Diffstat (limited to 'modules/caddytls/connpolicy.go')
-rw-r--r--modules/caddytls/connpolicy.go8
1 files changed, 1 insertions, 7 deletions
diff --git a/modules/caddytls/connpolicy.go b/modules/caddytls/connpolicy.go
index 3a18061..fec1fe2 100644
--- a/modules/caddytls/connpolicy.go
+++ b/modules/caddytls/connpolicy.go
@@ -334,7 +334,7 @@ func (clientauth *ClientAuthentication) ConfigureTLSConfig(cfg *tls.Config) erro
case "require_and_verify":
cfg.ClientAuth = tls.RequireAndVerifyClientCert
default:
- return fmt.Errorf("client auth mode %s not allowed", clientauth.Mode)
+ return fmt.Errorf("client auth mode not recognized: %s", clientauth.Mode)
}
} else {
// otherwise, set a safe default mode
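Review bot: The rewritten message on the `+` line still interpolates the configured mode with `%s`, so an empty, whitespace-only or otherwise invisible value from the config shows up as a blank in the error and is hard to diagnose. Since this string echoes operator-supplied input back to the log, `%q` is the better verb: `return fmt.Errorf("client auth mode not recognized: %q", clientauth.Mode)`. The wording change itself is fine; this only sharpens it. ConfigureTLSConfig begins before this hunk and continues past it, so the surrounding mode-validation logic is not visible here.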
@@ -361,7 +361,6 @@ func (clientauth *ClientAuthentication) ConfigureTLSConfig(cfg *tls.Config) erro
// enforce leaf verification by writing our own verify function
if len(clientauth.TrustedLeafCerts) > 0 {
clientauth.trustedLeafCerts = []*x509.Certificate{}
-
for _, clientCertString := range clientauth.TrustedLeafCerts {
clientCert, err := decodeBase64DERCert(clientCertString)
if err != nil {
@@ -369,10 +368,8 @@ func (clientauth *ClientAuthentication) ConfigureTLSConfig(cfg *tls.Config) erro
}
clientauth.trustedLeafCerts = append(clientauth.trustedLeafCerts, clientCert)
}
-
// if a custom verification function already exists, wrap it
clientauth.existingVerifyPeerCert = cfg.VerifyPeerCertificate
-
cfg.VerifyPeerCertificate = clientauth.verifyPeerCertificate
}
@@ -411,13 +408,10 @@ func (clientauth ClientAuthentication) verifyPeerCertificate(rawCerts [][]byte,
// decodeBase64DERCert base64-decodes, then DER-decodes, certStr.
func decodeBase64DERCert(certStr string) (*x509.Certificate, error) {
- // decode base64
derBytes, err := base64.StdEncoding.DecodeString(certStr)
if err != nil {
return nil, err
}
-
- // parse the DER-encoded certificate
return x509.ParseCertificate(derBytes)
}