From 74b95be176d121406b9fdfb2fbfd33028fc4fe67 Mon Sep 17 00:00:00 2001
From: Laszlo Soos
Date: Thu, 9 Sep 2021 09:06:13 +0000
Subject: [PATCH] crypto/tls: populate peerCertificates before validation fails
---
 src/crypto/tls/handshake_server.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/crypto/tls/handshake_server.go b/src/crypto/tls/handshake_server.go
index 43f30e2fefd4fb..321820efc77d40 100644
--- a/src/crypto/tls/handshake_server.go
+++ b/src/crypto/tls/handshake_server.go
@@ -810,6 +810,8 @@ func (c *Conn) processCertsFromClient(certificate Certificate) error {
 return errors.New("tls: client didn't provide a certificate")
 }
 
+ c.peerCertificates = certs
+
 if c.config.ClientAuth >= VerifyClientCertIfGiven && len(certs) > 0 {
 opts := x509.VerifyOptions{
 Roots: c.config.ClientCAs,
@@ -831,7 +833,6 @@ func (c *Conn) processCertsFromClient(certificate Certificate) error {
 c.verifiedChains = chains
 }
 
- c.peerCertificates = certs
 c.ocspResponse = certificate.OCSPStaple
 c.scts = certificate.SignedCertificateTimestamps
 
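Review bot: The assignment `c.peerCertificates = certs` in the first hunk now runs before the `x509.VerifyOptions` block, so any error return from verification (that code sits between the two hunks and is not shown) leaves unverified client certificates on the Conn while `c.verifiedChains` stays unset. That appears to be the intent of the commit, but code that treats a non-empty `ConnectionState().PeerCertificates` as proof of an authenticated client would be misled if it inspects the connection after a failed handshake. I would document this at the assignment, e.g. `// Set before verification so the certificates are available when verification fails; they are unverified here, only verifiedChains reflects a successful check.`, and add a test asserting that a rejected client certificate leaves `VerifiedChains` empty. The second hunk keeps `c.ocspResponse` and `c.scts` after the verification block, so a failed handshake now carries the certificates without the staple and SCTs; it is worth stating whether that split is deliberate. processCertsFromClient starts and ends outside both hunks.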