Fix race codes

common/tls/ech.go

@@ -81,6 +81,19 @@ func parseECHServerConfig(ctx context.Context, options option.InboundTLSOptions,
 	return nil
 }
 
+func (c *STDServerConfig) setECHServerConfig(echKey []byte) error {
+	echKeys, err := parseECHKeys(echKey)
+	if err != nil {
+		return err
+	}
+	c.access.Lock()
+	config := c.config.Clone()
+	config.EncryptedClientHelloKeys = echKeys
+	c.config = config
+	c.access.Unlock()
+	return nil
+}
+
 func parseECHKeys(echKey []byte) ([]tls.EncryptedClientHelloKey, error) {
 	block, _ := pem.Decode(echKey)
 	if block == nil || block.Type != "ECH KEYS" {

common/tls/ech_stub.go

@@ -18,6 +18,6 @@ func parseECHServerConfig(ctx context.Context, options option.InboundTLSOptions,
 	return E.New("ECH requires go1.24, please recompile your binary.")
 }
 
-func reloadECHKeys(echKeyPath string, tlsConfig *tls.Config) error {
-	return E.New("ECH requires go1.24, please recompile your binary.")
+func (c *STDServerConfig) setECHServerConfig(echKey []byte) error {
+	panic("unreachable")
 }

common/tls/std_server.go

@@ -163,15 +163,10 @@ func (c *STDServerConfig) certificateUpdated(path string) error {
 		if err != nil {
 			return E.Cause(err, "reload ECH keys from ", c.echKeyPath)
 		}
-		echKeys, err := parseECHKeys(echKey)
+		err = c.setECHServerConfig(echKey)
 		if err != nil {
 			return err
 		}
-		c.access.Lock()
-		config := c.config.Clone()
-		config.EncryptedClientHelloKeys = echKeys
-		c.config = config
-		c.access.Unlock()
 		c.logger.Info("reloaded ECH keys")
 	}
 	return nil