diff options
author | Matthew Holt <mholt@users.noreply.github.com> | 2020-12-15 12:16:04 -0700 |
---|---|---|
committer | Matthew Holt <mholt@users.noreply.github.com> | 2020-12-15 12:16:04 -0700 |
commit | e384f07a3ce91ddbc8c4d4344f03a0dafe3df9f3 (patch) | |
tree | 8e68b638a579c857328003a732fc07907b7e100a | |
parent | 132525de3bfd6acb16f8628fa057cb03e102a177 (diff) |
caddytls: Improve alt chain preference settings
This allows for finer-grained control when choosing alternate chains than
simply the previous/Certbot-esque behavior of "choose first chain that
contains an issuer's common name." This update allows you to sort by
length (if optimizing for efficiency on the wire) and also to select the
chain with a specific root CommonName.
-rw-r--r-- | go.mod | 2 | ||||
-rw-r--r-- | go.sum | 4 | ||||
-rw-r--r-- | modules/caddytls/acmeissuer.go | 34 |
3 files changed, 32 insertions, 8 deletions
@@ -6,7 +6,7 @@ require ( github.com/Masterminds/sprig/v3 v3.1.0 github.com/alecthomas/chroma v0.8.2 github.com/aryann/difflib v0.0.0-20170710044230-e206f873d14a - github.com/caddyserver/certmagic v0.12.1-0.20201209195841-b726d1ed13c3 + github.com/caddyserver/certmagic v0.12.1-0.20201215190346-201f83a06067 github.com/dustin/go-humanize v1.0.1-0.20200219035652-afde56e7acac github.com/go-chi/chi v4.1.2+incompatible github.com/google/cel-go v0.6.0 @@ -85,8 +85,8 @@ github.com/bombsimon/wsl/v2 v2.0.0/go.mod h1:mf25kr/SqFEPhhcxW1+7pxzGlW+hIl/hYTK github.com/boombuler/barcode v1.0.0/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8= github.com/bradfitz/go-smtpd v0.0.0-20170404230938-deb6d6237625/go.mod h1:HYsPBTaaSFSlLx/70C2HPIMNZpVV8+vt/A+FMnYP11g= github.com/buger/jsonparser v0.0.0-20181115193947-bf1c66bbce23/go.mod h1:bbYlZJ7hK1yFx9hf58LP0zeX7UjIGs20ufpu3evjr+s= -github.com/caddyserver/certmagic v0.12.1-0.20201209195841-b726d1ed13c3 h1:NW/7kFV4p6VLwG5eQa6ECivSqxAO0MmnAsAV7esFp0o= -github.com/caddyserver/certmagic v0.12.1-0.20201209195841-b726d1ed13c3/go.mod h1:tr26xh+9fY5dN0J6IPAlMj07qpog22PJKa7Nw7j835U= +github.com/caddyserver/certmagic v0.12.1-0.20201215190346-201f83a06067 h1:gpjCX6/8hHRgVXxy1v2AQdoAX6XRXIA8fBUZtEpnVg0= +github.com/caddyserver/certmagic v0.12.1-0.20201215190346-201f83a06067/go.mod h1:tr26xh+9fY5dN0J6IPAlMj07qpog22PJKa7Nw7j835U= github.com/census-instrumentation/opencensus-proto v0.2.0/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU= github.com/cespare/xxhash v1.1.0 h1:a6HrQnmkObjyL+Gs60czilIUGqrzKutQD6XZog3p+ko= diff --git a/modules/caddytls/acmeissuer.go b/modules/caddytls/acmeissuer.go index 7c79c7e..df071c4 100644 --- a/modules/caddytls/acmeissuer.go +++ b/modules/caddytls/acmeissuer.go @@ -74,10 +74,11 @@ type ACMEIssuer struct { // is internal or for development/testing purposes. TrustedRootsPEMFiles []string `json:"trusted_roots_pem_files,omitempty"` - // List of preferred certificate chains, by issuer's CommonName. If empty, - // or if no matching chain is found, the first chain offered by the server - // will be used. - PreferredChains []string `json:"preferred_chains,omitempty"` + // Preferences for selecting alternate certificate chains, if offered + // by the CA. By default, the first offered chain will be selected. + // If configured, the chains may be sorted and the first matching chain + // will be selected. + PreferredChains *ChainPreference `json:"preferred_chains,omitempty"` rootPool *x509.CertPool template certmagic.ACMEManager @@ -163,7 +164,6 @@ func (iss *ACMEIssuer) makeIssuerTemplate() (certmagic.ACMEManager, error) { CertObtainTimeout: time.Duration(iss.ACMETimeout), TrustedRoots: iss.rootPool, ExternalAccount: iss.ExternalAccount, - PreferredChains: iss.PreferredChains, Logger: iss.logger, } @@ -182,6 +182,14 @@ func (iss *ACMEIssuer) makeIssuerTemplate() (certmagic.ACMEManager, error) { template.ListenHost = iss.Challenges.BindHost } + if iss.PreferredChains != nil { + template.PreferredChains = certmagic.ChainPreference{ + Smallest: iss.PreferredChains.Smallest, + AnyCommonName: iss.PreferredChains.AnyCommonName, + RootCommonName: iss.PreferredChains.RootCommonName, + } + } + return template, nil } @@ -407,6 +415,22 @@ func onDemandAskRequest(ask string, name string) error { return nil } +// ChainPreference describes the client's preferred certificate chain, +// useful if the CA offers alternate chains. The first matching chain +// will be selected. +type ChainPreference struct { + // Prefer chains with the fewest number of bytes. + Smallest *bool `json:"smallest,omitempty"` + + // Select first chain having a root with one of + // these common names. + RootCommonName []string `json:"root_common_name,omitempty"` + + // Select first chain that has any issuer with one + // of these common names. + AnyCommonName []string `json:"any_common_name,omitempty"` +} + // Interface guards var ( _ certmagic.PreChecker = (*ACMEIssuer)(nil) |