From f7107de96b26fa3e9b4ac1607300ed6fd196dca2 Mon Sep 17 00:00:00 2001
From: Brian Picciano
Date: Tue, 23 May 2023 12:15:06 +0200
Subject: [PATCH] Fixed crash on unknown cert

---
 src/domain/acme/store.rs |  5 ++++-
 src/main.rs              | 20 +++++++++++++-------
 2 files changed, 17 insertions(+), 8 deletions(-)

diff --git a/src/domain/acme/store.rs b/src/domain/acme/store.rs
index 1f4097c..b975347 100644
--- a/src/domain/acme/store.rs
+++ b/src/domain/acme/store.rs
@@ -197,7 +197,10 @@ impl rustls::server::ResolvesServerCert for BoxedFSStore {
         let domain = client_hello.server_name()?;
 
         match self.get_certificate(domain) {
-            Err(GetCertificateError::NotFound) => Ok(None),
+            Err(GetCertificateError::NotFound) => {
+                println!("No cert found for domain {domain}");
+                Ok(None)
+            }
             Err(GetCertificateError::Unexpected(err)) => Err(err),
             Ok((key, cert)) => {
                 match rustls::sign::any_supported_type(&key.into()).map_unexpected() {
diff --git a/src/main.rs b/src/main.rs
index a6734b9..58a5bef 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -9,9 +9,8 @@ use tokio::time;
 
 use std::convert::Infallible;
 use std::net::SocketAddr;
-use std::path;
 use std::str::FromStr;
-use std::sync;
+use std::{future, path, sync};
 
 use domiply::domain::acme::manager::Manager as AcmeManager;
 use domiply::domain::manager::Manager;
@@ -298,10 +297,7 @@ async fn main() {
         let canceller = canceller.clone();
         let server_config: tokio_rustls::TlsAcceptor = sync::Arc::new(
             rustls::server::ServerConfig::builder()
-                .with_safe_default_cipher_suites()
-                .with_safe_default_kx_groups()
-                .with_safe_default_protocol_versions()
-                .unwrap()
+                .with_safe_defaults()
                 .with_no_client_auth()
                 .with_cert_resolver(sync::Arc::from(https_params.domain_acme_store)),
         )
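Review bot: The new `println!` in the `NotFound` arm writes a value chosen by an unauthenticated remote peer — `domain` is the client's SNI from `client_hello.server_name()` — once per handshake for any unknown name, with no throttling, so a single client can fill stdout at line rate simply by cycling names. As far as I know rustls only surfaces a syntactically valid DNS name here, so the text itself is constrained, but the volume is not; prefer `eprintln!` or the crate's logger at debug level and add `// SNI is peer-chosen; keep this log cheap and non-spammy`. Note also that `println!` panics if stdout cannot be written (for example a closed pipe), which would reintroduce a crash on exactly the resolver path this commit is hardening. The enclosing `ResolvesServerCert` method continues outside the hunk.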
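Review bot: `.with_safe_defaults()` replaces an explicit cipher-suite, key-exchange and protocol-version selection with whatever the linked rustls release deems safe, so a future crate bump can change the accepted TLS versions and suites with no diff at this call site; that is usually the intended trade-off, but it deserves a one-line comment such as `// TLS versions/suites track rustls's safe defaults; re-check on rustls upgrades`. The dropped `.unwrap()` appears to go away because the combined builder step is infallible, so no error path is silently lost. `main()` starts and ends outside the hunk.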
@@ -311,7 +307,17 @@ async fn main() {
         let addr_incoming = hyper::server::conn::AddrIncoming::bind(&addr)
             .expect("https listen socket created");
-        let incoming = tls_listener::TlsListener::new(server_config, addr_incoming);
+        let incoming =
+            tls_listener::TlsListener::new(server_config, addr_incoming).filter(|conn| {
+                if let Err(err) = conn {
+                    println!("Error accepting TLS connection: {:?}", err);
+                    future::ready(false)
+                } else {
+                    future::ready(true)
+                }
+            });
+
+        let incoming = hyper::server::accept::from_stream(incoming);
 
         println!(
             "Listening on https://{}:{}",