Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
C
caddy
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
caddy
Commits
ef40659c
Commit
ef40659c
authored
Mar 17, 2018
by
Matthew Holt
Browse files
Options
Browse Files
Download
Plain Diff
Merge branch 'master' into acmev2
parents
3afb1ae3
6e2de19d
Changes
5
Show whitespace changes
Inline
Side-by-side
Showing
5 changed files
with
35 additions
and
29 deletions
+35
-29
caddytls/certificates.go
caddytls/certificates.go
+4
-4
caddytls/certificates_test.go
caddytls/certificates_test.go
+5
-4
caddytls/crypto.go
caddytls/crypto.go
+5
-2
caddytls/handshake.go
caddytls/handshake.go
+16
-15
caddytls/handshake_test.go
caddytls/handshake_test.go
+5
-4
No files found.
caddytls/certificates.go
View file @
ef40659c
...
@@ -261,21 +261,21 @@ func fillCertFromLeaf(cert *Certificate, tlsCert tls.Certificate) error {
...
@@ -261,21 +261,21 @@ func fillCertFromLeaf(cert *Certificate, tlsCert tls.Certificate) error {
return
err
return
err
}
}
if
leaf
.
Subject
.
CommonName
!=
""
{
if
leaf
.
Subject
.
CommonName
!=
""
{
// TODO: CommonName is deprecated
cert
.
Names
=
[]
string
{
strings
.
ToLower
(
leaf
.
Subject
.
CommonName
)}
cert
.
Names
=
[]
string
{
strings
.
ToLower
(
leaf
.
Subject
.
CommonName
)}
}
}
for
_
,
name
:=
range
leaf
.
DNSNames
{
for
_
,
name
:=
range
leaf
.
DNSNames
{
if
name
!=
leaf
.
Subject
.
CommonName
{
if
name
!=
leaf
.
Subject
.
CommonName
{
// TODO: CommonName is deprecated
cert
.
Names
=
append
(
cert
.
Names
,
strings
.
ToLower
(
name
))
cert
.
Names
=
append
(
cert
.
Names
,
strings
.
ToLower
(
name
))
}
}
}
}
for
_
,
ip
:=
range
leaf
.
IPAddresses
{
for
_
,
ip
:=
range
leaf
.
IPAddresses
{
if
ipStr
:=
ip
.
String
();
ipStr
!=
leaf
.
Subject
.
CommonName
{
if
ipStr
:=
ip
.
String
();
ipStr
!=
leaf
.
Subject
.
CommonName
{
// TODO: CommonName is deprecated
cert
.
Names
=
append
(
cert
.
Names
,
strings
.
ToLower
(
ipStr
))
cert
.
Names
=
append
(
cert
.
Names
,
strings
.
ToLower
(
ipStr
))
}
}
}
}
for
_
,
email
:=
range
leaf
.
EmailAddresses
{
for
_
,
email
:=
range
leaf
.
EmailAddresses
{
if
email
!=
leaf
.
Subject
.
CommonName
{
if
email
!=
leaf
.
Subject
.
CommonName
{
// TODO: CommonName is deprecated
cert
.
Names
=
append
(
cert
.
Names
,
strings
.
ToLower
(
email
))
cert
.
Names
=
append
(
cert
.
Names
,
strings
.
ToLower
(
email
))
}
}
}
}
...
...
caddytls/certificates_test.go
View file @
ef40659c
...
@@ -43,10 +43,11 @@ func TestUnexportedGetCertificate(t *testing.T) {
...
@@ -43,10 +43,11 @@ func TestUnexportedGetCertificate(t *testing.T) {
t
.
Errorf
(
"Didn't get wildcard cert for 'sub.example.com' or got the wrong one: %v, matched=%v, defaulted=%v"
,
cert
,
matched
,
defaulted
)
t
.
