caddytls: Return errors instead of nil in client auth provisioning (#7464)

Two error returns in ClientAuthentication.provision() were
returning nil instead of the actual error, silently swallowing
failures when converting PEM files to DER and when provisioning
the CA pool. This could cause mTLS client authentication to
silently fall back to the system trust store, accepting any
client certificate signed by a public CA instead of restricting
to the configured trust anchors.
moscowchill 2026-02-12 23:42:54 +08:00 committed by GitHub
parent 0188ef2e62
commit d42d39b4bc
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194


@ -784,7 +784,7 @@ func (clientauth *ClientAuthentication) provision(ctx caddy.Context) error {
for _, fpath := range clientauth.TrustedCACertPEMFiles {
ders, err := convertPEMFilesToDER(fpath)
if err != nil {
return nil
return err
}
clientauth.TrustedCACerts = append(clientauth.TrustedCACerts, ders...)
}
@ -797,7 +797,7 @@ func (clientauth *ClientAuthentication) provision(ctx caddy.Context) error {
}
err := caPool.Provision(ctx)
if err != nil {
return nil
return err
}
clientauth.ca = caPool
}
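Review bot: Both new `return err` lines (the hunk at line 784 and the one at 797) hand back the bare error with no indication of which PEM file or which step failed, so an operator seeing a config-load failure gets only the underlying parse or pool error. In the first hunk, `return fmt.Errorf("converting trusted CA cert PEM file %q to DER: %w", fpath, err)` would name the file, and in the second, `return fmt.Errorf("provisioning CA pool: %w", err)` would name the step, assuming fmt is already imported in this file. Because the fix turns a silent fallback to the system trust store into a hard provisioning failure, a regression test that puts an unreadable or malformed path in TrustedCACertPEMFiles and asserts provision() returns a non-nil error would keep this from reappearing; none is visible in this excerpt. provision() begins and ends outside both hunks.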