Try cert Manager before asking permission
Managers are expected to have 'asking permission' built in
This commit is contained in:
parent
f7ea6fb698
commit
7681257d05
@ -348,7 +348,9 @@ type Revoker interface {
|
||||
type Manager interface {
|
||||
// GetCertificate returns the certificate to use to complete the handshake.
|
||||
// Since this is called during every TLS handshake, it must be very fast and not block.
|
||||
// Returning (nil, nil) is valid and is simply treated as a no-op.
|
||||
// Returning (nil, nil) is valid and is simply treated as a no-op. Return (nil, nil)
|
||||
// when the Manager has no certificate for this handshake. Return an error or a
|
||||
// certificate only if the Manager is supposed to get a certificate for this handshake.
|
||||
GetCertificate(context.Context, *tls.ClientHelloInfo) (*tls.Certificate, error)
|
||||
}
|
||||
|
||||
|
13
handshake.go
13
handshake.go
@ -316,13 +316,6 @@ func (cfg *Config) getCertDuringHandshake(ctx context.Context, hello *tls.Client
|
||||
}()
|
||||
}
|
||||
|
||||
// Make sure a certificate is allowed for the given name. If not, it doesn't
|
||||
// make sense to try loading one from storage (issue #185), getting it from a
|
||||
// certificate manager, or obtaining one from an issuer.
|
||||
if err := cfg.checkIfCertShouldBeObtained(ctx, name, false); err != nil {
|
||||
return Certificate{}, fmt.Errorf("certificate is not allowed for server name %s: %w", name, err)
|
||||
}
|
||||
|
||||
// If an external Manager is configured, try to get it from them.
|
||||
// Only continue to use our own logic if it returns empty+nil.
|
||||
externalCert, err := cfg.getCertFromAnyCertManager(ctx, hello, logger)
|
||||
@ -333,6 +326,12 @@ func (cfg *Config) getCertDuringHandshake(ctx context.Context, hello *tls.Client
|
||||
return externalCert, nil
|
||||
}
|
||||
|
||||
// Make sure a certificate is allowed for the given name. If not, it doesn't make sense
|
||||
// to try loading one from storage (issue #185) or obtaining one from an issuer.
|
||||
if err := cfg.checkIfCertShouldBeObtained(ctx, name, false); err != nil {
|
||||
return Certificate{}, fmt.Errorf("certificate is not allowed for server name %s: %w", name, err)
|
||||
}
|
||||
|
||||
// We might be able to load or obtain a needed certificate. Load from
|
||||
// storage if OnDemand is enabled, or if there is the possibility that
|
||||
// a statically-managed cert was evicted from a full cache.
|
||||
|
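Review bot: The new ordering means getCertFromAnyCertManager now runs for every server name before checkIfCertShouldBeObtained, and a certificate it returns is handed straight back at `return externalCert, nil`, so the Manager is the only policy gate for names the local config would otherwise have rejected; the context comment above the call does not say so. I would extend it with `// Managers are consulted before checkIfCertShouldBeObtained, so a Manager must enforce its own name/permission policy; a certificate it returns is served without further checks here.` Whether a non-nil error from the Manager is returned or falls through to the local path is decided in the lines between the two hunks and is not visible here. getCertDuringHandshake starts before the first hunk and continues past the second.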