From a1bd7f1de37d765dd431d205317e71a7adcbb2fa Mon Sep 17 00:00:00 2001
From: Jared Newman
Date: Tue, 10 Apr 2018 22:55:21 -0700
Subject: [PATCH] Require client provide certs if RequireClientAuth=true
---
 server-state-machine.go | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/server-state-machine.go b/server-state-machine.go
index f91b22e..1346441 100644
--- a/server-state-machine.go
+++ b/server-state-machine.go
@@ -975,7 +975,10 @@ func (state serverStateWaitCert) Next(hr handshakeMessageReader) (HandshakeState
 state.handshakeHash.Write(hm.Marshal())
- if len(cert.CertificateList) == 0 {
+ if len(cert.CertificateList) == 0 && state.Config.RequireClientAuth {
+ logf(logTypeHandshake, "[ServerStateWaitCert] WARNING client did not provide a certificate and RequireClientAuth is set")
+ return nil, nil, AlertBadCertificate
+ } else if len(cert.CertificateList) == 0 {
 logf(logTypeHandshake, "[ServerStateWaitCert] WARNING client did not provide a certificate")
 logf(logTypeHandshake, "[ServerStateWaitCert] -> [ServerStateWaitFinished]")
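Review bot: The new rejection branch returns `AlertBadCertificate` for an empty client Certificate message, but RFC 8446 section 4.4.2.4 names `certificate_required` as the alert for a required certificate that was not supplied. With `bad_certificate`, peers and log consumers cannot tell a missing certificate from a malformed one, so if the package defines the `certificate_required` alert it should be returned here instead. The test `len(cert.CertificateList) == 0` is also evaluated in both arms of the `if`/`else if`; putting `if state.Config.RequireClientAuth { ... return nil, nil, <alert> }` as the first statement inside the existing empty-list branch keeps a single test and makes it harder for a later edit to separate the two cases. The log text still says WARNING on what is now a fatal path. The body of `Next` starts and ends outside the hunk, so whether a non-empty chain is validated before the handshake continues cannot be confirmed from these lines.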