🐛 bug: defer TLS handler setup until client CA validation succeeds

Agent-Logs-Url: https://github.com/gofiber/fiber/sessions/c36b8ed0-2ea6-43fd-9fc1-8b2e5ff74bf1

Co-authored-by: gaby <835733+gaby@users.noreply.github.com>

Author: Copilot

listen.go

@@ -187,6 +187,7 @@ func (app *App) Listen(addr string, config ...ListenConfig) error {
 
 	// Configure TLS
 	var tlsConfig *tls.Config
+	var tlsHandler *TLSHandler
 	if cfg.TLSConfig != nil {
 		tlsConfig = cfg.TLSConfig.Clone()
 	} else {
@@ -199,7 +200,7 @@ func (app *App) Listen(addr string, config ...ListenConfig) error {
 				return fmt.Errorf("tls: cannot load TLS key pair from certFile=%q and keyFile=%q: %w", cfg.CertFile, cfg.CertKeyFile, err)
 			}
 
-			tlsHandler := &TLSHandler{}
+			tlsHandler = &TLSHandler{}
 			tlsConfig = &tls.Config{ //nolint:gosec // This is a user input
 				MinVersion: cfg.TLSMinVersion,
 				Certificates: []tls.Certificate{
@@ -208,8 +209,6 @@ func (app *App) Listen(addr string, config ...ListenConfig) error {
 				GetCertificate: tlsHandler.GetClientInfo,
 			}
 
-			// Attach the tlsHandler to the config
-			app.SetTLSHandler(tlsHandler)
 		case cfg.AutoCertManager != nil:
 			tlsConfig = &tls.Config{ //nolint:gosec // This is a user input
 				MinVersion:     cfg.TLSMinVersion,
@@ -223,6 +222,11 @@ func (app *App) Listen(addr string, config ...ListenConfig) error {
 			if err := applyClientCert(tlsConfig, cfg.CertClientFile); err != nil {
 				return err
 			}
+
+			if tlsHandler != nil {
+				// Attach the tlsHandler to the config
+				app.SetTLSHandler(tlsHandler)
+			}
 		}
 
 		if tlsConfig != nil && cfg.TLSConfigFunc != nil {

listen_test.go

@@ -514,6 +514,16 @@ func Test_Listen_AutoCert_WithClientCertFile(t *testing.T) {
 			t.Parallel()
 
 			app := New()
+			done := make(chan struct{})
+			defer close(done)
+
+			go func() {
+				select {
+				case <-done:
+				case <-time.After(time.Second):
+					assert.NoError(t, app.Shutdown())
+				}
+			}()
 
 			err := app.Listen(":0", ListenConfig{
 				CertClientFile: tc.clientCAPath,
@@ -527,6 +537,27 @@ func Test_Listen_AutoCert_WithClientCertFile(t *testing.T) {
 	}
 }
 
+func Test_Listen_ClientCertErrorDoesNotSetTLSHandler(t *testing.T) {
+	t.Parallel()
+
+	invalidClientCAPath := filepath.Join(t.TempDir(), "client-ca.pem")
+	require.NoError(t, os.WriteFile(invalidClientCAPath, []byte("not a pem"), 0o600))
+
+	app := New()
+
+	err := app.Listen(":0", ListenConfig{
+		CertFile:       "./.github/testdata/ssl.pem",
+		CertKeyFile:    "./.github/testdata/ssl.key",
+		CertClientFile: invalidClientCAPath,
+	})
+	require.ErrorContains(t, err, filepath.Base(invalidClientCAPath))
+
+	c := app.AcquireCtx(&fasthttp.RequestCtx{})
+	defer app.ReleaseCtx(c)
+
+	require.Nil(t, c.ClientHelloInfo())
+}
+
 // go test -run Test_Listen_ListenerAddrFunc
 func Test_Listen_ListenerAddrFunc(t *testing.T) {
 	var network string