diff --git a/hub/httpd.conf b/hub/httpd.conf
index 5a5f01e0..3e9d8e81 100644
--- a/hub/httpd.conf
+++ b/hub/httpd.conf
@@ -16,9 +16,8 @@ Alias /kojihub "/usr/share/koji-hub/XMLRPC"
 # uncomment this to enable authentication via SSL client certificates
-#
+#
+# SSLVerifyClient require
+# SSLVerifyDepth 10
 # SSLOptions +StdEnvVars
 #
-# these options must be enabled globally (in ssl.conf)
-# SSLVerifyClient require
-# SSLVerifyDepth 10
diff --git a/koji/__init__.py b/koji/__init__.py
index 490ffa49..dca39e2e 100644
--- a/koji/__init__.py
+++ b/koji/__init__.py
@@ -1620,7 +1620,8 @@ class ClientSession(object):
 certs['peer_ca_cert'] = serverca
 # 60 second timeout during login
- self.proxy = ssl.XMLRPCServerProxy.PlgXMLRPCServerProxy(self.baseurl, certs, timeout=60, **self.proxyOpts)
+ # Append /login to the URL so we can only require client certs to be sent on login requests
+ self.proxy = ssl.XMLRPCServerProxy.PlgXMLRPCServerProxy(self.baseurl + '/ssllogin', certs, timeout=60, **self.proxyOpts)
 sinfo = self.callMethod('sslLogin', proxyuser)
 if not sinfo:
 raise AuthError, 'unable to obtain a session'
diff --git a/www/conf/kojiweb.conf b/www/conf/kojiweb.conf
index 478ce691..64573f26 100644
--- a/www/conf/kojiweb.conf
+++ b/www/conf/kojiweb.conf
@@ -44,11 +44,10 @@ Alias /koji "/usr/share/koji-web/scripts/"
 # uncomment this to enable authentication via SSL client certificates
 #
+# SSLVerifyClient require
+# SSLVerifyDepth 10
 # SSLOptions +StdEnvVars
 #
-# these options must be enabled globally (in ssl.conf)
-# SSLVerifyClient require
-# SSLVerifyDepth 10
 Alias /koji-static/ "/usr/share/koji-web/static/"
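Review bot: In hub/httpd.conf the sample drops the old "must be enabled globally" remark without saying what per-location verification costs. With `SSLVerifyClient require` scoped to a location (the block's tag lines are not legible on this page), mod_ssl asks for the certificate only after reading the request path, which on TLS 1.2 and earlier is a renegotiation with the request body buffered up to `SSLRenegBufferSize`. A comment such as `# per-location SSLVerifyClient renegotiates on TLS <= 1.2; see SSLRenegBufferSize` would tell the administrator. Since other paths no longer demand a certificate, the login handler has to reject a request whose `SSL_CLIENT_VERIFY` is not `SUCCESS`; that handler is outside this diff, so please confirm. The same points apply to the matching hunk in www/conf/kojiweb.conf.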
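Review bot: In koji/__init__.py the added comment says `/login` but the code appends `'/ssllogin'`; the comment should read `# Append /ssllogin to the URL so that only login requests have to present a client certificate`. Plain concatenation also yields `//ssllogin` when `self.baseurl` ends with a slash, which may not match the server's location block; `self.baseurl.rstrip('/') + '/ssllogin'` avoids that. The method continues outside the hunk, so it is not visible whether `self.proxy` is pointed back at `self.baseurl` once `sslLogin` succeeds. If it is not, every later call still goes through the certificate-requiring path, which is the opposite of what the comment intends.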