GuanM/hysteria
1
0
Fork 0
mirror of https://github.com/cedar2025/hysteria.git synced 2025-09-11 10:54:33 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

fix: check if cert-key is loadable on server start

Browse Source 
close: #1040
This commit is contained in:
Haruue
2024-04-15 19:31:23 +08:00
parent 234dc4508b
commit 9752347073
1 changed files with 14 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
app/cmd/server.go
View File

@@ -10,6 +10,7 @@ import (
"net/http" "net/http"
"net/http/httputil" "net/http/httputil"
"net/url" "net/url"
"os"
"strconv" "strconv"
"strings" "strings"
"time" "time"
@@ -254,6 +255,19 @@ func (c *serverConfig) fillTLSConfig(hyConfig *server.Config) error {
if c.TLS.Cert == "" || c.TLS.Key == "" { if c.TLS.Cert == "" || c.TLS.Key == "" {
return configError{Field: "tls", Err: errors.New("empty cert or key path")} return configError{Field: "tls", Err: errors.New("empty cert or key path")}
} }
// Load cert-key pair here for early error reporting (especially permission denied)
certPEMBlock, err := os.ReadFile(c.TLS.Cert)
if err != nil {
return configError{Field: "tls.cert", Err: err}
}
keyPEMBlock, err := os.ReadFile(c.TLS.Key)
if err != nil {
return configError{Field: "tls.key", Err: err}
}
_, err = tls.X509KeyPair(certPEMBlock, keyPEMBlock)
if err != nil {
return configError{Field: "tls", Err: fmt.Errorf("invalid cert-key pair: %w", err)}
}
// Use GetCertificate instead of Certificates so that // Use GetCertificate instead of Certificates so that
// users can update the cert without restarting the server. // users can update the cert without restarting the server.
hyConfig.TLSConfig.GetCertificate = func(info *tls.ClientHelloInfo) (*tls.Certificate, error) { hyConfig.TLSConfig.GetCertificate = func(info *tls.ClientHelloInfo) (*tls.Certificate, error) {