From d726f4da547e943216bb6ba8b79d51fc015e03e1 Mon Sep 17 00:00:00 2001
From: Jouni Malinen <jouni@codeaurora.org>
Date: Tue, 4 Dec 2018 00:15:04 +0200
Subject: [PATCH] HS 2.0 server: Document client certificate related Apache
 configuration

Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
---
 hs20/server/hs20-osu-server.txt | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/hs20/server/hs20-osu-server.txt b/hs20/server/hs20-osu-server.txt
index 70f13135e..22478ad9d 100644
--- a/hs20/server/hs20-osu-server.txt
+++ b/hs20/server/hs20-osu-server.txt
@@ -228,12 +228,17 @@ Add following block just before "SSL Engine Switch" line":
                 Options Indexes MultiViews FollowSymLinks
                 AllowOverride None
 		Require all granted
+		SSLOptions +StdEnvVars
         </Directory>
 
 Update SSL configuration to use the OSU server certificate/key.
 They keys and certs are called 'server.key' and 'server.pem' from
 ca/setup.sh.
 
+To support subscription remediation using client certificates, set
+"SSLVerifyClient optional" and configure the trust root CA(s) for the
+client certificates with SSLCACertificateFile.
+
 Enable default-ssl site and restart Apache2:
   sudo a2ensite default-ssl
   sudo a2enmod ssl