Errorf
(
"Didn't get wildcard cert for 'sub.example.com' or got the wrong one: %v, matched=%v, defaulted=%v"
,
cert
,
matched
,
defaulted
)
}
}
// When no certificate matches and SNI is provided, return no certificate (should be TLS alert)
// TODO: Re-implement this behavior when I'm not in the middle of upgrading for ACMEv2 support. :) (it was reverted in #2037)
if
cert
,
matched
,
defaulted
:=
cfg
.
getCertificate
(
"nomatch"
);
matched
||
defaulted
{
// // When no certificate matches and SNI is provided, return no certificate (should be TLS alert)
t
.
Errorf
(
"Expected matched=false, defaulted=false; but got matched=%v, defaulted=%v (cert: %v)"
,
matched
,
defaulted
,
cert
)
// if cert, matched, defaulted := cfg.getCertificate("nomatch"); matched || defaulted {
}
// t.Errorf("Expected matched=false, defaulted=false; but got matched=%v, defaulted=%v (cert: %v)", matched, defaulted, cert)
// }
// When no certificate matches and SNI is NOT provided, a random is returned
// When no certificate matches and SNI is NOT provided, a random is returned
if
cert
,
matched
,
defaulted
:=
cfg
.
getCertificate
(
""
);
matched
||
!
defaulted
{
if
cert
,
matched
,
defaulted
:=
cfg
.
getCertificate
(
""
);
matched
||
!
defaulted
{
...
...
caddytls/crypto.go
View file @
ef40659c
...
@@ -218,10 +218,13 @@ func makeSelfSignedCert(config *Config) error {
...
@@ -218,10 +218,13 @@ func makeSelfSignedCert(config *Config) error {
KeyUsage
:
x509
.
KeyUsageKeyEncipherment
|
x509
.
KeyUsageDigitalSignature
,
KeyUsage
:
x509
.
KeyUsageKeyEncipherment
|
x509
.
KeyUsageDigitalSignature
,
ExtKeyUsage
:
[]
x509
.
ExtKeyUsage
{
x509
.
ExtKeyUsageServerAuth
},
ExtKeyUsage
:
[]
x509
.
ExtKeyUsage
{
x509
.
ExtKeyUsageServerAuth
},
}
}
var
names
[]
string
if
ip
:=
net
.
ParseIP
(
config
.
Hostname
);
ip
!=
nil
{
if
ip
:=
net
.
ParseIP
(
config
.
Hostname
);
ip
!=
nil
{
names
=
append
(
names
,
strings
.
ToLower
(
ip
.
String
()))
cert
.
IPAddresses
=
append
(
cert
.
IPAddresses
,
ip
)
cert
.
IPAddresses
=
append
(
cert
.
IPAddresses
,
ip
)
}
else
{
}
else
{
cert
.
DNSNames
=
append
(
cert
.
DNSNames
,
config
.
Hostname
)
names
=
append
(
names
,
strings
.
ToLower
(
config
.
Hostname
))
cert
.
DNSNames
=
append
(
cert
.
DNSNames
,
strings
.
ToLower
(
config
.
Hostname
))
}
}
publicKey
:=
func
(
privKey
interface
{})
interface
{}
{
publicKey
:=
func
(
privKey
interface
{})
interface
{}
{
...
@@ -247,7 +250,7 @@ func makeSelfSignedCert(config *Config) error {
...
@@ -247,7 +250,7 @@ func makeSelfSignedCert(config *Config) error {
PrivateKey
:
privKey
,
PrivateKey
:
privKey
,
Leaf
:
cert
,
Leaf
:
cert
,
},
},
Names
:
cert
.
DNSN
ames
,
Names
:
n
ames
,
NotAfter
:
cert
.
NotAfter
,
NotAfter
:
cert
.
NotAfter
,
Hash
:
hashCertificateChain
(
chain
),
Hash
:
hashCertificateChain
(
chain
),
})
})
...
...
caddytls/handshake.go
View file @
ef40659c
...
@@ -59,10 +59,9 @@ func (cg configGroup) getConfig(name string) *Config {
...
