
certloader: Correctly support RequestClientCert in WatchedClientConfig #26812

Merged (1 commit) on Jul 18, 2023

Commits on Jul 14, 2023

  1. certloader: Correctly support RequestClientCert in WatchedClientConfig

    Only configure GetClientCertificate if client keypair is configured,
    allowing servers to Request ClientCertificates without requiring them.
    
    In docs for `GetClientCertificate` it specifies:
    
    >  GetClientCertificate must return a non-nil Certificate. If
    >  Certificate.Certificate is empty then no certificate will be sent to the
    >  server.
    
    If a nil certificate is sent when the server requests a client
    certificate, the client will return an error. Instead, only configure
    GetClientCertificate if certificates are provided and the server may
    choose how to handle the lack of a client certificate.
    
    This is needed primarily for when the server is using RequestClientCert,
    which requests a certificate, but does not require the client to send
    one.
    
    Previously, you would see this log message:
    
    ```
    transport: authentication handshake failed: mTLS client certificate requested, but not provided
    ```
    
    Now, if a server requires a client certificate it should reject the TLS
    connection and the client will receive the error from the server.
    
    Signed-off-by: Chance Zibolski <chance.zibolski@gmail.com>
    chancez committed Jul 14, 2023 (commit 2d4e4d9)
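The commit message above describes a client-side behaviour of Go's `crypto/tls` that is easy to get wrong: once `GetClientCertificate` is installed, the callback runs whenever the server sends a CertificateRequest, so a callback that fails when no keypair is loaded aborts the handshake even against a server that merely *requests* a certificate (`tls.RequestClientCert`). The program below is an added example, not code from this PR or from the project; it contrasts a reconstructed pre-fix shape (`oldClientConfig`, my hypothetical reading of the old log line, not the project's actual code) with the pattern the commit describes (`newClientConfig`: set the callback only when a keypair exists) by running real handshakes over a loopback TCP socket against servers configured with `RequestClientCert` and `RequireAndVerifyClientCert`. The certificates are self-signed test material generated in memory; `selfSigned`, `serverConfig`, `handshake` and `RunScenarios` are helper names of my own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// selfSigned builds an in-memory self-signed certificate (constructed test
// material, not a real identity) with the given extended key usage, and a
// pool that trusts it. The SAN is set to name so ServerName checks pass.
func selfSigned(name string, eku x509.ExtKeyUsage) (tls.Certificate, *x509.CertPool) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{eku},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool
}

// oldClientConfig is a hypothetical reconstruction of the pre-fix shape: the
// callback is always installed and fails when no keypair was configured.
func oldClientConfig(keypair *tls.Certificate, roots *x509.CertPool) *tls.Config {
	return &tls.Config{RootCAs: roots, ServerName: "server",
		GetClientCertificate: func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
			if keypair == nil {
				return nil, errors.New("mTLS client certificate requested, but not provided")
			}
			return keypair, nil
		}}
}

// newClientConfig follows the commit: GetClientCertificate is set only when a
// keypair exists. Otherwise crypto/tls answers a CertificateRequest with an
// empty Certificate message and the server's ClientAuth policy decides.
func newClientConfig(keypair *tls.Certificate, roots *x509.CertPool) *tls.Config {
	cfg := &tls.Config{RootCAs: roots, ServerName: "server"}
	if keypair != nil {
		cfg.GetClientCertificate = func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
			return keypair, nil
		}
	}
	return cfg
}

func serverConfig(cert tls.Certificate, auth tls.ClientAuthType, clientCAs *x509.CertPool) *tls.Config {
	return &tls.Config{Certificates: []tls.Certificate{cert}, ClientAuth: auth, ClientCAs: clientCAs}
}

// handshake runs one TLS handshake over loopback TCP and returns the error
// seen by each side. A TLS 1.3 client finishes before the server has judged
// its (possibly empty) certificate, so the client reads two bytes afterwards:
// either the server's "ok" payload or the alert it sent instead.
func handshake(serverCfg, clientCfg *tls.Config) (clientErr, serverErr error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err, err
	}
	defer ln.Close()
	done := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err != nil {
			done <- err
			return
		}
		defer raw.Close()
		raw.SetDeadline(time.Now().Add(5 * time.Second))
		srv := tls.Server(raw, serverCfg)
		if err := srv.Handshake(); err != nil {
			done <- err
			return
		}
		_, err = srv.Write([]byte("ok"))
		done <- err
	}()
	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		return err, err
	}
	defer raw.Close()
	raw.SetDeadline(time.Now().Add(5 * time.Second))
	cl := tls.Client(raw, clientCfg)
	if clientErr = cl.Handshake(); clientErr == nil {
		_, clientErr = io.ReadFull(cl, make([]byte, 2))
	}
	return clientErr, <-done
}

// Result records whether each scenario succeeded on both sides.
type Result struct{ OldNoKeyRequest, NewNoKeyRequest, NewNoKeyRequire, NewKeyRequire bool }

func RunScenarios() Result {
	srvCert, srvPool := selfSigned("server", x509.ExtKeyUsageServerAuth)
	cliCert, cliPool := selfSigned("client", x509.ExtKeyUsageClientAuth)
	request := serverConfig(srvCert, tls.RequestClientCert, cliPool)
	require := serverConfig(srvCert, tls.RequireAndVerifyClientCert, cliPool)
	ok := func(s, c *tls.Config) bool { ce, se := handshake(s, c); return ce == nil && se == nil }
	return Result{
		OldNoKeyRequest: ok(request, oldClientConfig(nil, srvPool)),      // client aborts with the old log line
		NewNoKeyRequest: ok(request, newClientConfig(nil, srvPool)),      // server only requested; handshake completes
		NewNoKeyRequire: ok(require, newClientConfig(nil, srvPool)),      // server rejects; client sees the server's error
		NewKeyRequire:   ok(require, newClientConfig(&cliCert, srvPool)), // mTLS with the configured keypair
	}
}

func main() { fmt.Printf("%+v\n", RunScenarios()) }
```

The third scenario is the one the commit message calls out as the desired end state: with the callback absent and no keypair, the client no longer fails locally; a server that truly requires a certificate rejects the connection itself, and the client receives that server-side error instead of the misleading local one.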