crypto/tls: document VerifyPeerCertificate behavior in relation to ClientAuth

Change-Id: I3ff478912a5a178492d544d2f4ee9cc7570d9acc Reviewed-on: https://go-review.googlesource.com/84475Reviewed-by: Filippo Valsorda <hi@filippo.io> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>

crypto/tls: document VerifyPeerCertificate behavior in relation to ClientAuth
Change-Id: I3ff478912a5a178492d544d2f4ee9cc7570d9acc Reviewed-on: https://go-review.googlesource.com/84475Reviewed-by: Filippo Valsorda <hi@filippo.io> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
92b142a6 · Filippo Valsorda · Adam Langley · 38c561cb · 92b142a6
Commit 92b142a6 authored Dec 16, 2017 by Filippo Valsorda Committed by Adam Langley Dec 31, 2017
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 2 deletions

common.go src/crypto/tls/common.go +3 -2

No files found.
--- a/src/crypto/tls/common.go
+++ b/src/crypto/tls/common.go
@@ -406,8 +406,9 @@ type Config struct {
 	//
 	// If normal verification fails then the handshake will abort before
 	// considering this callback. If normal verification is disabled by
-	// setting InsecureSkipVerify then this callback will be considered but
-	// the verifiedChains argument will always be nil.
+	// setting InsecureSkipVerify, or (for a server) when ClientAuth is
+	// RequestClientCert or RequireAnyClientCert, then this callback will
+	// be considered but the verifiedChains argument will always be nil.
 	VerifyPeerCertificate func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error

 	// RootCAs defines the set of root certificate authorities