From a6a4252a95ae71da5f00c7cbb88c5c7d4878e31f Mon Sep 17 00:00:00 2001 From: Mauro D Date: Mon, 6 Mar 2023 11:07:51 +0000 Subject: [PATCH] Only the first TLS certificate is used rather than the full chain (#3) --- src/config/certificate.rs | 15 +++++++++++---- src/config/server.rs | 6 +++--- 2 files changed, 14 insertions(+), 7 deletions(-) diff --git a/src/config/certificate.rs b/src/config/certificate.rs index 9e87eab..8954261 100644 --- a/src/config/certificate.rs +++ b/src/config/certificate.rs @@ -51,8 +51,8 @@ impl ResolvesServerCert for CertificateResolver { } impl Config { - pub fn rustls_certificate(&self, cert_id: &str) -> super::Result { - certs(&mut Cursor::new(self.file_contents(( + pub fn rustls_certificate(&self, cert_id: &str) -> super::Result> { + let certs = certs(&mut Cursor::new(self.file_contents(( "certificate", cert_id, "cert", @@ -62,8 +62,15 @@ impl Config { })? .into_iter() .map(Certificate) - .next() - .ok_or_else(|| format!("No certificates found in \"certificate.{cert_id}.cert\".")) + .collect::>(); + + if !certs.is_empty() { + Ok(certs) + } else { + Err(format!( + "No certificates found in \"certificate.{cert_id}.cert\"." + )) + } } pub fn rustls_private_key(&self, cert_id: &str) -> super::Result { diff --git a/src/config/server.rs b/src/config/server.rs index b862a76..4be6139 100644 --- a/src/config/server.rs +++ b/src/config/server.rs @@ -116,7 +116,7 @@ impl Config { value, match self.value((prefix, "certificate")) { Some(sni_cert_id) if sni_cert_id != cert_id => CertifiedKey { - cert: vec![self.rustls_certificate(sni_cert_id)?], + cert: self.rustls_certificate(sni_cert_id)?, key: any_supported_type(&self.rustls_private_key(sni_cert_id)?) .map_err(|err| { format!( @@ -127,7 +127,7 @@ impl Config { sct_list: None, }, _ => CertifiedKey { - cert: vec![cert.clone()], + cert: cert.clone(), key: any_supported_type(&pki).map_err(|err| { format!( 
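Review bot: The `Vec<Certificate>` built in the `@@ -62` hunk is handed straight to `CertifiedKey.cert` in server.rs, where rustls treats the first element as the end-entity certificate and the remainder as the chain it sends to clients; since the function keeps the PEM file's order, a file that lists an intermediate or root first now produces a server presenting the wrong leaf, and neither the `@@ -51` signature change nor the collect documents or checks that ordering. I would add a doc comment on `rustls_certificate`, e.g. `/// Reads every PEM certificate from "certificate.{cert_id}.cert" in file order; the first entry must be the end-entity certificate, followed by its intermediates, as rustls presents them in that order.` The `is_empty` check only proves that at least one PEM block parsed, so the error text could also state that expectation. As a point of style, the inverted `if !certs.is_empty() { Ok(certs) } else { Err(...) }` reads more naturally with the failure first: `if certs.is_empty() { return Err(format!("No certificates found in \"certificate.{cert_id}.cert\".")); } Ok(certs)`. The enclosing `impl Config` block continues outside the hunk.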
@@ -147,7 +147,7 @@ impl Config { // Add default certificate let default_cert = Some(Arc::new(CertifiedKey { - cert: vec![cert], + cert, key: any_supported_type(&pki) .map_err(|err| format!("Failed to sign certificate id {cert_id:?}: {err}"))?, ocsp: None,