|
@@ -8,6 +8,7 @@ package irc
|
8
|
8
|
import (
|
9
|
9
|
"bytes"
|
10
|
10
|
"crypto/tls"
|
|
11
|
+ "crypto/x509"
|
11
|
12
|
"errors"
|
12
|
13
|
"fmt"
|
13
|
14
|
"io"
|
|
@@ -846,7 +847,7 @@ func (conf *Config) Operators(oc map[string]*OperClass) (map[string]*Oper, error
|
846
|
847
|
}
|
847
|
848
|
|
848
|
849
|
func loadTlsConfig(config TLSListenConfig, webSocket bool) (tlsConfig *tls.Config, err error) {
|
849
|
|
- cert, err := tls.LoadX509KeyPair(config.Cert, config.Key)
|
|
850
|
+ cert, err := loadCertWithLeaf(config.Cert, config.Key)
|
850
|
851
|
if err != nil {
|
851
|
852
|
return nil, &CertKeyError{Err: err}
|
852
|
853
|
}
|
|
@@ -865,6 +866,20 @@ func loadTlsConfig(config TLSListenConfig, webSocket bool) (tlsConfig *tls.Confi
|
865
|
866
|
return &result, nil
|
866
|
867
|
}
|
867
|
868
|
|
|
869
|
+func loadCertWithLeaf(certFile, keyFile string) (cert tls.Certificate, err error) {
|
|
870
|
+ // LoadX509KeyPair: "On successful return, Certificate.Leaf will be nil because
|
|
871
|
+ // the parsed form of the certificate is not retained." tls.Config:
|
|
872
|
+ // "Note: if there are multiple Certificates, and they don't have the
|
|
873
|
+ // optional field Leaf set, certificate selection will incur a significant
|
|
874
|
+ // per-handshake performance cost."
|
|
875
|
+ cert, err = tls.LoadX509KeyPair(certFile, keyFile)
|
|
876
|
+ if err != nil {
|
|
877
|
+ return
|
|
878
|
+ }
|
|
879
|
+ cert.Leaf, err = x509.ParseCertificate(cert.Certificate[0])
|
|
880
|
+ return
|
|
881
|
+}
|
|
882
|
+
|
868
|
883
|
// prepareListeners populates Config.Server.trueListeners
|
869
|
884
|
func (conf *Config) prepareListeners() (err error) {
|
870
|
885
|
if len(conf.Server.Listeners) == 0 {
|
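Review bot: In `loadCertWithLeaf`, when `x509.ParseCertificate` fails, the naked `return` hands back a `cert` that already holds the loaded key pair together with a non-nil `err`. `loadTlsConfig` checks `err` before using `cert`, so this is harmless in the visible caller, but ending the function with `if err != nil { return tls.Certificate{}, err }` followed by `return cert, nil` would stop a future caller from using a half-initialised certificate by mistake. The index `cert.Certificate[0]` is safe only because `tls.LoadX509KeyPair` succeeds only when at least one certificate was parsed, which deserves a short comment such as `// LoadX509KeyPair succeeded, so Certificate[0] exists and is the leaf`. The helper also has no doc comment of its own; the quoted rationale inside the body could move above the signature as `// loadCertWithLeaf loads a key pair and populates Certificate.Leaf ...`.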