Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
C
caddy
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
caddy
Commits
1889049e
Commit
1889049e
authored
Oct 19, 2017
by
Craig Peterson
Committed by
GitHub
Oct 19, 2017
Browse files
Options
Browse Files
Download
Plain Diff
Merge branch 'master' into macros
parents
68a495f1
a2db3403
Changes
3
Hide whitespace changes
Inline
Side-by-side
Showing
3 changed files
with
29 additions
and
3 deletions
+29
-3
caddytls/certificates.go
caddytls/certificates.go
+14
-2
caddytls/crypto.go
caddytls/crypto.go
+7
-0
caddytls/maintain.go
caddytls/maintain.go
+8
-1
No files found.
caddytls/certificates.go
View file @
1889049e
...
...
@@ -128,8 +128,10 @@ func (cfg *Config) CacheManagedCertificate(domain string) (Certificate, error) {
// cacheUnmanagedCertificatePEMFile loads a certificate for host using certFile
// and keyFile, which must be in PEM format. It stores the certificate in
// memory. The Managed and OnDemand flags of the certificate will be set to
// false.
// memory after evicting any other entries in the cache keyed by the names
// on this certificate. In other words, it replaces existing certificates keyed
// by the names on this certificate. The Managed and OnDemand flags of the
// certificate will be set to false.
//
// This function is safe for concurrent use.
func
cacheUnmanagedCertificatePEMFile
(
certFile
,
keyFile
string
)
error
{
...
...
@@ -137,6 +139,16 @@ func cacheUnmanagedCertificatePEMFile(certFile, keyFile string) error {
if
err
!=
nil
{
return
err
}
// since this is manually managed, this call might be part of a reload after
// the owner renewed a certificate; so clear cache of any previous cert first,
// otherwise the renewed certificate may never be loaded
certCacheMu
.
Lock
()
for
_
,
name
:=
range
cert
.
Names
{
delete
(
certCache
,
name
)
}
certCacheMu
.
Unlock
()
cacheCertificate
(
cert
)
return
nil
}
...
...
caddytls/crypto.go
View file @
1889049e
...
...
@@ -151,6 +151,13 @@ func stapleOCSP(cert *Certificate, pemBundle []byte) error {
// the certificate. If the OCSP response was not loaded from
// storage, we persist it for next time.
if
ocspResp
.
Status
==
ocsp
.
Good
{
if
ocspResp
.
NextUpdate
.
After
(
cert
.
NotAfter
)
{
// uh oh, this OCSP response expires AFTER the certificate does, that's kinda bogus.
// it was the reason a lot of Symantec-validated sites (not Caddy) went down
// in October 2017. https://twitter.com/mattiasgeniar/status/919432824708648961
return
fmt
.
Errorf
(
"invalid: OCSP response for %v valid after certificate expiration (%s)"
,
cert
.
Names
,
cert
.
NotAfter
.
Sub
(
ocspResp
.
NextUpdate
))
}
cert
.
Certificate
.
OCSPStaple
=
ocspBytes
cert
.
OCSP
=
ocspResp
if
gotNewOCSP
{
...
...
caddytls/maintain.go
View file @
1889049e
...
...
@@ -334,8 +334,15 @@ func DeleteOldStapleFiles() {
// meaning that it is not expedient to get an
// updated response from the OCSP server.
func
freshOCSP
(
resp
*
ocsp
.
Response
)
bool
{
nextUpdate
:=
resp
.
NextUpdate
// If there is an OCSP responder certificate, and it expires before the
// OCSP response, use its expiration date as the end of the OCSP
// response's validity period.
if
resp
.
Certificate
!=
nil
&&
resp
.
Certificate
.
NotAfter
.
Before
(
nextUpdate
)
{
nextUpdate
=
resp
.
Certificate
.
NotAfter
}
// start checking OCSP staple about halfway through validity period for good measure
refreshTime
:=
resp
.
ThisUpdate
.
Add
(
resp
.
N
extUpdate
.
Sub
(
resp
.
ThisUpdate
)
/
2
)
refreshTime
:=
resp
.
ThisUpdate
.
Add
(
n
extUpdate
.
Sub
(
resp
.
ThisUpdate
)
/
2
)
return
time
.
Now
()
.
Before
(
refreshTime
)
}
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment