crypto/tls: call GetCertificate if Certificates is empty.
This change causes the GetCertificate callback to be called if
Certificates is empty. Previously this configuration would result in an
error.
This allows people to have servers that depend entirely on dynamic
certificate selection, even when the client doesn't send SNI.
Fixes #9208.
Change-Id: I2f5a5551215958b88b154c64a114590300dfc461
Reviewed-on: https://go-review.googlesource.com/8792
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Run-TryBot: Adam Langley <agl@golang.org>
diff --git a/src/crypto/tls/handshake_server.go b/src/crypto/tls/handshake_server.go
index e6e0b02..26c3333 100644
--- a/src/crypto/tls/handshake_server.go
+++ b/src/crypto/tls/handshake_server.go
@@ -189,22 +189,14 @@
}
}
- if len(config.Certificates) == 0 {
+ if hs.cert, err = config.getCertificate(&ClientHelloInfo{
+ CipherSuites: hs.clientHello.cipherSuites,
+ ServerName: hs.clientHello.serverName,
+ SupportedCurves: hs.clientHello.supportedCurves,
+ SupportedPoints: hs.clientHello.supportedPoints,
+ }); err != nil {
c.sendAlert(alertInternalError)
- return false, errors.New("tls: no certificates configured")
- }
- hs.cert = &config.Certificates[0]
- if len(hs.clientHello.serverName) > 0 {
- chi := &ClientHelloInfo{
- CipherSuites: hs.clientHello.cipherSuites,
- ServerName: hs.clientHello.serverName,
- SupportedCurves: hs.clientHello.supportedCurves,
- SupportedPoints: hs.clientHello.supportedPoints,
- }
- if hs.cert, err = config.getCertificate(chi); err != nil {
- c.sendAlert(alertInternalError)
- return false, err
- }
+ return false, err
}
if hs.clientHello.scts {
hs.hello.scts = hs.cert.SignedCertificateTimestamps
