Comment 18 for bug 1833039

https://bz.apache.org/bugzilla/show_bug.cgi?id=62691#c5
"Moving "SSLVerifyClient require" outside of the <Location> block instantly returns the document. So it does appear to be ONLY the renegotiation case.
"

That works here too, in my simple test case. I had this location directive:
                <Location />
                        SSLVerifyClient require
                        Require ssl-verify-client
                </Location>

By moving SSLVerifyClient to the vhost level, i.e., the whole site requires it, then re-negotiation isn't triggered and access works without a timeout.