Use non-nil certificate in GetClientCertificate

The docs for `GetClientCertificate` specifies: GetClientCertificate must return a non-nil Certificate. If Certificate.Certificate is empty then no certificate will be sent to the server. If a nil certificate is sent when the server requests a client certificate, the client will return an error. Instead, return an empty certificate from GetClientCertificate and the server may choose to how to handle the lack of a client certificate. This is needed primarily for when the server is using RequestClientCert, which requests a certificate, but does not require the client to send one. Signed-off-by: Chance Zibolski <chance.zibolski@gmail.com>
cilium · Jul 13, 2023 · 1e08c17 · 1e08c17
1 parent 767f7f2
commit 1e08c17
Showing 1 changed file with 5 additions and 4 deletions.
diff --git a/cmd/common/conn/tls.go b/cmd/common/conn/tls.go
@@ -59,11 +59,12 @@ func grpcOptionTLS(vp *viper.Viper) (grpc.DialOption, error) {
 			return nil, err
 		}
 		cert = &c
+	} else {
+		// GetClientCertificate must return an non-nil certificate
+		cert = &tls.Certificate{}
 	}
-	if cert != nil {
-		tlsConfig.GetClientCertificate = func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
-			return cert, nil
-		}
+	tlsConfig.GetClientCertificate = func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
+		return cert, nil
 	}
 
 	creds := credentials.NewTLS(&tlsConfig)