Merge pull request #152 from hyperledger/fix_client_mtls

Provide the client certificate without relying on golang matching it
hyperledger · Oct 14, 2024 · 9da872a · 9da872a
2 parents 7717b7b + f2d135c
commit 9da872a
Showing 1 changed file with 16 additions and 2 deletions.
diff --git a/pkg/fftls/fftls.go b/pkg/fftls/fftls.go
@@ -89,20 +89,34 @@ func NewTLSConfig(ctx context.Context, config *Config, tlsType TLSType) (*tls.Co
 
 	tlsConfig.RootCAs = rootCAs
 
+	var configuredCert *tls.Certificate
 	// For mTLS we need both the cert and key
 	if config.CertFile != "" && config.KeyFile != "" {
 		// Read the key pair to create certificate
 		cert, err := tls.LoadX509KeyPair(config.CertFile, config.KeyFile)
 		if err != nil {
 			return nil, i18n.WrapError(ctx, err, i18n.MsgInvalidKeyPairFiles)
 		}
-		tlsConfig.Certificates = []tls.Certificate{cert}
+		configuredCert = &cert
 	} else if config.Cert != "" && config.Key != "" {
 		cert, err := tls.X509KeyPair([]byte(config.Cert), []byte(config.Key))
 		if err != nil {
 			return nil, i18n.WrapError(ctx, err, i18n.MsgInvalidKeyPairFiles)
 		}
-		tlsConfig.Certificates = []tls.Certificate{cert}
+		configuredCert = &cert
+	}
+
+	if configuredCert != nil {
+		// Rather than letting Golang pick a certificate it thinks matches from the list of one,
+		// we directly supply it the one we have in all cases.
+		tlsConfig.GetClientCertificate = func(_ *tls.CertificateRequestInfo) (*tls.Certificate, error) {
+			log.L(ctx).Debugf("Supplying client certificate")
+			return configuredCert, nil
+		}
+		tlsConfig.GetCertificate = func(_ *tls.ClientHelloInfo) (*tls.Certificate, error) {
+			log.L(ctx).Debugf("Supplying server certificate")
+			return configuredCert, nil
+		}
 	}
 
 	if tlsType == ServerType {