Description
Currently when using TLS, the servers will accept requests from any client that has a certificate signed by the specified Certificate Authority. As such, I'd like to see custom server certificate validation supported. This will help enforce deny-by-default.
I'd like to be able to pass a flag, such as `-cert-allowed-cn`, that can be used to create a custom `VerifyPeerCertificate` (part of the crypto/tls package) and can be passed as a callback directly to the tls config. All this function needs to do is verify that the seen common-name is the same as the expected common-name.
Willing to submit a PR if the maintainers think this is a good idea. Thanks!
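As an added example (not code from the project or from the issue author), this is one way such a callback could look in Go, assuming the server already loads its key pair and a client CA pool; the function names, the fail-closed handling of an empty `verifiedChains`, and the flag parsing left out here are all assumptions of this example.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
)

// AllowedCNVerifier returns a VerifyPeerCertificate callback. Go invokes it
// after the normal chain verification against ClientCAs, so the client cert is
// already CA-signed; the callback only adds the deny-by-default CN allow list.
func AllowedCNVerifier(allowedCNs ...string) func([][]byte, [][]*x509.Certificate) error {
	allowed := make(map[string]struct{}, len(allowedCNs))
	for _, cn := range allowedCNs {
		allowed[cn] = struct{}{}
	}
	return func(_ [][]byte, verifiedChains [][]*x509.Certificate) error {
		// verifiedChains is empty when chain verification was skipped (e.g. a
		// ClientAuth mode that does not verify), so fail closed in that case.
		if len(verifiedChains) == 0 || len(verifiedChains[0]) == 0 {
			return errors.New("no verified client certificate chain")
		}
		cn := verifiedChains[0][0].Subject.CommonName // index 0 is the leaf
		if _, ok := allowed[cn]; !ok {
			return fmt.Errorf("client certificate CN %q is not allowed", cn)
		}
		return nil
	}
}

// ServerConfig wires the verifier into a server-side tls.Config (hypothetical helper).
func ServerConfig(serverCert tls.Certificate, clientCAs *x509.CertPool, allowedCNs ...string) *tls.Config {
	return &tls.Config{
		Certificates:          []tls.Certificate{serverCert},
		ClientCAs:             clientCAs,
		ClientAuth:            tls.RequireAndVerifyClientCert,
		MinVersion:            tls.VersionTLS12,
		VerifyPeerCertificate: AllowedCNVerifier(allowedCNs...),
	}
}

func main() {
	// Constructed leaf certificate standing in for a CA-verified chain.
	verify := AllowedCNVerifier("client-a")
	chain := [][]*x509.Certificate{{&x509.Certificate{Subject: pkix.Name{CommonName: "mallory"}}}}
	fmt.Println(verify(nil, chain)) // prints the CN rejection error
}
```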