ef40659c
Commit
ef40659c
authored
Mar 17, 2018
by
Matthew Holt
Merge branch 'master' into acmev2
parents
3afb1ae3
6e2de19d
Showing
5 changed files
with
35 additions
and
29 deletions
+35
-29
caddytls/certificates.go
caddytls/certificates.go
+4
-4
caddytls/certificates_test.go
caddytls/certificates_test.go
+5
-4
caddytls/crypto.go
caddytls/crypto.go
+5
-2
caddytls/handshake.go
caddytls/handshake.go
+16
-15
caddytls/handshake_test.go
caddytls/handshake_test.go
+5
-4
caddytls/certificates.go
...
...
@@ -261,21 +261,21 @@ func fillCertFromLeaf(cert *Certificate, tlsCert tls.Certificate) error {
return
err
}
if
leaf
.
Subject
.
CommonName
!=
""
{
if
leaf
.
Subject
.
CommonName
!=
""
{
// TODO: CommonName is deprecated
cert
.
Names
=
[]
string
{
strings
.
ToLower
(
leaf
.
Subject
.
CommonName
)}
}
for
_
,
name
:=
range
leaf
.
DNSNames
{
if
name
!=
leaf
.
Subject
.
CommonName
{
if
name
!=
leaf
.
Subject
.
CommonName
{
// TODO: CommonName is deprecated
cert
.
Names
=
append
(
cert
.
Names
,
strings
.
ToLower
(
name
))
}
}
for
_
,
ip
:=
range
leaf
.
IPAddresses
{
if
ipStr
:=
ip
.
String
();
ipStr
!=
leaf
.
Subject
.
CommonName
{
if
ipStr
:=
ip
.
String
();
ipStr
!=
leaf
.
Subject
.
CommonName
{
// TODO: CommonName is deprecated
cert
.
Names
=
append
(
cert
.
Names
,
strings
.
ToLower
(
ipStr
))
}
}
for
_
,
email
:=
range
leaf
.
EmailAddresses
{
if
email
!=
leaf
.
Subject
.
CommonName
{
if
email
!=
leaf
.
Subject
.
CommonName
{
// TODO: CommonName is deprecated
cert
.
Names
=
append
(
cert
.
Names
,
strings
.
ToLower
(
email
))
}
}
...
...
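Review bot: The de-duplication against the CommonName on the new side is case-sensitive while every stored name is lower-cased, so a SAN that differs from the CN only in case (`Example.com` vs `example.com`) lands in cert.Names twice; comparing with `strings.EqualFold(name, leaf.Subject.CommonName)` (and likewise for `ipStr` and `email`) would match the lower-casing applied on the next line. The three new TODO comments flag CommonName as deprecated; it would help to say why in the same comment, e.g. `// TODO: CommonName is deprecated; most verifiers ignore it when SANs are present, so a CN absent from the SANs can be selected here for a name the client will then reject`. fillCertFromLeaf begins before the hunk and continues after it.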
caddytls/certificates_test.go
...
...
@@ -43,10 +43,11 @@ func TestUnexportedGetCertificate(t *testing.T) {
t
.
Errorf
(
"Didn't get wildcard cert for 'sub.example.com' or got the wrong one: %v, matched=%v, defaulted=%v"
,
cert
,
matched
,
defaulted
)
}
// When no certificate matches and SNI is provided, return no certificate (should be TLS alert)
if
cert
,
matched
,
defaulted
:=
cfg
.
getCertificate
(
"nomatch"
);
matched
||
defaulted
{
t
.
Errorf
(
"Expected matched=false, defaulted=false; but got matched=%v, defaulted=%v (cert: %v)"
,
matched
,
defaulted
,
cert
)
}
// TODO: Re-implement this behavior when I'm not in the middle of upgrading for ACMEv2 support. :) (it was reverted in #2037)
// // When no certificate matches and SNI is provided, return no certificate (should be TLS alert)
// if cert, matched, defaulted := cfg.getCertificate("nomatch"); matched || defaulted {
// t.Errorf("Expected matched=false, defaulted=false; but got matched=%v, defaulted=%v (cert: %v)", matched, defaulted, cert)
// }
// When no certificate matches and SNI is NOT provided, a random is returned
if
cert
,
matched
,
defaulted
:=
cfg
.
getCertificate
(
""
);
matched
||
!
defaulted
{
...
...
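Review bot: Commenting out the "nomatch" assertion leaves the no-match-with-SNI path of getCertificate without any test, even though the handshake.go hunk in this commit deliberately returns a fallback certificate there; the same gap is left by the commented-out helloNoMatch checks in caddytls/handshake_test.go. Rather than a dead block, pin the current behaviour so the planned re-implementation fails a test instead of changing silently: `if cert, matched, defaulted := cfg.getCertificate("nomatch"); matched || !defaulted { t.Errorf("Expected matched=false, defaulted=true; but got matched=%v, defaulted=%v (cert: %v)", matched, defaulted, cert) }`. This assumes the cache is non-empty at this point, which is set up before the hunk; TestUnexportedGetCertificate begins before the hunk and continues after it.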
caddytls/crypto.go
...
...
@@ -218,10 +218,13 @@ func makeSelfSignedCert(config *Config) error {
KeyUsage
:
x509
.
KeyUsageKeyEncipherment
|
x509
.
KeyUsageDigitalSignature
,
ExtKeyUsage
:
[]
x509
.
ExtKeyUsage
{
x509
.
ExtKeyUsageServerAuth
},
}
var
names
[]
string
if
ip
:=
net
.
ParseIP
(
config
.
Hostname
);
ip
!=
nil
{
names
=
append
(
names
,
strings
.
ToLower
(
ip
.
String
()))
cert
.
IPAddresses
=
append
(
cert
.
IPAddresses
,
ip
)
}
else
{
cert
.
DNSNames
=
append
(
cert
.
DNSNames
,
config
.
Hostname
)
names
=
append
(
names
,
strings
.
ToLower
(
config
.
Hostname
))
cert
.
DNSNames
=
append
(
cert
.
DNSNames
,
strings
.
ToLower
(
config
.
Hostname
))
}
publicKey
:=
func
(
privKey
interface
{})
interface
{}
{
...
...
@@ -247,7 +250,7 @@ func makeSelfSignedCert(config *Config) error {
PrivateKey
:
privKey
,
Leaf
:
cert
,
},
Names
:
cert
.
DNSN
ames
,
Names
:
n
ames
,
NotAfter
:
cert
.
NotAfter
,
Hash
:
hashCertificateChain
(
chain
),
})
...
...
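Review bot: In the else branch the hostname is appended to cert.DNSNames and to `names` without checking that it is non-empty, and the handshake.go hunk in this same commit notes that hosts can be defined with an empty hostname such as ":443"; if makeSelfSignedCert is reached for such a config (the caller is not visible here), the self-signed certificate carries an empty dNSName SAN and `names` an empty entry, neither of which is usable for name matching. Guarding the branch with `if config.Hostname != ""` before the two appends would avoid emitting that SAN. Separately, `strings.ToLower(ip.String())` in the IP branch is a no-op because net.IP.String() already emits lower-case hex, so it could be dropped for clarity. makeSelfSignedCert begins before the first hunk and continues past the second.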
caddytls/handshake.go
...
...
@@ -59,10 +59,9 @@ func (cg configGroup) getConfig(name string) *Config {
}
}
// try a config that serves all names (this
// is basically the same as a config defined
// for "*" -- I think -- but the above loop
// doesn't try an empty string)
// try a config that serves all names (the above
// loop doesn't try empty string; for hosts defined
// with only a port, for instance, like ":443")
if
config
,
ok
:=
cg
[
""
];
ok
{
return
config
}
...
...
@@ -166,17 +165,19 @@ func (cfg *Config) getCertificate(name string) (cert Certificate, matched, defau
return
}
// if nothing matches and SNI was not provided, use a random
// certificate; at least there's a chance this older client
// can connect, and in the future we won't need this provision
// (if SNI is present, it's probably best to just raise a TLS
// alert by not serving a certificate)
if
name
==
""
{
for
_
,
certKey
:=
range
cfg
.
Certificates
{
defaulted
=
true
cert
=
cfg
.
certCache
.
cache
[
certKey
]
return
}
// if nothing matches, use a random certificate
// TODO: This is not my favorite behavior; I would rather serve
// no certificate if SNI is provided and cause a TLS alert, than
// serve the wrong certificate (but sometimes the 'wrong' cert
// is what is wanted, but in those cases I would prefer that the
// site owner explicitly configure a "default" certificate).
// (See issue 2035; any change to this behavior must account for
// hosts defined like ":443" or "0.0.0.0:443" where the hostname
// is empty or a catch-all IP or something.)
for
_
,
certKey
:=
range
cfg
.
Certificates
{
cert
=
cfg
.
certCache
.
cache
[
certKey
]
defaulted
=
true
return
}
return
...
...
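Review bot: The fallback loop on the new side indexes `cfg.certCache.cache[certKey]` without the comma-ok form, so a key that is listed in cfg.Certificates but missing from the cache returns a zero Certificate with defaulted=true, which the caller cannot tell apart from a real default; `if c, ok := cfg.certCache.cache[certKey]; ok { cert, defaulted = c, true; return }` lets the loop move on to a key that is present. Whether that map read happens under the cache's lock is decided earlier in getCertificate, outside the hunk. The new comment says "use a random certificate", but the loop returns on its first iteration, so this is only random if cfg.Certificates is a map; if it is a slice the first entry is always chosen, and the comment should say which, since the type is declared outside the hunk.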
caddytls/handshake_test.go
...
...
@@ -27,7 +27,7 @@ func TestGetCertificate(t *testing.T) {
hello
:=
&
tls
.
ClientHelloInfo
{
ServerName
:
"example.com"
}
helloSub
:=
&
tls
.
ClientHelloInfo
{
ServerName
:
"sub.example.com"
}
helloNoSNI
:=
&
tls
.
ClientHelloInfo
{}
helloNoMatch
:=
&
tls
.
ClientHelloInfo
{
ServerName
:
"nomatch"
}
// helloNoMatch := &tls.ClientHelloInfo{ServerName: "nomatch"} // TODO (see below)
// When cache is empty
if
cert
,
err
:=
cfg
.
GetCertificate
(
hello
);
err
==
nil
{
...
...
@@ -69,8 +69,9 @@ func TestGetCertificate(t *testing.T) {
t
.
Errorf
(
"Expected random cert with no matches, got: %v"
,
cert
)
}
// TODO: Re-implement this behavior (it was reverted in #2037)
// When no certificate matches, raise an alert
if
_
,
err
:=
cfg
.
GetCertificate
(
helloNoMatch
);
err
==
nil
{
t
.
Errorf
(
"Expected an error when no certificate matched the SNI, got: %v"
,
err
)
}
//
if _, err := cfg.GetCertificate(helloNoMatch); err == nil {
//
t.Errorf("Expected an error when no certificate matched the SNI, got: %v", err)
//
}
}