@@ -59,10 +59,9 @@ func (cg configGroup) getConfig(name string) *Config {
}
}
}
}
// try a config that serves all names (this
// try a config that serves all names (the above
// is basically the same as a config defined
// loop doesn't try empty string; for hosts defined
// for "*" -- I think -- but the above loop
// with only a port, for instance, like ":443")
// doesn't try an empty string)
if
config
,
ok
:=
cg
[
""
];
ok
{
if
config
,
ok
:=
cg
[
""
];
ok
{
return
config
return
config
}
}
...
@@ -166,18 +165,20 @@ func (cfg *Config) getCertificate(name string) (cert Certificate, matched, defau
...
@@ -166,18 +165,20 @@ func (cfg *Config) getCertificate(name string) (cert Certificate, matched, defau
return
return
}
}
// if nothing matches and SNI was not provided, use a random
// if nothing matches, use a random certificate
// certificate; at least there's a chance this older client
// TODO: This is not my favorite behavior; I would rather serve
// can connect, and in the future we won't need this provision
// no certificate if SNI is provided and cause a TLS alert, than
// (if SNI is present, it's probably best to just raise a TLS
// serve the wrong certificate (but sometimes the 'wrong' cert
// alert by not serving a certificate)
// is what is wanted, but in those cases I would prefer that the
if
name
==
""
{
// site owner explicitly configure a "default" certificate).
// (See issue 2035; any change to this behavior must account for
// hosts defined like ":443" or "0.0.0.0:443" where the hostname
// is empty or a catch-all IP or something.)
for
_
,
certKey
:=
range
cfg
.
Certificates
{
for
_
,
certKey
:=
range
cfg
.
Certificates
{
defaulted
=
true
cert
=
cfg
.
certCache
.
cache
[
certKey
]
cert
=
cfg
.
certCache
.
cache
[
certKey
]
defaulted
=
true
return
return
}
}
}
return
return
}
}
...
...
caddytls/handshake_test.go
View file @
ef40659c
...
@@ -27,7 +27,7 @@ func TestGetCertificate(t *testing.T) {
...
@@ -27,7 +27,7 @@ func TestGetCertificate(t *testing.T) {
hello
:=
&
tls
.
ClientHelloInfo
{
ServerName
:
"example.com"
}
hello
:=
&
tls
.
ClientHelloInfo
{
ServerName
:
"example.com"
}
helloSub
:=
&
tls
.
ClientHelloInfo
{
ServerName
:
"sub.example.com"
}
helloSub
:=
&
tls
.
ClientHelloInfo
{
ServerName
:
"sub.example.com"
}
helloNoSNI
:=
&
tls
.
ClientHelloInfo
{}
helloNoSNI
:=
&
tls
.
ClientHelloInfo
{}
helloNoMatch
:=
&
tls
.
ClientHelloInfo
{
ServerName
:
"nomatch"
}
// helloNoMatch := &tls.ClientHelloInfo{ServerName: "nomatch"} // TODO (see below)
// When cache is empty
// When cache is empty
if
cert
,
err
:=
cfg
.
GetCertificate
(
hello
);
err
==
nil
{
if
cert
,
err
:=
cfg
.
GetCertificate
(
hello
);
err
==
nil
{
...
@@ -69,8 +69,9 @@ func TestGetCertificate(t *testing.T) {
...
@@ -69,8 +69,9 @@ func TestGetCertificate(t *testing.T) {
t
.
Errorf
(
"Expected random cert with no matches, got: %v"
,
cert
)
t
.
Errorf
(
"Expected random cert with no matches, got: %v"
,
cert
)
}
}
// TODO: Re-implement this behavior (it was reverted in #2037)
// When no certificate matches, raise an alert
// When no certificate matches, raise an alert
if
_
,
err
:=
cfg
.
GetCertificate
(
helloNoMatch
);
err
==
nil
{
//
if _, err := cfg.GetCertificate(helloNoMatch); err == nil {
t
.
Errorf
(
"Expected an error when no certificate matched the SNI, got: %v"
,
err
)
//
t.Errorf("Expected an error when no certificate matched the SNI, got: %v", err)
}
//
}
}
}
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment