mirrors/hysteria
1
0
Fork 0
mirror of https://github.com/apernet/hysteria.git synced 2025-04-02 03:57:38 +03:00
Code Issues Projects Releases Packages Wiki Activity

Merge pull request #1041 from apernet/fix-cert-check

Browse source 
fix: check if cert-key is loadable on server start
This commit is contained in:
Toby 2024-04-15 14:58:32 -07:00 committed by GitHub
commit bf1cc0847e
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 15 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

15
app/cmd/server.go
View file

@ -10,6 +10,7 @@ import (
"net/http"
"net/http/httputil"
"net/url"
"os"
"strconv"
"strings"
"time"
@ -254,6 +255,20 @@ func (c *serverConfig) fillTLSConfig(hyConfig *server.Config) error {
if c.TLS.Cert == "" || c.TLS.Key == "" {
return configError{Field: "tls", Err: errors.New("empty cert or key path")}
}
// Try loading the cert-key pair here to catch errors early
// (e.g. invalid files or insufficient permissions)
certPEMBlock, err := os.ReadFile(c.TLS.Cert)
if err != nil {
return configError{Field: "tls.cert", Err: err}
}
keyPEMBlock, err := os.ReadFile(c.TLS.Key)
if err != nil {
return configError{Field: "tls.key", Err: err}
}
_, err = tls.X509KeyPair(certPEMBlock, keyPEMBlock)
if err != nil {
return configError{Field: "tls", Err: fmt.Errorf("invalid cert-key pair: %w", err)}
}
// Use GetCertificate instead of Certificates so that
// users can update the cert without restarting the server.
hyConfig.TLSConfig.GetCertificate = func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {