search

golang / go

The Go programming language
https://go.dev
BSD 3-Clause "New" or "Revised" License
122.7k stars 17.5k forks source link

net/http/httptest: Server does not check GetCertificate #63812

Open mitar opened 10 months ago

mitar commented 10 months ago

What version of Go are you using (go version)?

go version go1.21.3 linux/amd64

Does this issue reproduce with the latest release?

Yes.

What operating system and processor architecture are you using (go env)?

go env Output
$ go env
GO111MODULE=''
GOARCH='amd64'
GOBIN=''
GOCACHE='/home/mitar/.cache/go-build'
GOENV='/home/mitar/.config/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='amd64'
GOHOSTOS='linux'
GOINSECURE=''
GOMODCACHE='/home/mitar/.go/pkg/mod'
GONOPROXY=''
GONOSUMDB=''
GOOS='linux'
GOPATH='/home/mitar/.go'
GOPRIVATE=''
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/usr/local/go'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/usr/local/go/pkg/tool/linux_amd64'
GOVCS=''
GOVERSION='go1.21.3'
GCCGO='/usr/bin/gccgo'
GOAMD64='v1'
AR='ar'
CC='gcc'
CXX='g++'
CGO_ENABLED='1'
GOMOD='/dev/null'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -m64 -pthread -Wl,--no-gc-sections -fmessage-length=0 -ffile-prefix-map=/tmp/go-build488527063=/tmp/go-build -gno-record-gcc-switches'

What did you do?

I am trying to test a http.Server instance with httptest's Server:

    ts := httptest.NewUnstartedServer(nil)
    ts.EnableHTTP2 = true
    ts.Config = server
    ts.Config.Handler = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
        w.WriteHeader(http.StatusOK)
    })
    ts.TLS = server.TLSConfig.Clone()
    ts.StartTLS()

I want to check that server's TLS configuration works. Server's TLS configuration uses GetCertificate

What did you expect to see?

That once I call StartTLS is called, GetCertificate is called to obtain the certificate to configure the testing server and testing client.

What did you see instead?

StartTLS ignores and never calls GetCertificate but instead configures testing server and testing client to use testing certificate.

Discussion

I can call something like:


    cert, _ := ts.TLS.GetCertificate(nil) // or some other relevant ClientHelloInfo for 127.0.0.1
    ts.TLS.Certificates = []tls.Certificate{*cert}

before calling StartTLS. But ideally that should be called by StartTLS. This is documented in tls.Config:

    // Server configurations must set one of Certificates, GetCertificate or
    // GetConfigForClient.

Currently only Certificates is checked, but GetCertificate or GetConfigForClient are ignored.

My motivation is to do a test with golang.org/x/crypto/acme/autocert serving as manager against Pebble to test that http.Server's configuration and everything works correctly.

rittneje commented 10 months ago

The source of the issue is here: https://github.com/golang/go/blob/883f062fc0a097bf561030ad453fd3e300896975/src/net/http/httptest/server.go#L167-L169

I guess it could also check if s.TLS.GetCertificate == nil. But then I don't know what the Certificate method is supposed to return in that case.

I'll also note that this behavior of httptest.Server seems to be completely undocumented.

mitar commented 10 months ago

I thnk GetCertificate should be called with 127.0.0.1 (or more precisely s.Listener.Addr()) as a parameter. That is what it gets set in s.URL. That can then be stored in s.certificate.

rittneje commented 10 months ago

GetCertificate takes an entire ClientHelloInfo, not just a hostname.

mitar commented 10 months ago

@rittneje, yes, I know. What I mean that it should be a dummy ClientHelloInfo with s.Listener.Addr().