...
I'll also note that as recently as September of 2005 there was a security advisory regarding Apache when using this option.
Potential solution
One suggested solution for controlling what is displayed to the user when a certificate error occurs (if SSLVerifyClient:required is being used):
When the user clicks the "use certificates" button, first load the page that you want the user to see if an error occurs. Next, attempt the authentication and the redirection to the page that the user originally wanted to access. If an error occurs, the dialog box will appear. When the user dismisses it, the intended error page should be present. If authentication is successful, the user will end up at the correct content.
If the network connection is slow or there are other latency issues, the user might be looking at the error page for quite a while before the authentication and redirection actually succeed. But this can probably be made acceptable by careful wording and design of the error page.
Certainly at first glance, from a usability perspective, using SSLVerifyClient:optional is a more attractive avenue. However, as noted, not all browsers support that option. There is also a rumor that browsers that don't support it can cause problems on the server side. We need to better understand these issues before a definitive plan of action can be agreed upon.
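The two settings compared above, as an added configuration sketch that is not part of the original page. It assumes Apache 2.4 with mod_ssl, where the directive values are spelled `require` and `optional`; the host name, file paths and the `/secure` and `/cert-error.html` URLs are placeholders.

```apache
# Added example; host name, paths and URLs are assumed placeholders.
<VirtualHost *:443>
    ServerName portal.example.org
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/portal.crt
    SSLCertificateKeyFile /etc/pki/tls/private/portal.key
    # CA(s) that issue the client certificates
    SSLCACertificateFile  /etc/pki/tls/certs/client-ca.pem

    # Variant A: the TLS handshake fails when no valid client certificate
    # is presented, so the browser shows its own dialog and Apache never
    # gets the chance to serve an error page.
    # SSLVerifyClient require

    # Variant B: the handshake also completes when the client sends no
    # certificate. A certificate that is sent but fails verification
    # still aborts the handshake.
    SSLVerifyClient optional
    SSLVerifyDepth  2

    <Location "/secure">
        # Access is decided at the HTTP layer: only requests that arrived
        # with a verified client certificate are allowed.
        Require ssl-verify-client
        # Everyone else gets a page the site controls.
        ErrorDocument 403 /cert-error.html
    </Location>
</VirtualHost>
```

With variant B the error page must live outside the protected location so that it can be served to clients without a certificate.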
Other issues:
In order to proceed to pilot there are other tasks to complete. These include:
...