Make use of SocketCAFile config

Author: hyde-zhang

tls.go

@@ -35,33 +35,36 @@ func loadTLSConfig(settings *SessionSettings) (tlsConfig *tls.Config, err error)
 	}
 
 	if !settings.HasSetting(config.SocketPrivateKeyFile) && !settings.HasSetting(config.SocketCertificateFile) {
-		if allowSkipClientCerts {
-			tlsConfig = defaultTLSConfig()
-			tlsConfig.ServerName = serverName
-			tlsConfig.InsecureSkipVerify = insecureSkipVerify
-			setMinVersionExplicit(settings, tlsConfig)
+		if !allowSkipClientCerts {
+			return
 		}
-		return
-	}
-
-	privateKeyFile, err := settings.Setting(config.SocketPrivateKeyFile)
-	if err != nil {
-		return
-	}
-
-	certificateFile, err := settings.Setting(config.SocketCertificateFile)
-	if err != nil {
-		return
 	}
 
 	tlsConfig = defaultTLSConfig()
-	tlsConfig.Certificates = make([]tls.Certificate, 1)
 	tlsConfig.ServerName = serverName
 	tlsConfig.InsecureSkipVerify = insecureSkipVerify
 	setMinVersionExplicit(settings, tlsConfig)
 
-	if tlsConfig.Certificates[0], err = tls.LoadX509KeyPair(certificateFile, privateKeyFile); err != nil {
-		return
+	if settings.HasSetting(config.SocketPrivateKeyFile) && settings.HasSetting(config.SocketCertificateFile) {
+
+		var privateKeyFile string
+		var certificateFile string
+
+		privateKeyFile, err = settings.Setting(config.SocketPrivateKeyFile)
+		if err != nil {
+			return
+		}
+
+		certificateFile, err = settings.Setting(config.SocketCertificateFile)
+		if err != nil {
+			return
+		}
+
+		tlsConfig.Certificates = make([]tls.Certificate, 1)
+
+		if tlsConfig.Certificates[0], err = tls.LoadX509KeyPair(certificateFile, privateKeyFile); err != nil {
+			return
+		}
 	}
 
 	if !settings.HasSetting(config.SocketCAFile) {
@@ -86,7 +89,10 @@ func loadTLSConfig(settings *SessionSettings) (tlsConfig *tls.Config, err error)
 
 	tlsConfig.RootCAs = certPool
 	tlsConfig.ClientCAs = certPool
-	tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
+
+	if !allowSkipClientCerts {
+		tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
+	}
 
 	return
 }