|
@@ -743,14 +743,22 @@ func (conf *Config) Operators(oc map[string]*OperClass) (map[string]*Oper, error
|
743
|
743
|
return operators, nil
|
744
|
744
|
}
|
745
|
745
|
|
746
|
|
-func loadTlsConfig(config TLSListenConfig) (tlsConfig *tls.Config, err error) {
|
|
746
|
+func loadTlsConfig(config TLSListenConfig, webSocket bool) (tlsConfig *tls.Config, err error) {
|
747
|
747
|
cert, err := tls.LoadX509KeyPair(config.Cert, config.Key)
|
748
|
748
|
if err != nil {
|
749
|
749
|
return nil, ErrInvalidCertKeyPair
|
750
|
750
|
}
|
|
751
|
+ clientAuth := tls.RequestClientCert
|
|
752
|
+ if webSocket {
|
|
753
|
+ // if Chrome receives a server request for a client certificate
|
|
754
|
+ // on a websocket connection, it will immediately disconnect:
|
|
755
|
+ // https://bugs.chromium.org/p/chromium/issues/detail?id=329884
|
|
756
|
+ // work around this behavior:
|
|
757
|
+ clientAuth = tls.NoClientCert
|
|
758
|
+ }
|
751
|
759
|
result := tls.Config{
|
752
|
760
|
Certificates: []tls.Certificate{cert},
|
753
|
|
- ClientAuth: tls.RequestClientCert,
|
|
761
|
+ ClientAuth: clientAuth,
|
754
|
762
|
}
|
755
|
763
|
return &result, nil
|
756
|
764
|
}
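Review bot: The new comment above `clientAuth = tls.NoClientCert` explains the Chrome bug but not the operational consequence: with NoClientCert the server never asks for a certificate, so no peer certificate is available on a WebSocket listener and any authentication or identification that depends on a presented client certificate cannot work there. That is a non-obvious trade-off operators will hit, so I would extend the comment with something like `// consequence: client-certificate based authentication is unavailable on WebSocket listeners`, and mention the same limitation in the listener documentation for the `WebSocket` option (the call site in prepareListeners, next hunk, is where the flag is chosen). A minor style point: the switch on `webSocket` could be expressed directly at the struct literal, but the named variable with the comment block reads fine as is. Unrelated to this change but visible in the same literal, `tls.Config` still sets no `MinVersion`, so the listener keeps the library's server-side default; if TLS 1.0/1.1 are not wanted on these listeners, `MinVersion: tls.VersionTLS12,` would be the place to say so.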
|
|
@@ -771,7 +779,7 @@ func (conf *Config) prepareListeners() (err error) {
|
771
|
779
|
return fmt.Errorf("%s is configured as a STS-only listener, but STS is disabled", addr)
|
772
|
780
|
}
|
773
|
781
|
if block.TLS.Cert != "" {
|
774
|
|
- tlsConfig, err := loadTlsConfig(block.TLS)
|
|
782
|
+ tlsConfig, err := loadTlsConfig(block.TLS, block.WebSocket)
|
775
|
783
|
if err != nil {
|
776
|
784
|
return err
|
777
|
785
|
}
|