diff --git a/server.go b/server.go
index 4fef94cac9..cb4c823dfe 100644
--- a/server.go
+++ b/server.go
@@ -391,7 +391,17 @@ type Server struct {
 // By default standard logger from log package is used.
 Logger Logger
 
- tlsConfig *tls.Config
+ // TLSConfig optionally provides a TLS configuration for use
+ // by ServeTLS, ServeTLSEmbed, ListenAndServeTLS, ListenAndServeTLSEmbed,
+ // AppendCert, AppendCertEmbed and NextProto.
+ //
+ // Note that this value is cloned by ServeTLS, ServeTLSEmbed, ListenAndServeTLS
+ // and ListenAndServeTLSEmbed, so it's not possible to modify the configuration
+ // with methods like tls.Config.SetSessionTicketKeys.
+ // To use SetSessionTicketKeys, use Server.Serve with a TLS Listener
+ // instead.
+ TLSConfig *tls.Config
+
 nextProtos map[string]ServeHandler
 
 concurrency uint32
@@ -1464,8 +1474,9 @@ func (s *Server) NextProto(key string, nph ServeHandler) {
 if s.nextProtos == nil {
 s.nextProtos = make(map[string]ServeHandler)
 }
+ s.configTLS()
 
- s.tlsConfig.NextProtos = append(s.tlsConfig.NextProtos, key)
+ s.TLSConfig.NextProtos = append(s.TLSConfig.NextProtos, key)
 s.nextProtos[key] = nph
 }
 
@@ -1624,19 +1635,19 @@ func (s *Server) ServeTLS(ln net.Listener, certFile, keyFile string) error {
 s.mu.Unlock()
 return err
 }
- if s.tlsConfig == nil {
+ if s.TLSConfig == nil {
 s.mu.Unlock()
 return errNoCertOrKeyProvided
 }
 
 // BuildNameToCertificate has been deprecated since 1.14.
 // But since we also support older versions we'll keep this here.
- s.tlsConfig.BuildNameToCertificate() //nolint:staticcheck
+ s.TLSConfig.BuildNameToCertificate() //nolint:staticcheck
 
 s.mu.Unlock()
 return s.Serve(
- tls.NewListener(ln, s.tlsConfig),
+ tls.NewListener(ln, s.TLSConfig.Clone()),
 )
 }
 
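Review bot: The new TLSConfig field comment says the value is cloned by the Serve*TLS methods but not that it is also written in place: AppendCert and AppendCertEmbed append to its Certificates, NextProto appends to its NextProtos, and ServeTLS/ServeTLSEmbed call BuildNameToCertificate on it, so a tls.Config shared with another Server or listener will pick up those changes. I would add to the field comment: `// AppendCert, AppendCertEmbed, NextProto, ServeTLS and ServeTLSEmbed modify this config in place (Certificates, NextProtos, NameToCertificate), so do not share one tls.Config between servers.` It would also help to state that the field, and any AppendCert/NextProto calls, must be set up before the Serve*TLS methods run, since changes made after the clone are not seen by the listener. The rest of the Server struct is outside the hunk.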
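Review bot: In ServeTLS, `s.TLSConfig.Clone()` runs after `s.mu.Unlock()`, so the clone reads the config outside the lock this method takes for AppendCert and the nil check; as far as the hunks show, AppendCert, AppendCertEmbed and NextProto do not take s.mu themselves, so a concurrent call to one of them can race with the copy. Take the snapshot while still holding the lock: `cfg := s.TLSConfig.Clone()` before `s.mu.Unlock()`, then `return s.Serve(tls.NewListener(ln, cfg))`. ServeTLSEmbed in the next hunk has the same ordering and should get the same change. The beginning of ServeTLS, including the Lock and the AppendCert call, is outside the hunk.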
@@ -1654,19 +1665,19 @@ func (s *Server) ServeTLSEmbed(ln net.Listener, certData, keyData []byte) error
 s.mu.Unlock()
 return err
 }
- if s.tlsConfig == nil {
+ if s.TLSConfig == nil {
 s.mu.Unlock()
 return errNoCertOrKeyProvided
 }
 
 // BuildNameToCertificate has been deprecated since 1.14.
 // But since we also support older versions we'll keep this here.
- s.tlsConfig.BuildNameToCertificate() //nolint:staticcheck
+ s.TLSConfig.BuildNameToCertificate() //nolint:staticcheck
 
 s.mu.Unlock()
 return s.Serve(
- tls.NewListener(ln, s.tlsConfig),
+ tls.NewListener(ln, s.TLSConfig.Clone()),
 )
 }
 
@@ -1685,8 +1696,8 @@ func (s *Server) AppendCert(certFile, keyFile string) error {
 }
 
 s.configTLS()
+ s.TLSConfig.Certificates = append(s.TLSConfig.Certificates, cert)
 
- s.tlsConfig.Certificates = append(s.tlsConfig.Certificates, cert)
 
 return nil
 }
@@ -1703,16 +1714,14 @@ func (s *Server) AppendCertEmbed(certData, keyData []byte) error {
 }
 
 s.configTLS()
+ s.TLSConfig.Certificates = append(s.TLSConfig.Certificates, cert)
 
- s.tlsConfig.Certificates = append(s.tlsConfig.Certificates, cert)
 
 return nil
 }
 
 func (s *Server) configTLS() {
- if s.tlsConfig == nil {
- s.tlsConfig = &tls.Config{
- PreferServerCipherSuites: true,
- }
+ if s.TLSConfig == nil {
+ s.TLSConfig = &tls.Config{}
 }
 }
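Review bot: configTLS no longer sets `PreferServerCipherSuites: true`; Go ignores that field from 1.17 on, but on earlier Go versions it is still honoured and the server would now follow the client's cipher-suite preference order, and the BuildNameToCertificate comment in the ServeTLS hunks says older Go versions are still supported, so this looks like an unintended behaviour change rather than a harmless cleanup. If the goal is to silence the deprecation lint, keep the field with the same `//nolint:staticcheck` marker used for BuildNameToCertificate, or record in the commit why it is dropped. configTLS is also the only place any default is applied, and a caller-supplied TLSConfig bypasses it entirely, which deserves a line on the function: `// configTLS lazily creates an empty TLSConfig; a config supplied by the caller is used as-is, with no defaults applied.`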