From 5e972eb7640c339182c7888fb55a30ec80de4ea1 Mon Sep 17 00:00:00 2001
From: Bas Zoetekouw
Date: Fri, 27 Oct 2023 09:39:10 +0200
Subject: [PATCH] only accept suigned client certs in x509 idp
---
 roles/surfstar-idp/templates/nginx.conf.j2 | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/roles/surfstar-idp/templates/nginx.conf.j2 b/roles/surfstar-idp/templates/nginx.conf.j2
index 33b4ddb8..c32559d8 100644
--- a/roles/surfstar-idp/templates/nginx.conf.j2
+++ b/roles/surfstar-idp/templates/nginx.conf.j2
@@ -24,7 +24,8 @@ server {
     add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
     include security_headers;
-    ssl_verify_client optional_no_ca;
+    ssl_client_certificate /etc/ssl/certs/ca-certificates.crt;
+    ssl_verify_client on;
     ssl_verify_depth 5;
     location ^~ /saml {
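Review bot: The new `ssl_client_certificate /etc/ssl/certs/ca-certificates.crt;` makes the whole system-wide public CA bundle the trust anchor set for client authentication, so with `ssl_verify_client on` any certificate chaining to any of those public CAs passes the TLS check (ordinary publicly issued certificates that carry the clientAuth EKU, as most Let's Encrypt certificates still do, would be accepted); the TLS layer then only proves that the caller holds some publicly issued certificate, not that the holder belongs to this IdP. If the IdP expects certificates from specific issuers, point the directive at a bundle holding only those CAs, templated from the role (e.g. `ssl_client_certificate {{ x509_client_ca_bundle }};`), and in any case make sure the application compares `$ssl_client_i_dn`/`$ssl_client_s_dn` against an allow-list before trusting the identity; the proxied `/saml` location that would pass these on starts at the end of this hunk and continues outside it. Note that moving from `optional_no_ca` to `on` also rejects every request to this server block with 400 when no certificate is presented, including `/saml` and any health-check or ACME paths that may live in this block; if some paths must stay reachable, `ssl_verify_client optional;` with a per-location check on `$ssl_client_verify` is the alternative. The bundle path is also Debian/Ubuntu-specific; on RHEL-family hosts the file does not exist and nginx will refuse to start, which is another reason to template it.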