Commit 6a208efb authored by Brad Fitzpatrick

net/http: make ListenAndServeTLS treat GetCertificate as a set cert too

ListenAndServeTLS doesn't require cert and key file names if the
server's TLSConfig has a cert configured. This code was never updated
when the GetCertificate hook was added to *tls.Config, however.

Fixes #14268

Change-Id: Ib282ebb05697edd37ed8ff105972cbd1176d900b
Reviewed-on: https://go-review.googlesource.com/19381
Reviewed-by: Russ Cox <rsc@golang.org>
parent 41191e19
...@@ -1039,12 +1039,30 @@ func TestAutomaticHTTP2_Serve(t *testing.T) { ...@@ -1039,12 +1039,30 @@ func TestAutomaticHTTP2_Serve(t *testing.T) {
} }
func TestAutomaticHTTP2_ListenAndServe(t *testing.T) { func TestAutomaticHTTP2_ListenAndServe(t *testing.T) {
defer afterTest(t)
defer SetTestHookServerServe(nil)
cert, err := tls.X509KeyPair(internal.LocalhostCert, internal.LocalhostKey) cert, err := tls.X509KeyPair(internal.LocalhostCert, internal.LocalhostKey)
if err != nil { if err != nil {
t.Fatal(err) t.Fatal(err)
} }
testAutomaticHTTP2_ListenAndServe(t, &tls.Config{
Certificates: []tls.Certificate{cert},
})
}
func TestAutomaticHTTP2_ListenAndServe_GetCertificate(t *testing.T) {
cert, err := tls.X509KeyPair(internal.LocalhostCert, internal.LocalhostKey)
if err != nil {
t.Fatal(err)
}
testAutomaticHTTP2_ListenAndServe(t, &tls.Config{
GetCertificate: func(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error) {
return &cert, nil
},
})
}
func testAutomaticHTTP2_ListenAndServe(t *testing.T, tlsConf *tls.Config) {
defer afterTest(t)
defer SetTestHookServerServe(nil)
var ok bool var ok bool
var s *Server var s *Server
const maxTries = 5 const maxTries = 5
...@@ -1061,9 +1079,7 @@ Try: ...@@ -1061,9 +1079,7 @@ Try:
}) })
s = &Server{ s = &Server{
Addr: addr, Addr: addr,
TLSConfig: &tls.Config{ TLSConfig: tlsConf,
Certificates: []tls.Certificate{cert},
},
} }
errc := make(chan error, 1) errc := make(chan error, 1)
go func() { errc <- s.ListenAndServeTLS("", "") }() go func() { errc <- s.ListenAndServeTLS("", "") }()
......
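Review bot: Both new test functions repeat the same key-pair load and fatal check (`cert, err := tls.X509KeyPair(internal.LocalhostCert, internal.LocalhostKey)` followed by `if err != nil { t.Fatal(err) }`), which is a point of style rather than correctness now that the shared body has been factored into testAutomaticHTTP2_ListenAndServe. A small helper such as `func localhostCert(t *testing.T) tls.Certificate` returning the parsed pair would let each test read as just the config it varies. Note also that the same `tlsConf` pointer is now handed to a fresh Server on every retry of the `Try:` loop, where previously a new `&tls.Config{}` was built per attempt; that is only safe if ListenAndServeTLS does not mutate the config it is given, which is not visible from this hunk and worth confirming.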
...@@ -2233,10 +2233,11 @@ func ListenAndServeTLS(addr, certFile, keyFile string, handler Handler) error { ...@@ -2233,10 +2233,11 @@ func ListenAndServeTLS(addr, certFile, keyFile string, handler Handler) error {
// Accepted connections are configured to enable TCP keep-alives. // Accepted connections are configured to enable TCP keep-alives.
// //
// Filenames containing a certificate and matching private key for the // Filenames containing a certificate and matching private key for the
// server must be provided if the Server's TLSConfig.Certificates is // server must be provided if neither the Server's TLSConfig.Certificates
// not populated. If the certificate is signed by a certificate // nor TLSConfig.GetCertificate are populated. If the certificate is
// authority, the certFile should be the concatenation of the server's // signed by a certificate authority, the certFile should be the
// certificate, any intermediates, and the CA's certificate. // concatenation of the server's certificate, any intermediates, and
// the CA's certificate.
// //
// If srv.Addr is blank, ":https" is used. // If srv.Addr is blank, ":https" is used.
// //
...@@ -2258,7 +2259,8 @@ func (srv *Server) ListenAndServeTLS(certFile, keyFile string) error { ...@@ -2258,7 +2259,8 @@ func (srv *Server) ListenAndServeTLS(certFile, keyFile string) error {
config.NextProtos = append(config.NextProtos, "http/1.1") config.NextProtos = append(config.NextProtos, "http/1.1")
} }
if len(config.Certificates) == 0 || certFile != "" || keyFile != "" { configHasCert := len(config.Certificates) > 0 || config.GetCertificate != nil
if !configHasCert || certFile != "" || keyFile != "" {
var err error var err error
config.Certificates = make([]tls.Certificate, 1) config.Certificates = make([]tls.Certificate, 1)
config.Certificates[0], err = tls.LoadX509KeyPair(certFile, keyFile) config.Certificates[0], err = tls.LoadX509KeyPair(certFile, keyFile)
......
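Review bot: The new condition `if !configHasCert || certFile != "" || keyFile != ""` still replaces `config.Certificates` with the file-loaded pair whenever either filename is non-empty, so a TLSConfig that sets GetCertificate and is also passed explicit files ends up with both sources configured, and which one actually serves a handshake is decided inside crypto/tls rather than here. The updated doc comment in the earlier hunk only describes the "neither populated" case, so a caller cannot tell from it that explicit files override Certificates but presumably do not override a GetCertificate callback; please confirm the precedence against crypto/tls and document it, e.g. `// If certFile and keyFile are given, they are loaded into TLSConfig.Certificates, replacing any certificates already configured; a GetCertificate callback, if set, is left in place.` If that combination is not meant to be supported, returning an error for it would be safer than silently serving whichever source crypto/tls picks. The if body continues past the end of the hunk (the error check after LoadX509KeyPair is not visible here).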