append "/ssllogin" to the hub URL when logging in via SSL, so we only need to require client certificates on that specific URL

hub/httpd.conf

@@ -16,9 +16,8 @@ Alias /kojihub "/usr/share/koji-hub/XMLRPC"
 </Directory>
 
 # uncomment this to enable authentication via SSL client certificates
-# <Location /kojihub>
+# <Location /kojihub/ssllogin>
+#         SSLVerifyClient require
+#         SSLVerifyDepth  10
 #         SSLOptions +StdEnvVars
 # </Location>
-# these options must be enabled globally (in ssl.conf)
-# SSLVerifyClient require
-# SSLVerifyDepth  10

koji/__init__.py

@@ -1620,7 +1620,8 @@ class ClientSession(object):
         certs['peer_ca_cert'] = serverca
 
         # 60 second timeout during login
-        self.proxy = ssl.XMLRPCServerProxy.PlgXMLRPCServerProxy(self.baseurl, certs, timeout=60, **self.proxyOpts)
+        # Append /login to the URL so we can only require client certs to be sent on login requests
+        self.proxy = ssl.XMLRPCServerProxy.PlgXMLRPCServerProxy(self.baseurl + '/ssllogin', certs, timeout=60, **self.proxyOpts)
         sinfo = self.callMethod('sslLogin', proxyuser)
         if not sinfo:
             raise AuthError, 'unable to obtain a session'

www/conf/kojiweb.conf

@@ -44,11 +44,10 @@ Alias /koji "/usr/share/koji-web/scripts/"
 
 # uncomment this to enable authentication via SSL client certificates
 # <Location /koji/login>
+#     SSLVerifyClient require
+#     SSLVerifyDepth  10
 #     SSLOptions +StdEnvVars
 # </Location>
-# these options must be enabled globally (in ssl.conf)
-# SSLVerifyClient require
-# SSLVerifyDepth  10
 
 Alias /koji-static/ "/usr/share/koji-web/static/"