authorNWHirschfeld <nwhirschfeld@users.noreply.github.com>2020-06-05 20:19:36 +0200
committerGitHub <noreply@github.com>2020-06-05 12:19:36 -0600
commit1dfb11486eacc32af1003242023ddc4544823a31 (patch)
tree6aea6cb19fb6b9e87a8d35fb861c70205c57fd0c /modules/caddytls
parent11a132d48b574ef113e411aa22c0801a5a3190bd (diff)
httpcaddyfile: Add client_auth options to tls directive (#3335)
* reading client certificate config from Caddyfile Signed-off-by: NWHirschfeld <Niclas@NWHirschfeld.de> * Update caddyconfig/httpcaddyfile/builtins.go Co-authored-by: Francis Lavoie <lavofr@gmail.com> * added adapt test for parsing client certificate configuration from Caddyfile Signed-off-by: NWHirschfeld <Niclas@NWHirschfeld.de> * read client ca and leaf certificates from file https://github.com/caddyserver/caddy/pull/3335#discussion_r421633844 Signed-off-by: NWHirschfeld <Niclas@NWHirschfeld.de> * Update modules/caddytls/connpolicy.go * Make review adjustments Co-authored-by: Francis Lavoie <lavofr@gmail.com> Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
Diffstat (limited to 'modules/caddytls')
-rw-r--r--modules/caddytls/connpolicy.go8
1 files changed, 1 insertions, 7 deletions
diff --git a/modules/caddytls/connpolicy.go b/modules/caddytls/connpolicy.go
index 3a18061..fec1fe2 100644
--- a/modules/caddytls/connpolicy.go
+++ b/modules/caddytls/connpolicy.go
@@ -334,7 +334,7 @@ func (clientauth *ClientAuthentication) ConfigureTLSConfig(cfg *tls.Config) erro
case "require_and_verify":
cfg.ClientAuth = tls.RequireAndVerifyClientCert
default:
- return fmt.Errorf("client auth mode %s not allowed", clientauth.Mode)
+ return fmt.Errorf("client auth mode not recognized: %s", clientauth.Mode)
}
} else {
// otherwise, set a safe default mode
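Review bot: The reworded error on the `default` arm should quote the mode with `%q` rather than `%s`, so an empty or whitespace-only value coming from the Caddyfile shows up as `""` instead of a trailing blank: `return fmt.Errorf("client auth mode not recognized: %q", clientauth.Mode)`. Separately, the `require_and_verify` arm sets `tls.RequireAndVerifyClientCert`, which makes crypto/tls validate the client chain against `cfg.ClientCAs`; if that pool is left nil (the trusted-CA handling is not in this hunk), verification falls back to the host's system roots, so it is worth confirming that this mode is rejected or warned about when no CA is configured. `ConfigureTLSConfig` starts before and continues past this hunk.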
@@ -361,7 +361,6 @@ func (clientauth *ClientAuthentication) ConfigureTLSConfig(cfg *tls.Config) erro
// enforce leaf verification by writing our own verify function
if len(clientauth.TrustedLeafCerts) > 0 {
clientauth.trustedLeafCerts = []*x509.Certificate{}
-
for _, clientCertString := range clientauth.TrustedLeafCerts {
clientCert, err := decodeBase64DERCert(clientCertString)
if err != nil {
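Review bot: The comment `// enforce leaf verification by writing our own verify function` understates what the installed callback is responsible for: `tls.Config.VerifyPeerCertificate` runs after the built-in chain check only for `VerifyClientCertIfGiven` and `RequireAndVerifyClientCert`; with `request` or `require_any` it is invoked with a nil `verifiedChains`, and with `request` it can be invoked with no certificates at all, so the pinned-leaf comparison is the only check those modes get. Suggest expanding the comment to say that the leaf allow-list is enforced independently of `Mode` and that `verifyPeerCertificate` must itself handle an empty `rawCerts`. As a minor style point, `clientauth.trustedLeafCerts = []*x509.Certificate{}` could be `make([]*x509.Certificate, 0, len(clientauth.TrustedLeafCerts))` since the final length is known. The body of `verifyPeerCertificate` is outside this hunk, so whether it already handles the empty case cannot be confirmed here.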
@@ -369,10 +368,8 @@ func (clientauth *ClientAuthentication) ConfigureTLSConfig(cfg *tls.Config) erro
}
clientauth.trustedLeafCerts = append(clientauth.trustedLeafCerts, clientCert)
}
-
// if a custom verification function already exists, wrap it
clientauth.existingVerifyPeerCert = cfg.VerifyPeerCertificate
-
cfg.VerifyPeerCertificate = clientauth.verifyPeerCertificate
}
@@ -411,13 +408,10 @@ func (clientauth ClientAuthentication) verifyPeerCertificate(rawCerts [][]byte,
// decodeBase64DERCert base64-decodes, then DER-decodes, certStr.
func decodeBase64DERCert(certStr string) (*x509.Certificate, error) {
- // decode base64
derBytes, err := base64.StdEncoding.DecodeString(certStr)
if err != nil {
return nil, err
}
-
- // parse the DER-encoded certificate
return x509.ParseCertificate(derBytes)
}