The first fix is to retrieve the full certificate subject instead of just the
CN for FakeBasicAuth and prefix it with / to be compatible with OpenSSL.

The second always attempts to retrieve the client certificate in
nss_hook_ReadReq().

https://bugzilla.redhat.com/show_bug.cgi?id=702437
--- mod_nss-1.0.8.orig/nss_engine_io.c	2011-05-10 15:45:49.000000000 -0400
+++ mod_nss-1.0.8.orig/nss_engine_io.c	2011-05-11 15:21:30.000000000 -0400
@@ -1364,13 +1364,9 @@ nss_AuthCertificate(void *arg, PRFileDes
 
     status = SSL_AuthCertificate(arg, socket, checksig, isServer);
 
-    if (status == SECSuccess) {
-        conn_rec *c = filter_ctx->c;
-        SSLConnRec *sslconn = myConnConfig(c);
-
-        sslconn->client_cert = SSL_PeerCertificate(socket);
-        sslconn->client_dn = NULL;
-    }
+    /* The certificate is copied to sslconn->client_cert in
+     * nss_hook_ReadReq()
+     */
 
     return status;
 }
--- mod_nss-1.0.8.orig/nss_engine_kernel.c	2007-05-31 17:36:03.000000000 -0400
+++ mod_nss-1.0.8.orig/nss_engine_kernel.c	2011-05-11 15:30:38.000000000 -0400
@@ -84,6 +84,11 @@ int nss_hook_ReadReq(request_rec *r)
                      nss_util_vhostid(r->pool, r->server));
     }
 
+    if (sslconn->client_cert != NULL)
+        CERT_DestroyCertificate(sslconn->client_cert);
+    sslconn->client_cert = SSL_PeerCertificate(ssl);
+    sslconn->client_dn = NULL;
+
     return DECLINED;
 }
 
@@ -626,8 +631,8 @@ int nss_hook_UserCheck(request_rec *r)
     }
 
     if (!sslconn->client_dn) {
-        char * cp = CERT_GetCommonName(&sslconn->client_cert->subject);
-        sslconn->client_dn = apr_pstrdup(r->connection->pool, cp);
+        char * cp = CERT_NameToAscii(&sslconn->client_cert->subject);
+        sslconn->client_dn = apr_pstrcat(r->connection->pool, "/", cp, NULL);
         PORT_Free(cp);
     }