diff --git a/pkg/transport/listener.go b/pkg/transport/listener.go
index 7ce11a3fb..df9a895bb 100644
--- a/pkg/transport/listener.go
+++ b/pkg/transport/listener.go
@@ -438,7 +438,7 @@ func (info TLSInfo) ClientConfig() (*tls.Config, error) {
 if info.EmptyCN {
 hasNonEmptyCN := false
 cn := ""
- tlsutil.NewCert(info.CertFile, info.KeyFile, func(certPEMBlock []byte, keyPEMBlock []byte) (tls.Certificate, error) {
+ _, err := tlsutil.NewCert(info.CertFile, info.KeyFile, func(certPEMBlock []byte, keyPEMBlock []byte) (tls.Certificate, error) {
 var block *pem.Block
 block, _ = pem.Decode(certPEMBlock)
 cert, err := x509.ParseCertificate(block.Bytes)
@@ -451,6 +451,9 @@ func (info TLSInfo) ClientConfig() (*tls.Config, error) {
 }
 return tls.X509KeyPair(certPEMBlock, keyPEMBlock)
 })
+ if err != nil {
+ return nil, err
+ }
 if hasNonEmptyCN {
 return nil, fmt.Errorf("cert has non empty Common Name (%s): %s", cn, info.CertFile)
 }
diff --git a/pkg/transport/listener_test.go b/pkg/transport/listener_test.go
index dbded1946..a34d97055 100644
--- a/pkg/transport/listener_test.go
+++ b/pkg/transport/listener_test.go
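Review bot: In the callback shown in the first listener.go hunk, the result of `pem.Decode(certPEMBlock)` is dereferenced on the very next line as `block.Bytes` with no nil check, so a CertFile that holds no PEM block would panic inside ClientConfig instead of returning the error this commit now propagates. A guard directly after the decode closes that: `if block == nil { return tls.Certificate{}, fmt.Errorf("no PEM block found in %s", info.CertFile) }`. The callback body and ClientConfig both continue outside the hunk, but the decode and parse lines are adjacent here, so no check sits between them.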
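Review bot: The added `return nil, err` in the second listener.go hunk hands the NewCert error up unchanged, so a parse failure reaches the operator without saying it came from the EmptyCN check or which certificate was involved, unlike the `fmt.Errorf` a few lines below it. Consider `return nil, fmt.Errorf("checking Common Name of %s: %v", info.CertFile, err)`. Failing closed is the right behaviour: with the return value ignored, a certificate that could not be loaded left `hasNonEmptyCN` false and the CN restriction passed silently. ClientConfig's body extends beyond the hunk.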
@@ -292,14 +292,28 @@ func TestTLSInfoParseFuncError(t *testing.T) {
 }
 defer del()
- tlsinfo.parseFunc = fakeCertificateParserFunc(tls.Certificate{}, errors.New("fake"))
+ tests := []struct {
+ info TLSInfo
+ }{
+ {
+ info: *tlsinfo,
+ },
- if _, err = tlsinfo.ServerConfig(); err == nil {
- t.Errorf("expected non-nil error from ServerConfig()")
+ {
+ info: TLSInfo{CertFile: "", KeyFile: "", TrustedCAFile: tlsinfo.CertFile, EmptyCN: true},
+ },
 }
- if _, err = tlsinfo.ClientConfig(); err == nil {
- t.Errorf("expected non-nil error from ClientConfig()")
+ for i, tt := range tests {
+ tt.info.parseFunc = fakeCertificateParserFunc(tls.Certificate{}, errors.New("fake"))
+
+ if _, err = tt.info.ServerConfig(); err == nil {
+ t.Errorf("#%d: expected non-nil error from ServerConfig()", i)
+ }
+
+ if _, err = tt.info.ClientConfig(); err == nil {
+ t.Errorf("#%d: expected non-nil error from ClientConfig()", i)
+ }
 }
 }
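Review bot: The second table entry carries no comment saying which path it targets, and the loop only checks that `err` is non-nil, so it passes on any failure at all. Going by the listener.go change, the EmptyCN branch calls tlsutil.NewCert with its own closure, so the injected `parseFunc` fake is presumably not what fails for that entry; the error more likely comes from the empty CertFile. I would add a comment above the entry, for example `// EmptyCN with no cert/key: ClientConfig must return the NewCert error rather than skip the CN check`, and consider asserting the ClientConfig result for that case separately from ServerConfig. The test function starts before the hunk.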