修复客户端CA证书设置不起作用的Bug

This commit is contained in:
GoEdgeLab
2023-02-09 11:31:33 +08:00
parent f1d4087658
commit 3acd00befa
2 changed files with 14 additions and 0 deletions


@@ -35,6 +35,7 @@ type SSLCertConfig struct {
OCSPError string `yaml:"ocspError" json:"ocspError"`
cert *tls.Certificate
caCerts []*x509.Certificate
timeBegin time.Time
timeEnd time.Time
}
@@ -44,6 +45,8 @@ func (this *SSLCertConfig) Init() error {
var commonNames []string // 发行组织
var dnsNames []string // 域名
this.caCerts = []*x509.Certificate{}
// 分析证书
if this.IsCA { // CA证书
var data = this.CertData
@@ -68,6 +71,7 @@ func (this *SSLCertConfig) Init() error {
if c == nil {
return errors.New("no available certificates in file")
}
this.caCerts = append(this.caCerts, c)
for _, dnsName := range c.DNSNames {
if !lists.ContainsString(dnsNames, dnsName) {
@@ -141,6 +145,10 @@ func (this *SSLCertConfig) CertObject() *tls.Certificate {
return this.cert
}
func (this *SSLCertConfig) CACerts() []*x509.Certificate {
return this.caCerts
}
// TimeBegin 开始时间
func (this *SSLCertConfig) TimeBegin() time.Time {
return this.timeBegin
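Review bot: `CACerts()` in the last hunk hands out `this.caCerts` itself, so any caller that appends to or reorders the returned slice mutates the config's parsed trust anchors, and unlike the neighbouring `TimeBegin` the exported method carries no doc comment. Either return a copy, `return append([]*x509.Certificate(nil), this.caCerts...)`, or document the aliasing: `// CACerts returns the CA certificates collected by Init; the returned slice is shared and must not be modified by the caller.` The append in the @@ -68 hunk appears to sit inside the `if this.IsCA` branch opened in the previous hunk, so a config not flagged as CA will report no CA certificates even if its PEM data holds one; if that is intended it deserves a sentence in the same comment. Init's body begins before the @@ -44 hunk and ends after the @@ -68 hunk.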


@@ -71,6 +71,8 @@ func (this *SSLPolicy) Init() error {
}
// CA certs
this.clientCAPool = x509.NewCertPool()
for _, cert := range this.ClientCACerts {
err := cert.Init()
if err != nil {
@@ -80,6 +82,10 @@ func (this *SSLPolicy) Init() error {
for _, dnsName := range cert.DNSNames {
this.nameMapping[dnsName] = cert.CertObject()
}
for _, caCert := range cert.CACerts() {
this.clientCAPool.AddCert(caCert)
}
}
// min version
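Review bot: After the loop in the second hunk nothing checks that `clientCAPool` actually received a certificate, so a `ClientCACerts` entry whose `CACerts()` comes back empty (per the sibling file that seems to be the case whenever the entry is not flagged as a CA) leaves an empty pool, and the misconfiguration surfaces only later as handshake failures, or not at all, depending on how the pool is wired into the TLS config outside this hunk. Counting the certificates added and failing `Init` when configured entries contributed none makes the bug this commit fixes impossible to reintroduce silently. Init begins and ends outside the hunks and the loop over `ClientCACerts` is cut between them; the check below assumes an error constructor such as `errors.New` or `fmt.Errorf` is already imported in this file.
```go
	var caCertCount int
	for _, cert := range this.ClientCACerts {
		// … unchanged: cert.Init(), its error handling, nameMapping fill …
		for _, caCert := range cert.CACerts() {
			this.clientCAPool.AddCert(caCert)
			caCertCount++
		}
	}
	if len(this.ClientCACerts) > 0 && caCertCount == 0 {
		return errors.New("client CA config contains no usable CA certificates")
	}
```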