From f63fcdb6d1775a0287bccad3cf42ddf2dc3ef986 Mon Sep 17 00:00:00 2001
From: Solderpunk
Date: Sun, 19 Feb 2023 15:17:45 +0100
Subject: [PATCH] Do not request client certificates if we're never going to need them.
---
 main.go | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)
diff --git a/main.go b/main.go
index 05ad01d..f511a3c 100644
--- a/main.go
+++ b/main.go
@@ -104,10 +104,11 @@ func do_main(config Config) int {
 log.Println("Error loading TLS keypair: " + err.Error())
 return 1
 }
- tlscfg := &tls.Config{
- Certificates: []tls.Certificate{cert},
- MinVersion: tls.VersionTLS12,
- ClientAuth: tls.RequestClientCert,
+ var tlscfg tls.Config
+ tlscfg.Certificates = []tls.Certificate{cert}
+ tlscfg.MinVersion = tls.VersionTLS12
+ if len(config.CertificateZones) > 0 {
+ tlscfg.ClientAuth = tls.RequestClientCert
 }
 // Try to chdir to /, so we don't block any mountpoints
@@ -125,7 +126,7 @@ func do_main(config Config) int {
 }
 // Create TLS listener
- listener, err := tls.Listen("tcp", ":"+strconv.Itoa(config.Port), tlscfg)
+ listener, err := tls.Listen("tcp", ":"+strconv.Itoa(config.Port), &tlscfg)
 if err != nil {
 log.Println("Error creating TLS listener: " + err.Error())
 return 1
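Review bot: The new guard in the first hunk makes `len(config.CertificateZones) > 0` the only reason the server ever sends a CertificateRequest, so any other consumer of the peer certificate outside this hunk (for instance a dynamic-content handler that is handed the client certificate or a hash of it) would silently see none once no zones are configured; whether such a consumer exists is not visible here and should be checked before merging. When the branch is skipped `ClientAuth` keeps its zero value, `tls.NoClientCert`, and that deserves a comment above the `if`, e.g. `// ClientAuth stays tls.NoClientCert unless a certificate zone will actually inspect the client cert`. Because `tls.RequestClientCert` neither requires nor verifies a certificate, the zone check must continue to treat whatever is presented as an unauthenticated, self-asserted identity and handle the no-certificate case explicitly. The body of do_main starts and ends outside both hunks, so the zone-enforcement code itself could not be reviewed.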