From d9c9cc269984cdcc984a43f1500ba9651e63a919 Mon Sep 17 00:00:00 2001
From: ale <ale@incal.net>
Date: Sun, 23 Aug 2020 19:08:32 +0100
Subject: [PATCH] Require client certificates conditionally on the presence of
 a CA

---
 serverutil/tls.go | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

diff --git a/serverutil/tls.go b/serverutil/tls.go
index 053e74d..58dbf6c 100644
--- a/serverutil/tls.go
+++ b/serverutil/tls.go
@@ -110,21 +110,26 @@ func (c *TLSServerConfig) TLSConfig() (*tls.Config, error) {
 		return nil, err
 	}
 
-	cas, err := common.LoadCA(c.CA)
-	if err != nil {
-		return nil, err
-	}
-
 	// Set some TLS-level parameters (cipher-related), assuming
 	// we're using EC keys.
 	tlsConf := &tls.Config{
 		Certificates:             []tls.Certificate{cert},
-		ClientAuth:               tls.RequireAndVerifyClientCert,
-		ClientCAs:                cas,
 		CipherSuites:             serverCiphers,
 		MinVersion:               tls.VersionTLS12,
 		PreferServerCipherSuites: true,
 	}
+
+	// Require client certificates if a CA is specified.
+	if c.CA != "" {
+		cas, err := common.LoadCA(c.CA)
+		if err != nil {
+			return nil, err
+		}
+
+		tlsConf.ClientAuth = tls.RequireAndVerifyClientCert
+		tlsConf.ClientCAs = cas
+	}
+
 	tlsConf.BuildNameToCertificate()
 
 	return tlsConf, nil
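Review bot: With the new `if c.CA != ""` guard, an empty or unset `CA` field now silently yields a server that performs no client authentication at all (`ClientAuth` stays at its zero value, `tls.NoClientCert`), so a missing value in a deployment's config turns mutual TLS off rather than failing at startup; the comment on the new block should make that fail-open behaviour explicit, e.g. `// Require client certificates only if a CA is specified; with an empty CA the server accepts any client and callers must enforce authorization elsewhere.` It would also help to mirror this on the `CA` field's doc comment in `TLSServerConfig`, which is outside this hunk, or to log once at startup when client authentication is disabled so the mode is visible in operations. The `cas, err :=` inside the block shadows the outer `err`; harmless here since both paths return, but `var err error` predeclared or `=` would avoid a future lost-error bug if the block grows. `TLSConfig` begins and ends outside the hunk.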
-- 
GitLab