Only the first TLS certificate is used rather than the full chain (#3)

2024-11-24 06:19:41 +00:00 · 2023-03-06 11:07:51 +00:00 · 2023-03-06 11:07:51 +00:00 · a6a4252a95
commit a6a4252a95
parent 527202b5be
2 changed files with 14 additions and 7 deletions
--- a/src/config/certificate.rs
+++ b/src/config/certificate.rs
@ -51,8 +51,8 @@ impl ResolvesServerCert for CertificateResolver {
 }

 impl Config {
-    pub fn rustls_certificate(&self, cert_id: &str) -> super::Result<Certificate> {
-        certs(&mut Cursor::new(self.file_contents((
+    pub fn rustls_certificate(&self, cert_id: &str) -> super::Result<Vec<Certificate>> {
+        let certs = certs(&mut Cursor::new(self.file_contents((
            "certificate",
            cert_id,
            "cert",
@ -62,8 +62,15 @@ impl Config {
        })?
        .into_iter()
        .map(Certificate)
-        .next()
-        .ok_or_else(|| format!("No certificates found in \"certificate.{cert_id}.cert\"."))
+        .collect::<Vec<_>>();
+
+        if !certs.is_empty() {
+            Ok(certs)
+        } else {
+            Err(format!(
+                "No certificates found in \"certificate.{cert_id}.cert\"."
+            ))
+        }
    }

    pub fn rustls_private_key(&self, cert_id: &str) -> super::Result<PrivateKey> {
--- a/src/config/server.rs
+++ b/src/config/server.rs
@ -116,7 +116,7 @@ impl Config {
                            value,
                            match self.value((prefix, "certificate")) {
                                Some(sni_cert_id) if sni_cert_id != cert_id => CertifiedKey {
-                                    cert: vec![self.rustls_certificate(sni_cert_id)?],
+                                    cert: self.rustls_certificate(sni_cert_id)?,
                                    key: any_supported_type(&self.rustls_private_key(sni_cert_id)?)
                                        .map_err(|err| {
                                            format!(
@ -127,7 +127,7 @@ impl Config {
                                    sct_list: None,
                                },
                                _ => CertifiedKey {
-                                    cert: vec![cert.clone()],
+                                    cert: cert.clone(),
                                    key:
                                        any_supported_type(&pki).map_err(|err| {
                                            format!(
@ -147,7 +147,7 @@ impl Config {

            // Add default certificate
            let default_cert = Some(Arc::new(CertifiedKey {
-                cert: vec![cert],
+                cert,
                key: any_supported_type(&pki)
                    .map_err(|err| format!("Failed to sign certificate id {cert_id:?}: {err}"))?,
                ocsp: None,