Require client certs verification when SocketUseSSL N

Author: hyde-zhang

tls.go

@@ -67,6 +67,10 @@ func loadTLSConfig(settings *SessionSettings) (tlsConfig *tls.Config, err error)
 		}
 	}
 
+	if !allowSkipClientCerts {
+		tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
+	}
+
 	if !settings.HasSetting(config.SocketCAFile) {
 		return
 	}
@@ -90,10 +94,6 @@ func loadTLSConfig(settings *SessionSettings) (tlsConfig *tls.Config, err error)
 	tlsConfig.RootCAs = certPool
 	tlsConfig.ClientCAs = certPool
 
-	if !allowSkipClientCerts {
-		tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
-	}
-
 	return
 }
 

tls_test.go

@@ -60,7 +60,7 @@ func (s *TLSTestSuite) TestLoadTLSNoCA() {
 	s.Len(tlsConfig.Certificates, 1)
 	s.Nil(tlsConfig.RootCAs)
 	s.Nil(tlsConfig.ClientCAs)
-	s.Equal(tls.NoClientCert, tlsConfig.ClientAuth)
+	s.Equal(tls.RequireAndVerifyClientCert, tlsConfig.ClientAuth)
 }
 
 func (s *TLSTestSuite) TestLoadTLSWithBadCA() {
@@ -107,6 +107,16 @@ func (s *TLSTestSuite) TestLoadTLSWithoutSSLWithOnlyCA() {
 	s.Nil(tlsConfig)
 }
 
+func (s *TLSTestSuite) TestLoadTLSAllowSkipClientCerts() {
+	s.settings.GlobalSettings().Set(config.SocketUseSSL, "Y")
+
+	tlsConfig, err := loadTLSConfig(s.settings.GlobalSettings())
+	s.Nil(err)
+	s.NotNil(tlsConfig)
+
+	s.Equal(tls.NoClientCert, tlsConfig.ClientAuth)
+}
+
 func (s *TLSTestSuite) TestServerNameUseSSL() {
 	s.settings.GlobalSettings().Set(config.SocketUseSSL, "Y")
 	s.settings.GlobalSettings().Set(config.SocketServerName, "DummyServerNameUseSSL")