From: Jouni Malinen <jouni@codeaurora.org>
Date: Mon, 3 Dec 2018 22:15:04 +0000 (+0200)
Subject: HS 2.0 server: Document client certificate related Apache configuration
X-Git-Tag: hostap_2_8~825
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d726f4da547e943216bb6ba8b79d51fc015e03e1;p=thirdparty%2Fhostap.git

HS 2.0 server: Document client certificate related Apache configuration

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
---

diff --git a/hs20/server/hs20-osu-server.txt b/hs20/server/hs20-osu-server.txt
index 70f13135e..22478ad9d 100644
--- a/hs20/server/hs20-osu-server.txt
+++ b/hs20/server/hs20-osu-server.txt
@@ -228,12 +228,17 @@ Add following block just before "SSL Engine Switch" line":
                 Options Indexes MultiViews FollowSymLinks
                 AllowOverride None
 		Require all granted
+		SSLOptions +StdEnvVars
         </Directory>
 
 Update SSL configuration to use the OSU server certificate/key.
 They keys and certs are called 'server.key' and 'server.pem' from
 ca/setup.sh.
 
+To support subscription remediation using client certificates, set
+"SSLVerifyClient optional" and configure the trust root CA(s) for the
+client certificates with SSLCACertificateFile.
+
 Enable default-ssl site and restart Apache2:
   sudo a2ensite default-ssl
   sudo a2enmod ssl