From d42d39b4bc237c628f9a95363b28044cb7a7fe72 Mon Sep 17 00:00:00 2001
From: moscowchill <72578879+moscowchill@users.noreply.github.com>
Date: Thu, 12 Feb 2026 23:42:54 +0800
Subject: [PATCH] caddytls: Return errors instead of nil in client auth provisioning (#7464)

Two error returns in ClientAuthentication.provision() were returning nil instead of the actual error, silently swallowing failures when converting PEM files to DER and when provisioning the CA pool. This could cause mTLS client authentication to silently fall back to the system trust store, accepting any client certificate signed by a public CA instead of restricting to the configured trust anchors.
---
 modules/caddytls/connpolicy.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/modules/caddytls/connpolicy.go b/modules/caddytls/connpolicy.go
index 036c5fb92..6b6dc3636 100644
--- a/modules/caddytls/connpolicy.go
+++ b/modules/caddytls/connpolicy.go
@@ -784,7 +784,7 @@ func (clientauth *ClientAuthentication) provision(ctx caddy.Context) error {
 	for _, fpath := range clientauth.TrustedCACertPEMFiles {
 		ders, err := convertPEMFilesToDER(fpath)
 		if err != nil {
-			return nil
+			return err
 		}
 		clientauth.TrustedCACerts = append(clientauth.TrustedCACerts, ders...)
 	}
@@ -797,7 +797,7 @@ func (clientauth *ClientAuthentication) provision(ctx caddy.Context) error {
 	}
 	err := caPool.Provision(ctx)
 	if err != nil {
-		return nil
+		return err
 	}
 	clientauth.ca = caPool
 }
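Review bot: The new `return err` in this hunk and in the second hunk at @@ -797 surface the failure but return it bare, so an operator with several TrustedCACertPEMFiles cannot tell which file failed to convert, and a CA pool failure does not say it came from client auth provisioning; wrapping keeps the fix and adds that context, e.g. `return fmt.Errorf("converting PEM file %q to DER: %w", fpath, err)` and `return fmt.Errorf("provisioning client auth CA pool: %w", err)`. Whether `fmt` is already imported in connpolicy.go is not visible from the hunk. Because the old behaviour silently widened the set of accepted trust anchors, a regression test that calls provision() with an unreadable or malformed PEM path and asserts a non-nil error would keep this from recurring unnoticed. provision()'s body starts before the first hunk and continues past the second.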