Update comment about client verification.

apache/httpd.conf.in

@@ -1328,7 +1328,14 @@ CustomLog @prefix@/log/apache_ssl_request_log \
 SSLCACertificateFile @prefix@/etc/genica.bundle
 # Another bundle of CRLs.
 SSLCARevocationFile @prefix@/etc/genicrl.bundle
-# Must use optional to avoid renegotiation, which is broken.
+#
+# THIS HAS TO BE optional! Why? Cause recent security patches disables SSL
+# renegotiation, which is needed when a subdir turns on ssl client
+# verification (as we used to). Now, we set it to "optional",
+# which avoids the renegotiation problem. The backend scripts MUST
+# check their environment to ensure they are always invoked by a client
+# supplying a verifiable certificate. 
+#
 SSLVerifyClient optional
 
 # Reject the unencrypted certs that all users get.