Diffstat (limited to 'modules')
-rw-r--r-- | modules/caddytls/connpolicy.go | 8 |
1 files changed, 1 insertions, 7 deletions
diff --git a/modules/caddytls/connpolicy.go b/modules/caddytls/connpolicy.go
index 3a18061..fec1fe2 100644
--- a/modules/caddytls/connpolicy.go
+++ b/modules/caddytls/connpolicy.go
@@ -334,7 +334,7 @@ func (clientauth *ClientAuthentication) ConfigureTLSConfig(cfg *tls.Config) erro
 case "require_and_verify":
 cfg.ClientAuth = tls.RequireAndVerifyClientCert
 default:
- return fmt.Errorf("client auth mode %s not allowed", clientauth.Mode)
+ return fmt.Errorf("client auth mode not recognized: %s", clientauth.Mode)
 }
 } else {
 // otherwise, set a safe default mode
@@ -361,7 +361,6 @@ func (clientauth *ClientAuthentication) ConfigureTLSConfig(cfg *tls.Config) erro
 // enforce leaf verification by writing our own verify function
 if len(clientauth.TrustedLeafCerts) > 0 {
 clientauth.trustedLeafCerts = []*x509.Certificate{}
-
 for _, clientCertString := range clientauth.TrustedLeafCerts {
 clientCert, err := decodeBase64DERCert(clientCertString)
 if err != nil {
@@ -369,10 +368,8 @@ func (clientauth *ClientAuthentication) ConfigureTLSConfig(cfg *tls.Config) erro
 }
 clientauth.trustedLeafCerts = append(clientauth.trustedLeafCerts, clientCert)
 }
-
 // if a custom verification function already exists, wrap it
 clientauth.existingVerifyPeerCert = cfg.VerifyPeerCertificate
-
 cfg.VerifyPeerCertificate = clientauth.verifyPeerCertificate
 }
@@ -411,13 +408,10 @@ func (clientauth ClientAuthentication) verifyPeerCertificate(rawCerts [][]byte,
 // decodeBase64DERCert base64-decodes, then DER-decodes, certStr.
 func decodeBase64DERCert(certStr string) (*x509.Certificate, error) {
- // decode base64
 derBytes, err := base64.StdEncoding.DecodeString(certStr)
 if err != nil {
 return nil, err
 }
-
- // parse the DER-encoded certificate
 return x509.ParseCertificate(derBytes)
 } |
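Review bot: The reworded error on the first hunk's `+` line still formats the rejected mode with `%s`, so a Mode that is empty, whitespace-only, or carries a stray quote renders indistinguishably in the message and the operator cannot see what was actually rejected; `%q` would make it unambiguous: `return fmt.Errorf("client auth mode not recognized: %q", clientauth.Mode)`. Whether an empty Mode can even reach this `default:` depends on the `if` condition above the hunk (the `} else { // otherwise, set a safe default mode` at the hunk's end suggests it is handled there), which is not visible here. Naming the accepted modes in the message would also help, but only `require_and_verify` is visible in this hunk, so I cannot enumerate them. ConfigureTLSConfig begins and ends outside the hunk.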