From 7e4f4d3488481d3005aff56e1208ba8ae4396dc4 Mon Sep 17 00:00:00 2001
From: Jun Kurihara
Date: Wed, 12 Oct 2022 15:40:56 +0900
Subject: [PATCH] workaround
---
 TODO.md | 4 +++-
 src/backend/mod.rs | 24 +++++++++++++++---------
 2 files changed, 18 insertions(+), 10 deletions(-)
diff --git a/TODO.md b/TODO.md
index c994cb1..2a10f18 100644
--- a/TODO.md
+++ b/TODO.md
@@ -7,5 +7,7 @@
 - Options to serve custom http_error page.
 - Prometheus metrics
 - Documentation
-- Client certificate -> support intermediate certificate. Currently, only supports client certificates directly signed by root CA.
+- Client certificate
+ - support intermediate certificate. Currently, only supports client certificates directly signed by root CA.
+ - split rustls::server::ServerConfig for SNIs
 - etc.
diff --git a/src/backend/mod.rs b/src/backend/mod.rs
index c62b27a..bc701e0 100644
--- a/src/backend/mod.rs
+++ b/src/backend/mod.rs
@@ -231,16 +231,22 @@ impl Backends {
 // debug!("Load certificate chain for {} server_name's", cnt); //////////////
- // TODO: Client Certs
- let client_certs_verifier = rustls::server::AllowAnyAnonymousOrAuthenticatedClient::new(client_ca_roots);
- // No ClientCert or WithClientCert
- // let client_certs_verifier = rustls::server::AllowAnyAuthenticatedClient::new(client_ca_roots);
+ let mut server_config = if client_ca_key_ids.is_empty() { ServerConfig::builder() .with_safe_defaults() .with_no_client_auth() .with_cert_resolver(Arc::new(resolver)) } else { // TODO: Client Certs // No ClientCert or WithClientCert // let client_certs_verifier = rustls::server::AllowAnyAuthenticatedClient::new(client_ca_roots); let client_certs_verifier = rustls::server::AllowAnyAnonymousOrAuthenticatedClient::new(client_ca_roots); ServerConfig::builder() .with_safe_defaults() .with_client_cert_verifier(client_certs_verifier) .with_cert_resolver(Arc::new(resolver)) };
- let mut server_config = ServerConfig::builder() .with_safe_defaults() // .with_no_client_auth() .with_client_cert_verifier(client_certs_verifier) .with_cert_resolver(Arc::new(resolver));
 //////////////////////////////
 #[cfg(feature = "http3")]
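Review bot: The `else` branch still installs `AllowAnyAnonymousOrAuthenticatedClient`, so even when client CA roots are configured a client that presents no certificate completes the TLS handshake, and nothing in this hunk enforces per backend that a certificate was actually presented and verified; that check has to exist after the handshake or the CA configuration grants no protection. The branch is also chosen on `client_ca_key_ids.is_empty()` while the verifier is built from `client_ca_roots`; both are defined outside the hunk, so if the two can ever diverge the selection should be driven by the same collection, or their consistency asserted before the `if`. The verifier line deserves a comment stating the trust semantics the TODO already hints at, e.g. `// NOTE: this verifier accepts handshakes with no client cert; presence of a cert must be enforced per backend after the handshake, and every CA in client_ca_roots is trusted for every SNI until ServerConfig is split per SNI (see TODO.md).` With that in place the commented-out `AllowAnyAuthenticatedClient` line is dead code and can be dropped. The enclosing method of `impl Backends` starts before and continues after the hunk.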