Just like for tls.Config.GetCertificate the http.Server.ServeTLS method
should be checking tls.Config.GetConfigForClient before trying top open
the specified certFile/keyFile.
This was previously fixed for crypto/tls when using tls.Listen in
CL205059, but the same change for net/http was missed. I've added a
comment src/crypto/tls/tls.go in the relevant section in the hope that
any future changes of a similar nature consider will consider updating
net/http as needed as well.
Change-Id: I312303bc497d92aa2f4627fe2620c70779cbcc99
GitHub-Last-Rev:
6ed29a900816a13690a9f3e26476d9bc1055a6f7
GitHub-Pull-Request: golang/go#66795
Reviewed-on: https://go-review.googlesource.com/c/go/+/578396
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Cherry Mui <cherryyz@google.com>
// The configuration config must be non-nil and must include
// at least one certificate or else set GetCertificate.
func Listen(network, laddr string, config *Config) (net.Listener, error) {
+ // If this condition changes, consider updating http.Server.ServeTLS too.
if config == nil || len(config.Certificates) == 0 &&
config.GetCertificate == nil && config.GetConfigForClient == nil {
return nil, errors.New("tls: neither Certificates, GetCertificate, nor GetConfigForClient set in Config")
})
}
+func TestAutomaticHTTP2_ListenAndServe_GetConfigForClient(t *testing.T) {
+ cert, err := tls.X509KeyPair(testcert.LocalhostCert, testcert.LocalhostKey)
+ if err != nil {
+ t.Fatal(err)
+ }
+ conf := &tls.Config{
+ // GetConfigForClient requires specifying a full tls.Config so we must set
+ // NextProtos ourselves.
+ NextProtos: []string{"h2"},
+ Certificates: []tls.Certificate{cert},
+ }
+ testAutomaticHTTP2_ListenAndServe(t, &tls.Config{
+ GetConfigForClient: func(clientHello *tls.ClientHelloInfo) (*tls.Config, error) {
+ return conf, nil
+ },
+ })
+}
+
func testAutomaticHTTP2_ListenAndServe(t *testing.T, tlsConf *tls.Config) {
CondSkipHTTP2(t)
// Not parallel: uses global test hooks.
//
// Files containing a certificate and matching private key for the
// server must be provided if neither the [Server]'s
-// TLSConfig.Certificates nor TLSConfig.GetCertificate are populated.
+// TLSConfig.Certificates, TLSConfig.GetCertificate nor
+// config.GetConfigForClient are populated.
// If the certificate is signed by a certificate authority, the
// certFile should be the concatenation of the server's certificate,
// any intermediates, and the CA's certificate.
config.NextProtos = append(config.NextProtos, "http/1.1")
}
- configHasCert := len(config.Certificates) > 0 || config.GetCertificate != nil
+ configHasCert := len(config.Certificates) > 0 || config.GetCertificate != nil || config.GetConfigForClient != nil
if !configHasCert || certFile != "" || keyFile != "" {
var err error
config.Certificates = make([]tls.Certificate, 1)