it looks like there is a problem using jboss against apache.
I have now updated apache and i can use SSLSocketFactory width client certificate without using the system property sun.security.ssl.allowUnsafeRenegotiation=true.
but when i use a bindingprovider in jboss in a servlet i get "Re-negotiation handshake failed: Not accepted by client" in the apache log.
so either the problem is in jboss or in apache.