From 934cbf8d70d52a7819ae4af575f04bdf70cdcd0c Mon Sep 17 00:00:00 2001 From: Patrick Uiterwijk Date: Fri, 11 Nov 2016 23:38:41 +0000 Subject: [PATCH] Fix koji client cert authentication with OpenSSL 1.1.0 Turns out that renegotiation is broken in OpenSSL 1.1.0, so we allow clients to send their certificates (but not require them) from the very first connection on, so that they don't have to renegotiate. Signed-off-by: Patrick Uiterwijk --- roles/koji_hub/templates/kojihub.conf.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/koji_hub/templates/kojihub.conf.j2 b/roles/koji_hub/templates/kojihub.conf.j2 index 01e6f1bf31..f39ee34ee5 100644 --- a/roles/koji_hub/templates/kojihub.conf.j2 +++ b/roles/koji_hub/templates/kojihub.conf.j2 @@ -24,6 +24,7 @@ Alias /kojifiles "/mnt/koji/" {% endif %} +SSLVerifyClient optional SSLVerifyClient require SSLVerifyDepth 10
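Review bot: The added `SSLVerifyClient optional` sits directly before `SSLVerifyClient require` with no comment, so it reads as a redundant or overridden setting and could be removed in a later cleanup; the reason is recorded only in the commit message. I would add a comment above it, for example `# Ask for (but do not require) a client cert in the initial handshake: OpenSSL 1.1.0 cannot renegotiate, so the stricter "require" below must never need to.` Because client certificates are now verified during the first handshake, the CA settings (`SSLCACertificateFile` / `SSLCACertificatePath`) and a sufficient `SSLVerifyDepth` must also be in effect in the server context. The `SSLVerifyDepth 10` visible here may apply only to the stricter scope, and mod_ssl's default depth is 1, so this is worth confirming. The enclosing block is not visible in this hunk and its container markup appears to have been lost in this rendering, so the scope of each directive is inferred.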