From eaa1196b44ddba40934489e059232fb45a495906 Mon Sep 17 00:00:00 2001
From: Filippo Valsorda <hi@filippo.io>
Date: Sat, 16 Dec 2017 09:35:52 -0400
Subject: [PATCH] crypto/tls: document VerifyPeerCertificate behavior in
 relation to ClientAuth

Change-Id: I3ff478912a5a178492d544d2f4ee9cc7570d9acc
Reviewed-on: https://go-review.googlesource.com/84475
Reviewed-by: Filippo Valsorda <hi@filippo.io>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
---
 common.go | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/common.go b/common.go
index 8d6f11e..e14b0ed 100644
--- a/common.go
+++ b/common.go
@@ -483,8 +483,9 @@ type Config struct {
 	//
 	// If normal verification fails then the handshake will abort before
 	// considering this callback. If normal verification is disabled by
-	// setting InsecureSkipVerify then this callback will be considered but
-	// the verifiedChains argument will always be nil.
+	// setting InsecureSkipVerify, or (for a server) when ClientAuth is
+	// RequestClientCert or RequireAnyClientCert, then this callback will
+	// be considered but the verifiedChains argument will always be nil.
 	VerifyPeerCertificate func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error
 
 	// RootCAs defines the set of root certificate authorities