
Commit 2d2f417

authored
advancedTLS: unset a deprecated field after copying it (#7239)
1 parent 2174ea6 commit 2d2f417


2 files changed

+22
-0
lines changed

2 files changed

+22
-0
lines changed

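--- a/security/advancedtls/advancedtls.go
+++ b/security/advancedtls/advancedtls.go
@@ -315,6 +315,9 @@ func (o *Options) clientConfig() (*tls.Config, error) {
 // the setting int the right place.
 if o.RootOptions.RootCACerts != nil {
 o.RootOptions.RootCertificates = o.RootOptions.RootCACerts
+// There are additional checks that only 1 field of `RootOptions` is
+// non-nil, so set the deprecated field to nil
+o.RootOptions.RootCACerts = nil
 }
 if o.VerificationType == SkipVerification && o.AdditionalPeerVerification == nil {
 return nil, fmt.Errorf("client needs to provide custom verification mechanism if choose to skip default verification")
@@ -425,6 +428,9 @@ func (o *Options) serverConfig() (*tls.Config, error) {
 // the setting int the right place.
 if o.RootOptions.RootCACerts != nil {
 o.RootOptions.RootCertificates = o.RootOptions.RootCACerts
+// There are additional checks that only 1 field of `RootOptions` is
+// non-nil, so set the deprecated field to nil
+o.RootOptions.RootCACerts = nil
 }
 if o.RequireClientCert && o.VerificationType == SkipVerification && o.AdditionalPeerVerification == nil {
 return nil, fmt.Errorf("server needs to provide custom verification mechanism if choose to skip default verification, but require client certificate(s)")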
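Review bot: A caller who sets both `RootCACerts` and `RootCertificates` now has the conflict resolved silently in favour of the deprecated pool: in `clientConfig()` the copy overwrites `RootCertificates`, and the added `o.RootOptions.RootCACerts = nil` then clears the only remaining sign that two trust-anchor sets were supplied. The "only 1 field" check named in the added comment lies outside the hunk, so whether it ever saw this case is inferred, but after this change it cannot. Rejecting the ambiguous input before the copy keeps the misconfiguration visible, e.g. `if o.RootOptions.RootCertificates != nil { return nil, fmt.Errorf("RootCACerts and RootCertificates are both set") }` as the first statement inside the `if o.RootOptions.RootCACerts != nil` block. The identical lines in the `serverConfig()` hunk need the same guard. Both functions begin before and continue past their hunks, and since they now clear a field on the caller's `Options`, that side effect deserves a sentence in each method's comment.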

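--- a/security/advancedtls/advancedtls_test.go
+++ b/security/advancedtls/advancedtls_test.go
@@ -188,6 +188,13 @@ func (s) TestClientOptionsConfigSuccessCases(t *testing.T) {
 MinVersion: tls.VersionTLS12,
 MaxVersion: tls.VersionTLS13,
 },
+{
+desc: "Deprecated option is set and forwarded",
+clientVerificationType: CertVerification,
+RootOptions: RootCertificateOptions{
+RootCACerts: x509.NewCertPool(),
+},
+},
 }
 for _, test := range tests {
 test := test
@@ -351,6 +358,15 @@ func (s) TestServerOptionsConfigSuccessCases(t *testing.T) {
 MinVersion: tls.VersionTLS12,
 MaxVersion: tls.VersionTLS13,
 },
+{
+desc: "Deprecated option is set and forwarded",
+IdentityOptions: IdentityCertificateOptions{
+Certificates: []tls.Certificate{},
+},
+RootOptions: RootCertificateOptions{
+RootCACerts: x509.NewCertPool(),
+},
+},
 }
 for _, test := range tests {
 test := test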
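Review bot: The new cases are described as "Deprecated option is set and forwarded", but nothing visible in either hunk asserts the forwarding. They sit in the success-case tables, whose loop bodies are outside the hunks and presumably only check that no error is returned. An empty `x509.NewCertPool()` also cannot distinguish a forwarded pool from a freshly created one. Consider keeping the pool in a variable and comparing it with the roots on the resulting config, along the lines of `if cfg.RootCAs != pool { t.Fatalf("deprecated RootCACerts was not forwarded") }`, where `cfg` and `pool` are placeholder names for the returned config and the pool set in the case. Checking that `RootCACerts` is nil afterwards would cover the changed line directly, and a failure case with both `RootCACerts` and `RootCertificates` set would pin down how that conflict is handled.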
