*: fix TLS cases (#128)

pingcap · Nov 2, 2022 · 73255cd · 73255cd
1 parent b8de341
commit 73255cd
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 3 deletions.
diff --git a/pkg/manager/cert/cert_info.go b/pkg/manager/cert/cert_info.go
@@ -26,6 +26,8 @@ import (
 	"go.uber.org/zap"
 )
 
+var emptyCert = new(tls.Certificate)
+
 // Security configurations don't support dynamically updating now.
 type certInfo struct {
 	cfg         config.TLSConfig
@@ -124,7 +126,12 @@ func (ci *certInfo) customizeTLSConfig(tlsConfig *tls.Config) *tls.Config {
 		}
 	} else {
 		tlsConfig.GetClientCertificate = func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
-			return ci.getCertificate(), nil
+			cert := ci.getCertificate()
+			if cert == nil {
+				// GetClientCertificate must return a non-nil Certificate.
+				return emptyCert, nil
+			}
+			return cert, nil
 		}
 		if !tlsConfig.InsecureSkipVerify {
 			tlsConfig.InsecureSkipVerify = true

diff --git a/pkg/proxy/backend/authenticator.go b/pkg/proxy/backend/authenticator.go
@@ -183,7 +183,7 @@ func (auth *Authenticator) handshakeFirstTime(logger *zap.Logger, clientIO *pnet
 	resp.AuthPlugin = "auth_unknown_plugin"
 	resp.Capability = auth.capability
 
-	if backendCapability&pnet.ClientSSL != 0 {
+	if backendCapability&pnet.ClientSSL != 0 && backendTLSConfig != nil {
 		resp.Capability |= mysql.ClientSSL
 		pkt = pnet.MakeHandshakeResponse(resp)
 		// write SSL Packet
@@ -294,7 +294,7 @@ func (auth *Authenticator) writeAuthHandshake(backendIO *pnet.PacketIO, authData
 	}
 	data := pnet.MakeHandshakeResponse(resp)
 
-	if tls {
+	if tls && auth.backendTLSConfig != nil {
 		// write SSL req
 		if err := backendIO.WritePacket(data[:32], true); err != nil {
 			return err