server.ListenAndServe assumes the certificates are on disk. This is not always the case, for instance if the certificates are held encrypted in a database. In such a case it is undesirable to serialize the decrypted certificates to disk for obvious reasons.
It looks like it would be possible to work around this as follows:
where tlsConfig already has the certificates added to it. Unfortunately this does not work as ListenAndServeTLS unconditionally stomps over the Certificates member even when it is already provided within the supplied TLSConfig, and even if an empty string is passed.
The first thing I would suggest is that if the TLSConfig has a non-empty Certificates member, it is not overwritten.
To get around this it would be possible to simply copy/paste ListenAndServeTLS. Unfortunately, it uses the non-exported struct tcpKeepAliveListener, which is rather important for https connections using keep-alives. This thus needs to be copied too. This is a useful bit of code which could be exported from net rather than kept private here.
The second thing I would suggest is that tcpKeepAliveListener is exported from net, and ListenAndServeTLS (and friends) use this exported class instead.
Regardless, ListenAndServeTLS is not magic. It's a few lines of helper code and you're welcome and encouraged to adapt it as needed for specific scenarios.
bradfitz changed the title from "http server.ListenAndServe difficult if certificates are not on disk" to "net/http: ListenAndServe difficult if certificates are not on disk" on Aug 11, 2015
@bradfitz thanks; I'd missed that (still on 1.4 here). It doesn't address the second point though, in that it would still be useful to export tcpKeepAliveListener as it would make adaptation of the existing code rather easier.
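Putting the two sides of the thread together, the following is an added example (not code from the issue, its participants, or the Go standard library) of the adaptation bradfitz describes: an HTTPS server whose certificate and key exist only in memory, with a hand-written stand-in for the unexported tcpKeepAliveListener. The certificate is generated in-process purely to stand in for one decrypted from a database, and keepAliveListener, inMemoryCert, serveTLSFromMemory and roundTrip are names chosen for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"io"
	"math/big"
	"net"
	"net/http"
	"time"
)

// keepAliveListener re-implements what net/http's unexported tcpKeepAliveListener
// did: enable TCP keep-alives on each accepted connection so dead HTTPS peers
// are eventually detected and torn down. Example code, not the stdlib type.
type keepAliveListener struct{ *net.TCPListener }

func (ln keepAliveListener) Accept() (net.Conn, error) {
	tc, err := ln.AcceptTCP()
	if err != nil {
		return nil, err
	}
	tc.SetKeepAlive(true)
	tc.SetKeepAlivePeriod(3 * time.Minute)
	return tc, nil
}

// inMemoryCert generates a self-signed certificate in process. It stands in for
// a certificate decrypted from a database; nothing here is ever written to disk.
func inMemoryCert() (tls.Certificate, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "in-memory example"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")}, // SAN the client will verify
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}, nil
}

// serveTLSFromMemory is the hand-rolled ListenAndServeTLS: it takes no
// certFile/keyFile and uses whatever srv.TLSConfig already carries.
func serveTLSFromMemory(srv *http.Server, addr string) (net.Addr, error) {
	ln, err := net.Listen("tcp", addr)
	if err != nil {
		return nil, err
	}
	tlsLn := tls.NewListener(keepAliveListener{ln.(*net.TCPListener)}, srv.TLSConfig)
	go srv.Serve(tlsLn)
	return ln.Addr(), nil
}

// roundTrip brings the server up on a random loopback port, performs one HTTPS
// GET that trusts only the in-memory certificate, and returns the response body.
func roundTrip() (string, error) {
	cert, err := inMemoryCert()
	if err != nil {
		return "", err
	}
	srv := &http.Server{
		Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			io.WriteString(w, "hello from memory-backed TLS")
		}),
		TLSConfig: &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12},
	}
	addr, err := serveTLSFromMemory(srv, "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	defer srv.Close()
	pool := x509.NewCertPool()
	pool.AddCert(cert.Leaf) // trust exactly this certificate, nothing from the system store
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool}}}
	resp, err := client.Get("https://" + addr.String() + "/")
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}
```

Two caveats for anyone reusing this on a current toolchain: since Go 1.9, Server.ServeTLS and ListenAndServeTLS accept empty certFile/keyFile when TLSConfig.Certificates or TLSConfig.GetCertificate is populated, so the copy/paste is no longer needed there; and since Go 1.13, net.Listen enables TCP keep-alives by default, so the wrapper above matters only on the older releases this thread is about.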