From 4ef6c58317ef57ad021d660e5ceb5e1a12a994cf Mon Sep 17 00:00:00 2001
From: Shivaram Lingamneni <slingamn@cs.stanford.edu>
Date: Tue, 5 May 2020 04:07:57 -0400
Subject: [PATCH] work around a chrome bug

---
 irc/config.go | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/irc/config.go b/irc/config.go
index acc6aae0..fd7742d9 100644
--- a/irc/config.go
+++ b/irc/config.go
@@ -743,14 +743,22 @@ func (conf *Config) Operators(oc map[string]*OperClass) (map[string]*Oper, error
 	return operators, nil
 }
 
-func loadTlsConfig(config TLSListenConfig) (tlsConfig *tls.Config, err error) {
+func loadTlsConfig(config TLSListenConfig, webSocket bool) (tlsConfig *tls.Config, err error) {
 	cert, err := tls.LoadX509KeyPair(config.Cert, config.Key)
 	if err != nil {
 		return nil, ErrInvalidCertKeyPair
 	}
+	clientAuth := tls.RequestClientCert
+	if webSocket {
+		// if Chrome receives a server request for a client certificate
+		// on a websocket connection, it will immediately disconnect:
+		// https://bugs.chromium.org/p/chromium/issues/detail?id=329884
+		// work around this behavior:
+		clientAuth = tls.NoClientCert
+	}
 	result := tls.Config{
 		Certificates: []tls.Certificate{cert},
-		ClientAuth:   tls.RequestClientCert,
+		ClientAuth:   clientAuth,
 	}
 	return &result, nil
 }
@@ -771,7 +779,7 @@ func (conf *Config) prepareListeners() (err error) {
 			return fmt.Errorf("%s is configured as a STS-only listener, but STS is disabled", addr)
 		}
 		if block.TLS.Cert != "" {
-			tlsConfig, err := loadTlsConfig(block.TLS)
+			tlsConfig, err := loadTlsConfig(block.TLS, block.WebSocket)
 			if err != nil {
 				return err
 			}