bug: return initialConfig instead of empty tlsConfig

When TLS certificate reloading functionality was implemented and
released in Dex 2.37.0, the added newTLSReloader() returns an empty tlsConfig
and discards the provided, already configured tlsConfig. Servers with an
empty tlsConfig override Go's sensible defaults, and start serving Dex
over TLS 1.0 and TLS 1.1 in addition to Go's default TLS 1.2+.

TLS 1.0 and 1.1 are long deprecated and vulnerable, making this a
security risk. The server and its secrets are vulnerable to attackers.
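The failure the commit message describes, as an added Go example that is not Dex's own code: a reloader that returns a freshly built tls.Config silently drops the caller's MinVersion, while one that returns the configured base keeps it. buggyReloader, fixedReloader and checkTLSPolicy are assumed names for this illustration; checkTLSPolicy is the kind of guard a deployment can run over the *tls.Config a server is about to use.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

type certFunc func(*tls.ClientHelloInfo) (*tls.Certificate, error)

// buggyReloader mirrors the pre-fix shape: a fresh, empty tls.Config gets the
// certificate callback and is returned, discarding everything in base.
func buggyReloader(base *tls.Config, getCert certFunc) *tls.Config {
	conf := &tls.Config{}
	conf.GetCertificate = getCert
	return conf
}

// fixedReloader mirrors the fix: the callback is installed on the caller's
// config and that same config is returned, so MinVersion and friends survive.
func fixedReloader(base *tls.Config, getCert certFunc) *tls.Config {
	base.GetCertificate = getCert
	return base
}

// checkTLSPolicy (assumed helper) fails if the minimum version was lost
// (zero means "library default") or sits below TLS 1.2, or if the config
// has no certificate source at all.
func checkTLSPolicy(c *tls.Config) error {
	if c.MinVersion == 0 {
		return fmt.Errorf("MinVersion unset: falls back to library default")
	}
	if c.MinVersion < tls.VersionTLS12 {
		return fmt.Errorf("MinVersion 0x%04x is below TLS 1.2", c.MinVersion)
	}
	if c.GetCertificate == nil && c.GetConfigForClient == nil && len(c.Certificates) == 0 {
		return fmt.Errorf("no certificate source configured")
	}
	return nil
}

func main() {
	// Constructed stand-in for the reloader's real certificate callback.
	stub := certFunc(func(*tls.ClientHelloInfo) (*tls.Certificate, error) { return &tls.Certificate{}, nil })
	base := &tls.Config{MinVersion: tls.VersionTLS12}
	fmt.Println("buggy:", checkTLSPolicy(buggyReloader(base, stub)))
	fmt.Println("fixed:", checkTLSPolicy(fixedReloader(base, stub)))
}
```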
pull/3299/head
Tuomo Tanskanen, 2 years ago
commit 8cf9094871
GPG Key ID: A3FB25F0601AFBAF (no known key found for this signature in database)
  1. 7
      cmd/dex/serve.go

@ -647,17 +647,16 @@ func newTLSReloader(logger log.Logger, certFile, keyFile, caFile string, baseCon
}
}()
conf := &tls.Config{}
// https://pkg.go.dev/crypto/tls#baseConfig
// Server configurations must set one of Certificates, GetCertificate or GetConfigForClient.
if caFile != "" {
// grpc will use this via tls.Server for mTLS
conf.GetConfigForClient = func(chi *tls.ClientHelloInfo) (*tls.Config, error) { return ptr.Load(), nil }
initialConfig.GetConfigForClient = func(chi *tls.ClientHelloInfo) (*tls.Config, error) { return ptr.Load(), nil }
} else {
// net/http only uses Certificates or GetCertificate
conf.GetCertificate = func(chi *tls.ClientHelloInfo) (*tls.Certificate, error) { return &ptr.Load().Certificates[0], nil }
initialConfig.GetCertificate = func(chi *tls.ClientHelloInfo) (*tls.Certificate, error) { return &ptr.Load().Certificates[0], nil }
}
return conf, nil
return initialConfig, nil
}
// loadTLSConfig loads the given file paths into a [tls.Config]
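Review bot: with conf gone, the two callback assignments in this hunk now mutate the caller's initialConfig in place and return that same pointer, which is exactly what lets MinVersion and CipherSuites survive, but it also makes modification of the passed-in struct a side effect; either state that in the function's doc comment or clone first (initialConfig = initialConfig.Clone()) before setting GetConfigForClient / GetCertificate. Two smaller points while here: the GetCertificate closure still indexes ptr.Load().Certificates[0] with no length guard, and a regression test asserting that the returned config's MinVersion equals the one passed in would have caught the original bug.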
