From eaa1196b44ddba40934489e059232fb45a495906 Mon Sep 17 00:00:00 2001 From: Filippo Valsorda Date: Sat, 16 Dec 2017 09:35:52 -0400 Subject: [PATCH] crypto/tls: document VerifyPeerCertificate behavior in relation to ClientAuth Change-Id: I3ff478912a5a178492d544d2f4ee9cc7570d9acc Reviewed-on: https://go-review.googlesource.com/84475 Reviewed-by: Filippo Valsorda Reviewed-by: Brad Fitzpatrick --- common.go | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/common.go b/common.go index 8d6f11e..e14b0ed 100644 --- a/common.go +++ b/common.go @@ -483,8 +483,9 @@ type Config struct { // // If normal verification fails then the handshake will abort before // considering this callback. If normal verification is disabled by - // setting InsecureSkipVerify then this callback will be considered but - // the verifiedChains argument will always be nil. + // setting InsecureSkipVerify, or (for a server) when ClientAuth is + // RequestClientCert or RequireAnyClientCert, then this callback will + // be considered but the verifiedChains argument will always be nil. VerifyPeerCertificate func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error // RootCAs defines the set of root certificate authorities