SSLEngine on
	SSLCertificateFile 		/xxx/server.pem
	SSLCertificateKeyFile		/xxx/server.key

	# Chain for the server - not for client verification (though in this simple
	# case they _happen_ to be the same!).
	SSLCACertificateChainFile 	/xxx/root.pem

	SSLVerifyClient none
	SSLVerifyDepth 3

	Alias /trac/ "/xxx/trac/"
	<Directory "/xxx/trac">
		Options Indexes FollowSymLinks
		AllowOverride None
		Order allow,deny
		Allow from all

		# Insist on a valid SSL certificate, issued by
		# *any* of our CA's.
		SSLCACertificateFile  /xxx/root.pem
		SSLVerifyClient require

		SSLOptions StdEnvVars ExportCertData FakeBasicAuth

		# SSLRequireSSL SSLRequire %{SSL_CLIENT_S_DN_O} eq "My Org" and ....

		# mod_python speeds things up considerably
		SetHandler mod_python
		PythonHandler trac.web.modpython_frontend
		PythonOption TracEnvParentDir "/var/trac"
		PythonOption TracUriRoot "/trac"

		# Fake up authentication so that trac thinks we're doing
		# basic auth.
		#
		AuthType Basic
		AuthName "my track"

		# We're to lazy to create a 'htpasswd' file as generally
		# done with FakeBasicAuth - hence we use anon to allow
		# any valid cert in. Trac will do the right thing.
		#
		AuthBasicProvider anon
		Anonymous "*"	
   		Require valid-user

   		# further authorization is handled internally by trac
	</Directory>


	<Location "/svn">
		DAV svn
		SVNParentPath /xxx/svn

		SSLCACertificateFile  /xxx/root.pem
		SSLVerifyClient require

		# SSLRequire %{SSL_CLIENT_S_DN_O} eq "My Org..."

		# Pull authentication information in as to allow svn to use the CN in its logs.
		#
		SSLOptions StdEnvVars ExportCertData FakeBasicAuth
		AuthType Basic
		AuthName "my  svn"

		# We do not want to keep an htaccess list with the DN's - so we let anyone
		# authenticated in
		AuthBasicProvider anon
		Anonymous "*"	
   		Require valid-user
	</Location>