net/http: don't always require certFile, keyFile in Server.ListenAndServerTLS

The ListenAndServerTLS function still requires the certFile and keyFile, but the Server.ListenAndServerTLS method doesn't need to require the certFile and keyFile if the Server.TLSConfig.Certificates are already populated. Fixes #8599 Change-Id: Id2e3433732f93e2619bfd78891f775d89f1d651e Reviewed-on: https://go-review.googlesource.com/11413Reviewed-by: Andrew Gerrand <adg@golang.org>

net/http: don't always require certFile, keyFile in Server.ListenAndServerTLS
The ListenAndServerTLS function still requires the certFile and keyFile, but the Server.ListenAndServerTLS method doesn't need to require the certFile and keyFile if the Server.TLSConfig.Certificates are already populated. Fixes #8599 Change-Id: Id2e3433732f93e2619bfd78891f775d89f1d651e Reviewed-on: https://go-review.googlesource.com/11413Reviewed-by: Andrew Gerrand <adg@golang.org>
f81f6d6e · Brad Fitzpatrick · 2917ab20 · f81f6d6e
Commit f81f6d6e authored Jun 24, 2015 by Brad Fitzpatrick
Hide whitespace changes
Inline Side-by-side

Showing with 13 additions and 10 deletions

src/net/http/server.go src/net/http/server.go +13 -10

No files found.
--- a/src/net/http/server.go
+++ b/src/net/http/server.go
@@ -1868,7 +1868,7 @@ func ListenAndServe(addr string, handler Handler) error {
 // expects HTTPS connections. Additionally, files containing a certificate and
 // matching private key for the server must be provided. If the certificate
 // is signed by a certificate authority, the certFile should be the concatenation
-// of the server's certificate followed by the CA's certificate.
+// of the server's certificate, any intermediates, and the CA's certificate.
 //
 // A trivial example server is:
 //
@@ -1900,10 +1900,11 @@ func ListenAndServeTLS(addr string, certFile string, keyFile string, handler Han
 // ListenAndServeTLS listens on the TCP network address srv.Addr and
 // then calls Serve to handle requests on incoming TLS connections.
 //
-// Filenames containing a certificate and matching private key for
-// the server must be provided. If the certificate is signed by a
-// certificate authority, the certFile should be the concatenation
-// of the server's certificate followed by the CA's certificate.
+// Filenames containing a certificate and matching private key for the
+// server must be provided if the Server's TLSConfig.Certificates is
+// not populated. If the certificate is signed by a certificate
+// authority, the certFile should be the concatenation of the server's
+// certificate, any intermediates, and the CA's certificate.
 //
 // If srv.Addr is blank, ":https" is used.
 func (srv *Server) ListenAndServeTLS(certFile, keyFile string) error {
@@ -1919,11 +1920,13 @@ func (srv *Server) ListenAndServeTLS(certFile, keyFile string) error {
 		config.NextProtos = []string{"http/1.1"}
 	}

-	var err error
-	config.Certificates = make([]tls.Certificate, 1)
-	config.Certificates[0], err = tls.LoadX509KeyPair(certFile, keyFile)
-	if err != nil {
-		return err
+	if len(config.Certificates) == 0 || certFile != "" || keyFile != "" {
+		var err error
+		config.Certificates = make([]tls.Certificate, 1)
+		config.Certificates[0], err = tls.LoadX509KeyPair(certFile, keyFile)
+		if err != nil {
+			return err
+		}
 	}

 	ln, err := net.Listen("tcp", addr)