+ if len(verifiedChains) > 0 {
+ caHashes := make(map[string]struct{})
+ for _, certs := range verifiedChains {
+ for _, cert := range certs {
+ caHashes[spkiHash(cert)] = struct{}{}
+ }
+ }
+ var restrictedHosts []string
+ caches.RestrictedM.RLock()
+ for h := range caHashes {
+ restrictedHosts = append(restrictedHosts, caches.Restricted[h]...)
+ }
+ caches.RestrictedM.RUnlock()
+ if len(restrictedHosts) > 0 {
+ for _, h := range restrictedHosts {
+ if host == h || strings.HasSuffix(host, "."+h) {
+ goto HostIsNotRestricted
+ }
+ }
+ fifos.LogCert <- fmt.Sprintf("Restricted\t%s", host)
+ return ErrRejected{host}
+ }
+ }
+HostIsNotRestricted:
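Review bot: The allowlists of every restricted CA found in any verified chain are merged into one `restrictedHosts` slice before the match loop, so a host listed for one CA is accepted even when another restricted CA in the same chain does not list it. If each entry in `caches.Restricted` is meant to confine what that particular CA may vouch for, the check should run per CA and reject as soon as one restricted CA fails to cover `host`; that also removes the `goto` and its label. Separately, the whole check is skipped when `verifiedChains` is empty, which fails open if this callback can ever run without chain verification (not visible here, since the enclosing function starts and ends outside the hunk). The comparison against `host` is also byte-exact, so it is worth confirming that callers lower-case it and strip any trailing dot.

```go
if len(verifiedChains) > 0 {
	// … unchanged: caHashes built from every cert in verifiedChains …
	rejected := false
	caches.RestrictedM.RLock()
	for h := range caHashes {
		allowed := caches.Restricted[h]
		if len(allowed) == 0 {
			continue // no restriction recorded for this key
		}
		covered := false
		for _, a := range allowed {
			if host == a || strings.HasSuffix(host, "."+a) {
				covered = true
				break
			}
		}
		if !covered {
			rejected = true
			break
		}
	}
	caches.RestrictedM.RUnlock()
	if rejected {
		fifos.LogCert <- fmt.Sprintf("Restricted\t%s", host)
		return ErrRejected{host}
	}
}
```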