The use case that it solves is the initial SSLSession can be established with both need and want client auth set to false, as the user navigates to a page that requires authentication the session is re-negotiated now with need client auth set to true so a certificate is requested from the client if available.