Merge current v2.9 into master
517917cd7c
16 changed files with 439 additions and 175 deletions
@ -158,19 +158,16 @@ func (m *Manager) Get(storeName, configName string) (*tls.Config, error) {
|
|||
m.lock.RLock()
|
||||
defer m.lock.RUnlock()
|
||||
|
||||
var tlsConfig *tls.Config
|
||||
var err error
|
||||
|
||||
sniStrict := false
|
||||
config, ok := m.configs[configName]
|
||||
if ok {
|
||||
sniStrict = config.SniStrict
|
||||
tlsConfig, err = buildTLSConfig(config)
|
||||
} else {
|
||||
err = fmt.Errorf("unknown TLS options: %s", configName)
|
||||
if !ok {
|
||||
return nil, fmt.Errorf("unknown TLS options: %s", configName)
|
||||
}
|
||||
|
||||
sniStrict = config.SniStrict
|
||||
tlsConfig, err := buildTLSConfig(config)
|
||||
if err != nil {
|
||||
tlsConfig = &tls.Config{}
|
||||
return nil, fmt.Errorf("building TLS config: %w", err)
|
||||
}
|
||||
|
||||
store := m.getStore(storeName)
|
||||
|
@ -178,7 +175,7 @@ func (m *Manager) Get(storeName, configName string) (*tls.Config, error) {
|
|||
err = fmt.Errorf("TLS store %s not found", storeName)
|
||||
}
|
||||
acmeTLSStore := m.getStore(tlsalpn01.ACMETLS1Protocol)
|
||||
if acmeTLSStore == nil {
|
||||
if acmeTLSStore == nil && err == nil {
|
||||
err = fmt.Errorf("ACME TLS store %s not found", tlsalpn01.ACMETLS1Protocol)
|
||||
}
|
||||
|
||||
|
@ -189,15 +186,12 @@ func (m *Manager) Get(storeName, configName string) (*tls.Config, error) {
|
|||
certificate := acmeTLSStore.GetBestCertificate(clientHello)
|
||||
if certificate == nil {
|
||||
log.Debug().Msgf("TLS: no certificate for TLSALPN challenge: %s", domainToCheck)
|
||||
// We want the user to eventually get the (alertUnrecognizedName) "unrecognized
|
||||
// name" error.
|
||||
// Unfortunately, if we returned an error here, since we can't use
|
||||
// the unexported error (errNoCertificates) that our caller (config.getCertificate
|
||||
// in crypto/tls) uses as a sentinel, it would report an (alertInternalError)
|
||||
// "internal error" instead of an alertUnrecognizedName.
|
||||
// Which is why we return no error, and we let the caller detect that there's
|
||||
// actually no certificate, and fall back into the flow that will report
|
||||
// the desired error.
|
||||
// We want the user to eventually get the (alertUnrecognizedName) "unrecognized name" error.
|
||||
// Unfortunately, if we returned an error here,
|
||||
// since we can't use the unexported error (errNoCertificates) that our caller (config.getCertificate in crypto/tls) uses as a sentinel,
|
||||
// it would report an (alertInternalError) "internal error" instead of an alertUnrecognizedName.
|
||||
// Which is why we return no error, and we let the caller detect that there's actually no certificate,
|
||||
// and fall back into the flow that will report the desired error.
|
||||
// https://cs.opensource.google/go/go/+/dev.boringcrypto.go1.17:src/crypto/tls/common.go;l=1058
|
||||
return nil, nil
|
||||
}
|
||||
|
|
|
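Review bot: In the first hunk of Manager.Get the context line `sniStrict := false` has become an ineffectual assignment: the new code overwrites it unconditionally with `sniStrict = config.SniStrict` right after the `!ok` early return, and nothing reads it in between, so ineffassign and staticcheck (SA4006) will flag it. Drop the `:= false` line and declare it at the point of use, `sniStrict := config.SniStrict`, after the unknown-options check. With the new early return on the buildTLSConfig error, `err` can only be non-nil at the ACME store check when the named store was missing, so the added `&& err == nil` guard in the second hunk now exists solely to keep that first error from being overwritten; a short comment saying so (`// keep the first store error`) would make the intent clear. The rest of Get, including where sniStrict and err are consumed, lies outside these hunks.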
@ -119,8 +119,9 @@ func TestManager_Get(t *testing.T) {
|
|||
}}
|
||||
|
||||
tlsConfigs := map[string]Options{
|
||||
"foo": {MinVersion: "VersionTLS12"},
|
||||
"bar": {MinVersion: "VersionTLS11"},
|
||||
"foo": {MinVersion: "VersionTLS12"},
|
||||
"bar": {MinVersion: "VersionTLS11"},
|
||||
"invalid": {CurvePreferences: []string{"42"}},
|
||||
}
|
||||
|
||||
testCases := []struct {
|
||||
|
@ -140,15 +141,20 @@ func TestManager_Get(t *testing.T) {
|
|||
expectedMinVersion: uint16(tls.VersionTLS11),
|
||||
},
|
||||
{
|
||||
desc: "Get an tls config from an invalid name",
|
||||
desc: "Get a tls config from an invalid name",
|
||||
tlsOptionsName: "unknown",
|
||||
expectedError: true,
|
||||
},
|
||||
{
|
||||
desc: "Get an tls config from unexisting 'default' name",
|
||||
desc: "Get a tls config from unexisting 'default' name",
|
||||
tlsOptionsName: "default",
|
||||
expectedError: true,
|
||||
},
|
||||
{
|
||||
desc: "Get an invalid tls config",
|
||||
tlsOptionsName: "invalid",
|
||||
expectedError: true,
|
||||
},
|
||||
}
|
||||
|
||||
tlsManager := NewManager()
|
||||
|
@ -161,42 +167,13 @@ func TestManager_Get(t *testing.T) {
|
|||
|
||||
config, err := tlsManager.Get("default", test.tlsOptionsName)
|
||||
if test.expectedError {
|
||||
assert.Error(t, err)
|
||||
require.Nil(t, config)
|
||||
require.Error(t, err)
|
||||
return
|
||||
}
|
||||
|
||||
assert.NoError(t, err)
|
||||
assert.Equal(t, config.MinVersion, test.expectedMinVersion)
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestManager_Get_GetCertificate(t *testing.T) {
|
||||
testCases := []struct {
|
||||
desc string
|
||||
expectedGetConfigErr require.ErrorAssertionFunc
|
||||
expectedCertificate assert.ValueAssertionFunc
|
||||
}{
|
||||
{
|
||||
desc: "Get a default certificate from non-existing store",
|
||||
expectedGetConfigErr: require.Error,
|
||||
expectedCertificate: assert.Nil,
|
||||
},
|
||||
}
|
||||
|
||||
tlsManager := NewManager()
|
||||
|
||||
for _, test := range testCases {
|
||||
test := test
|
||||
t.Run(test.desc, func(t *testing.T) {
|
||||
t.Parallel()
|
||||
|
||||
config, err := tlsManager.Get("default", "foo")
|
||||
test.expectedGetConfigErr(t, err)
|
||||
|
||||
certificate, err := config.GetCertificate(&tls.ClientHelloInfo{})
|
||||
require.NoError(t, err)
|
||||
test.expectedCertificate(t, certificate)
|
||||
assert.Equal(t, config.MinVersion, test.expectedMinVersion)
|
||||
})
|
||||
}
|
||||
}
|
||||
|
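Review bot: The hunk at -161,42 +167,13 removes TestManager_Get_GetCertificate, and as far as the rendered view shows no replacement was added, so nothing in this file still exercises the GetCertificate callback and its `return nil, nil` branch for a missing TLS-ALPN certificate (the branch whose comment was reworded in manager.go). The removed case cannot simply be restored, since Get now returns a nil config on error and calling config.GetCertificate on it would panic; a replacement should obtain a config from a manager whose stores are present (setup lies outside this hunk) and then assert that `GetCertificate(&tls.ClientHelloInfo{})` for an unmatched server name returns a nil certificate and a nil error. The new `"invalid"` case only covers the buildTLSConfig error path, not certificate selection.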
|