| author | Chance Zibolski <chance.zibolski@gmail.com> | 2024-06-07 15:24:08 +0000 |
|---|---|---|
| committer | Damien Neil <dneil@google.com> | 2024-06-07 17:57:01 +0000 |
| commit | 640067f28a95bbc32aa701ceea204e28e510b04f (patch) | |
| tree | 084c17693538d527ff885999cf57929db6340add /src/net/http/server.go | |
| parent | 0b72631a8229bcb86913f4855e217ddedbfbbb46 (diff) | |
| download | go-640067f28a95bbc32aa701ceea204e28e510b04f.tar.xz | |
net/http: check GetConfigForClient in server.ServeTLS
Just like for tls.Config.GetCertificate, the http.Server.ServeTLS method
should be checking tls.Config.GetConfigForClient before trying to open
the specified certFile/keyFile.
This was previously fixed for crypto/tls when using tls.Listen in
CL205059, but the same change for net/http was missed. I've added a
comment in src/crypto/tls/tls.go in the relevant section in the hope that
any future changes of a similar nature will consider updating
net/http as needed as well.
Change-Id: I312303bc497d92aa2f4627fe2620c70779cbcc99
GitHub-Last-Rev: 6ed29a900816a13690a9f3e26476d9bc1055a6f7
GitHub-Pull-Request: golang/go#66795
Reviewed-on: https://go-review.googlesource.com/c/go/+/578396
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Cherry Mui <cherryyz@google.com>
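The configuration this change admits, as an added example that is not code from the Go tree or from this CL: an http.Server whose TLSConfig carries only GetConfigForClient (Certificates and GetCertificate both nil), served with ServeTLS(ln, "", ""), plus a socket-free handshake harness that shows the callback dispatching a different certificate per SNI name and rejecting a name it has no certificate for. The host names and the self-signed certificates are constructed test material; running main requires a toolchain built from a tree that includes this commit, since older ServeTLS returns an error from trying to open "".

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"log"
	"math/big"
	"net"
	"net/http"
	"time"
)

// selfSigned mints an in-memory self-signed certificate for one DNS name
// (constructed test material only, not a real key or certificate).
func selfSigned(host string) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		log.Fatal(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		log.Fatal(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// perNameConfig is a tls.Config whose only certificate source is GetConfigForClient
// (Certificates and GetCertificate stay nil, the shape ServeTLS rejected before this
// commit). An SNI name with no certificate fails the handshake before cert selection.
func perNameConfig(certs map[string]tls.Certificate) *tls.Config {
	return &tls.Config{
		GetConfigForClient: func(hello *tls.ClientHelloInfo) (*tls.Config, error) {
			cert, ok := certs[hello.ServerName]
			if !ok {
				return nil, fmt.Errorf("no certificate for SNI %q", hello.ServerName)
			}
			return &tls.Config{
				Certificates: []tls.Certificate{cert},
				// No post-handshake NewSessionTicket records, so the unbuffered
				// in-memory pipe used by handshakeFor cannot stall.
				SessionTicketsDisabled: true,
			}, nil
		},
	}
}

// handshakeFor runs one TLS handshake over an in-memory pipe (no sockets) and
// returns the DNS name on the certificate the server presented, or the error.
// The client verifies against roots rather than using InsecureSkipVerify.
func handshakeFor(serverCfg *tls.Config, roots *x509.CertPool, sni string) (string, error) {
	c, s := net.Pipe()
	defer c.Close()
	defer s.Close()
	srvErr := make(chan error, 1)
	go func() { srvErr <- tls.Server(s, serverCfg).Handshake() }()
	cli := tls.Client(c, &tls.Config{ServerName: sni, RootCAs: roots})
	if err := cli.Handshake(); err != nil {
		return "", err
	}
	if err := <-srvErr; err != nil {
		return "", err
	}
	return cli.ConnectionState().PeerCertificates[0].DNSNames[0], nil
}

func main() {
	certs := map[string]tls.Certificate{}
	roots := x509.NewCertPool()
	for _, n := range []string{"a.example.test", "b.example.test"} {
		certs[n] = selfSigned(n)
		roots.AddCert(certs[n].Leaf)
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		log.Fatal(err)
	}
	srv := &http.Server{TLSConfig: perNameConfig(certs), Handler: http.HandlerFunc(
		func(w http.ResponseWriter, _ *http.Request) { fmt.Fprintln(w, "ok") })}
	// Empty certFile/keyFile is accepted with this commit because GetConfigForClient is set.
	go func() { log.Println("ServeTLS:", srv.ServeTLS(ln, "", "")) }()
	client := &http.Client{Timeout: 5 * time.Second, Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: roots, ServerName: "b.example.test"},
	}}
	resp, err := client.Get("https://" + ln.Addr().String())
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println(resp.Status, "with certificate for", resp.TLS.PeerCertificates[0].DNSNames)
}
```

The callback returns a whole tls.Config rather than just a certificate, which is what distinguishes GetConfigForClient from GetCertificate and why ServeTLS cannot know up front whether a certificate will exist: the only way to find out is to run a handshake. The harness uses net.Pipe so the per-SNI behaviour can be exercised without opening a socket; main exercises the actual ServeTLS path over loopback.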
Diffstat (limited to 'src/net/http/server.go')
| -rw-r--r-- | src/net/http/server.go | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/src/net/http/server.go b/src/net/http/server.go index b9a6edd7ad..190f565013 100644 --- a/src/net/http/server.go +++ b/src/net/http/server.go @@ -3370,7 +3370,8 @@ func (srv *Server) Serve(l net.Listener) error { // // Files containing a certificate and matching private key for the // server must be provided if neither the [Server]'s -// TLSConfig.Certificates nor TLSConfig.GetCertificate are populated. +// TLSConfig.Certificates, TLSConfig.GetCertificate nor +// config.GetConfigForClient are populated. // If the certificate is signed by a certificate authority, the // certFile should be the concatenation of the server's certificate, // any intermediates, and the CA's certificate. @@ -3389,7 +3390,7 @@ func (srv *Server) ServeTLS(l net.Listener, certFile, keyFile string) error { config.NextProtos = append(config.NextProtos, "http/1.1") } - configHasCert := len(config.Certificates) > 0 || config.GetCertificate != nil + configHasCert := len(config.Certificates) > 0 || config.GetCertificate != nil || config.GetConfigForClient != nil if !configHasCert || certFile != "" || keyFile != "" { var err error config.Certificates = make([]tls.Certificate, 1) |
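Review bot: the doc comment in the first hunk names the new alternative inconsistently: `TLSConfig.Certificates, TLSConfig.GetCertificate nor` is followed by `config.GetConfigForClient`, but `config` is the local variable inside ServeTLS, not something a reader of the [Server] documentation can see. Suggest `TLSConfig.GetConfigForClient` so all three alternatives refer to the exported field the same way.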
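Review bot: in the second hunk, `config.GetConfigForClient != nil` now suppresses loading certFile/keyFile, but the presence of the callback does not guarantee a certificate: a callback that returns nil (keep the base config) or a config without Certificates or GetCertificate leaves the server with nothing to present, and the failure moves from an error returned by ServeTLS at startup to a per-connection handshake failure. That matches what CL205059 did for tls.Listen, so the behaviour is consistent, but a sentence in the ServeTLS doc comment saying that with GetConfigForClient the certificate must come from the returned config would spare users a confusing runtime error. Visible in the context but not changed here: `config.Certificates = make([]tls.Certificate, 1)` still replaces, rather than appends to, any pre-populated Certificates whenever certFile or keyFile is non-empty.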
