Add support for OCSP Must-Staple for Let's Encrypt certs (#1221)

* Fix Caddytls * Let the user decide * Address comments

Add support for OCSP Must-Staple for Let's Encrypt certs (#1221)
* Fix Caddytls * Let the user decide * Address comments
53e11780 · elcore · Matt Holt · 23f89f30 · 53e11780 · 53e11780
Commit 53e11780 authored Oct 29, 2016 by elcore Committed by Matt Holt Oct 29, 2016
Showing with 12 additions and 2 deletions

caddytls/client.go caddytls/client.go +2 -2

caddytls/config.go caddytls/config.go +3 -0

caddytls/setup.go caddytls/setup.go +2 -0

caddytls/setup_test.go caddytls/setup_test.go +5 -0

No files found.
--- a/caddytls/client.go
+++ b/caddytls/client.go
@@ -197,7 +197,7 @@ Attempts:
 	for attempts := 0; attempts < 2; attempts++ {
 		namesObtaining.Add([]string{name})
 		acmeMu.Lock()
-		certificate, failures := c.acmeClient.ObtainCertificate([]string{name}, true, nil)
+		certificate, failures := c.acmeClient.ObtainCertificate([]string{name}, true, nil, c.config.MustStaple)
 		acmeMu.Unlock()
 		namesObtaining.Remove([]string{name})
 		if len(failures) > 0 {
@@ -285,7 +285,7 @@ func (c *ACMEClient) Renew(name string) error {
 	for attempts := 0; attempts < 2; attempts++ {
 		namesObtaining.Add([]string{name})
 		acmeMu.Lock()
-		newCertMeta, err = c.acmeClient.RenewCertificate(certMeta, true)
+		newCertMeta, err = c.acmeClient.RenewCertificate(certMeta, true, c.config.MustStaple)
 		acmeMu.Unlock()
 		namesObtaining.Remove([]string{name})
 		if err == nil {

--- a/caddytls/config.go
+++ b/caddytls/config.go
@@ -105,6 +105,9 @@ type Config struct {

 	// The state needed to operate on-demand TLS
 	OnDemandState OnDemandState
+
+	// Add the must staple TLS extension to the CSR generated by lego/acme
+	MustStaple bool
 }

 // OnDemandState contains some state relevant for providing

--- a/caddytls/setup.go
+++ b/caddytls/setup.go
@@ -164,6 +164,8 @@ func setupTLS(c *caddy.Controller) error {
 					return c.Errf("Unsupported Storage provider '%s'", args[0])
 				}
 				config.StorageProvider = args[0]
+			case "muststaple":
+				config.MustStaple = true
 			default:
 				return c.Errf("Unknown keyword '%s'", c.Val())
 			}

--- a/caddytls/setup_test.go
+++ b/caddytls/setup_test.go
@@ -103,6 +103,7 @@ func TestSetupParseWithOptionalParams(t *testing.T) {
 	params := `tls ` + certFile + ` ` + keyFile + ` {
            protocols tls1.0 tls1.2
            ciphers RSA-AES256-CBC-SHA ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384
+            muststaple
        }`
 	cfg := new(Config)
 	RegisterConfigGetter("", func(c *caddy.Controller) *Config { return cfg })
@@ -124,6 +125,10 @@ func TestSetupParseWithOptionalParams(t *testing.T) {
 	if len(cfg.Ciphers)-1 != 3 {
 		t.Errorf("Expected 3 Ciphers (not including TLS_FALLBACK_SCSV), got %v", len(cfg.Ciphers)-1)
 	}
+
+	if !cfg.MustStaple {
+		t.Errorf("Expected must staple to be true")
+	}
 }

 func TestSetupDefaultWithOptionalParams(t *testing.T) {