you never see the CertificateRequest message, your server is configured incorrectly.
Specifying directory-based security restrictions is fairly common and may actually simplify security administration. Do not be offended if this offers you a solution.
403.7 is not an HTTP status code. Is Microsoft "embracing, expanding and quenching" the trick? In any case, this does not seem to be in the right direction, since it is a transport layer problem, not an application layer problem.