From 10d547f52866363694538bb379aa36b3be1092a1 Mon Sep 17 00:00:00 2001
From: Chung-Ting Huang
Date: Tue, 20 Nov 2018 14:34:56 -0600
Subject: [PATCH] TUN-1209: TLS Config Certificates and GetCertificate can both be set

---
 tlsconfig/tlsconfig.go | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/tlsconfig/tlsconfig.go b/tlsconfig/tlsconfig.go
index 8b402fce..32090785 100644
--- a/tlsconfig/tlsconfig.go
+++ b/tlsconfig/tlsconfig.go
@@ -24,18 +24,23 @@ type TLSParameters struct {
 // GetConfig returns a TLS configuration according to the Config set by the user.
 func GetConfig(p *TLSParameters) (*tls.Config, error) {
 	tlsconfig := &tls.Config{}
-	if p.GetCertificate != nil {
-		tlsconfig.GetCertificate = p.GetCertificate.Cert
-		tlsconfig.BuildNameToCertificate()
-	} else if p.Cert != "" && p.Key != "" {
+	if p.Cert != "" && p.Key != "" {
 		cert, err := tls.LoadX509KeyPair(p.Cert, p.Key)
 		if err != nil {
 			return nil, errors.Wrap(err, "Error parsing X509 key pair")
 		}
 		tlsconfig.Certificates = []tls.Certificate{cert}
+		// BuildNameToCertificate parses Certificates and builds NameToCertificate from common name
+		// and SAN fields of leaf certificates
 		tlsconfig.BuildNameToCertificate()
 	}
 
+	if p.GetCertificate != nil {
+		// GetCertificate is called when client supplies SNI info or Certificates is empty.
+		// Order of retrieving certificate is GetCertificate, NameToCertificate and lastly first element of Certificates
+		tlsconfig.GetCertificate = p.GetCertificate.Cert
+	}
+
 	if len(p.ClientCAs) > 0 {
 		// set of root certificate authorities that servers use if required to verify a client certificate
 		// by the policy in ClientAuth
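Review bot: The comment added above `tlsconfig.GetCertificate = p.GetCertificate.Cert` gives the lookup order but leaves out the fall-through case that matters now that both fields can be populated: when the callback returns `(nil, nil)`, crypto/tls consults NameToCertificate and then Certificates, so a dynamic certificate source that finds no match for the requested name silently serves the static pair loaded from p.Cert and p.Key. If handing out the static certificate for an unmatched SNI name is not intended, the callback has to return a non-nil error rather than nil to refuse the handshake. I would extend the comment with `// A (nil, nil) result falls through to NameToCertificate and then Certificates; return an error to refuse instead.` GetConfig's body continues past the end of the hunk.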