Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

net/http: ListenAndServe difficult if certificates are not on disk #12117

Closed
abligh opened this issue Aug 11, 2015 · 2 comments
Closed

net/http: ListenAndServe difficult if certificates are not on disk #12117

abligh opened this issue Aug 11, 2015 · 2 comments
Labels
FrozenDueToAge

Comments

@abligh
Copy link

abligh commented Aug 11, 2015

server.ListenAndServe assumes the certificates are on disk. This is not always the case, for instance if the certificates are held encrypted in a database. In such a case it is undesirable to serialize the decrypted certificates to disk for obvious reasons.

It looks like it would be possible to work around this as follows:

server := &http.Server{
    Addr: listen,
    TLSConfig: tlsConfig,
    Handler: router,
}
server.ListenAndServeTLS("", ""))

where tlsConfig already has the certificates added to it. Unfortunately this does not work as ListenAndServerTLS unconditionally stomps over the Certificates member even when it is already provided within the supplied TLSConfig, and even if an empty string is passed.

The first thing I would suggest is that if the TLSConfig has a non-empty Certificates member, it is not overwritten.

To get around this it would be possible to simply copy/paste ListenAndServeTLS. Unfortunately, it uses the non-exported struct tcpKeepAliveListener, which is rather important for https connections using keep-alives. This thus needs to be copied too. This is a useful bit of code which could be exported from net rather than kept private here.

The second thing I would suggest is that tlsKepAliveListener is exported from net, and ListenAndServerTLS (and friends) use this exported class instead.
@bradfitz
Copy link
Contributor

I think this was already done in f81f6d6

Regardless, ListenAndServeTLS is not magic. It's a few lines of helper code and you're welcome and encouraged to adapt it as needed for specific scenarios.

@bradfitz bradfitz changed the title http server.ListenAndServe difficult if certificates are not on disk net/http: ListenAndServe difficult if certificates are not on disk Aug 11, 2015
@abligh
Copy link
Author

abligh commented Aug 11, 2015

@bradfitz thanks; I'd missed that (still on 1.4 here). It doesn't address the second point though in that it would still be useful to export tlsKeepAliveListener as it would make adaption of the existing code rather easier.

@golang golang locked and limited conversation to collaborators Aug 10, 2016
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FrozenDueToAge
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@bradfitz @abligh @gopherbot