Can I get any +1s? Explanation is in the commit message.
commit 934cbf8d70d52a7819ae4af575f04bdf70cdcd0c
Author: Patrick Uiterwijk <puiterwijk(a)redhat.com>
Date: Fri Nov 11 23:38:41 2016 +0000
Fix koji client cert authentication with OpenSSL 1.1.0
Turns out that renegotiation is broken in OpenSSL 1.1.0, so we allow
clients to send their certificates (but not require them) from the
very first connection on, so that they don't have to renegotiate.
Signed-off-by: Patrick Uiterwijk <puiterwijk(a)redhat.com>
diff --git a/roles/koji_hub/templates/kojihub.conf.j2
b/roles/koji_hub/templates/kojihub.conf.j2
index 01e6f1b..f39ee34 100644
--- a/roles/koji_hub/templates/kojihub.conf.j2
+++ b/roles/koji_hub/templates/kojihub.conf.j2
@@ -24,6 +24,7 @@ Alias /kojifiles "/mnt/koji/"
</Directory>
{% endif %}
+SSLVerifyClient optional
<Location /kojihub/ssllogin>
SSLVerifyClient require
SSLVerifyDepth 10