Fixed crash on unknown cert

2023-05-23 12:15:06 +02:00 · 2023-05-23 12:15:06 +02:00 · f7107de96b
commit f7107de96b
parent 08b35f6b21
2 changed files with 17 additions and 8 deletions
--- a/src/domain/acme/store.rs
+++ b/src/domain/acme/store.rs
@ -197,7 +197,10 @@ impl rustls::server::ResolvesServerCert for BoxedFSStore {
        let domain = client_hello.server_name()?;

        match self.get_certificate(domain) {
-            Err(GetCertificateError::NotFound) => Ok(None),
+            Err(GetCertificateError::NotFound) => {
+                println!("No cert found for domain {domain}");
+                Ok(None)
+            }
            Err(GetCertificateError::Unexpected(err)) => Err(err),
            Ok((key, cert)) => {
                match rustls::sign::any_supported_type(&key.into()).map_unexpected() {
--- a/src/main.rs
+++ b/src/main.rs
@ -9,9 +9,8 @@ use tokio::time;

 use std::convert::Infallible;
 use std::net::SocketAddr;
-use std::path;
 use std::str::FromStr;
-use std::sync;
+use std::{future, path, sync};

 use domiply::domain::acme::manager::Manager as AcmeManager;
 use domiply::domain::manager::Manager;
@ -298,10 +297,7 @@ async fn main() {
                let canceller = canceller.clone();
                let server_config: tokio_rustls::TlsAcceptor = sync::Arc::new(
                    rustls::server::ServerConfig::builder()
-                        .with_safe_default_cipher_suites()
-                        .with_safe_default_kx_groups()
-                        .with_safe_default_protocol_versions()
-                        .unwrap()
+                        .with_safe_defaults()
                        .with_no_client_auth()
                        .with_cert_resolver(sync::Arc::from(https_params.domain_acme_store)),
                )
@ -311,7 +307,17 @@ async fn main() {
                let addr_incoming = hyper::server::conn::AddrIncoming::bind(&addr)
                    .expect("https listen socket created");

-                let incoming = tls_listener::TlsListener::new(server_config, addr_incoming);
+                let incoming =
+                    tls_listener::TlsListener::new(server_config, addr_incoming).filter(|conn| {
+                        if let Err(err) = conn {
+                            println!("Error accepting TLS connection: {:?}", err);
+                            future::ready(false)
+                        } else {
+                            future::ready(true)
+                        }
+                    });
+
+                let incoming = hyper::server::accept::from_stream(incoming);

                println!(
                    "Listening on https://{}:{}",