forks/molly-brown
1
0
Fork 0
Code Releases Activity

Ensure supplied TLS certificate is valid for configured hostname.

Browse source
This commit is contained in:
Solderpunk 2023-02-23 19:47:14 +01:00
parent d67f896b84
commit 800c181668
1 changed files with 32 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

32
launch.go
View file

@ -2,6 +2,9 @@ package main
import ( import (
"crypto/tls" "crypto/tls"
"crypto/x509"
"encoding/pem"
"io"
"log" "log"
"os" "os"
"os/signal" "os/signal"
@ -49,6 +52,35 @@ func launch(config Config, privInfo userInfo) int {
log.Println("Refusing to use world-readable TLS key file " + config.KeyPath) log.Println("Refusing to use world-readable TLS key file " + config.KeyPath)
return 1 return 1
} }
// Check certificate hostname matches server hostname
info, err = os.Stat(config.CertPath)
if err != nil {
log.Println("Error opening TLS certificate file: " + err.Error())
return 1
}
certFile, err := os.Open(config.CertPath)
if err != nil {
log.Println("Error opening TLS certificate file: " + err.Error())
return 1
}
certBytes, err := io.ReadAll(certFile)
if err != nil {
log.Println("Error reading TLS certificate file: " + err.Error())
return 1
}
certDer, _ := pem.Decode(certBytes)
if certDer == nil {
log.Println("Error decoding TLS certificate file: " + err.Error())
return 1
}
certx509, err := x509.ParseCertificate(certDer.Bytes)
err = certx509.VerifyHostname(config.Hostname)
if err != nil {
log.Println("Invalid TLS certificate: " + err.Error())
return 1
}
// Load certificate and private key
cert, err := tls.LoadX509KeyPair(config.CertPath, config.KeyPath) cert, err := tls.LoadX509KeyPair(config.CertPath, config.KeyPath)
if err != nil { if err != nil {
log.Println("Error loading TLS keypair: " + err.Error()) log.Println("Error loading TLS keypair: " + err.Error())