author | Matthew Holt <mholt@users.noreply.github.com> | 2019-06-26 16:03:29 -0600 |
---|---|---|
committer | Matthew Holt <mholt@users.noreply.github.com> | 2019-06-26 16:03:29 -0600 |
commit | 2b22d2e6ea7ffd17ae769bd8a2adae60e5a7d0bf (patch) | |
tree | 941d6117b28b18cd25556d5a272b1e32c2abdc5f /modules/caddytls | |
parent | a524bcfe78e8067b8224b1794c6842d9c2c7e8cf (diff) |
Optionally enforce strict TLS SNI + HTTP Host matching, & misc. cleanup
We should look into a way to enable this by default when TLS client auth
is configured for a server.
Diffstat (limited to 'modules/caddytls')
-rw-r--r-- | modules/caddytls/tls.go | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/modules/caddytls/tls.go b/modules/caddytls/tls.go
index 7f5b1e9..7b8e420 100644
--- a/modules/caddytls/tls.go
+++ b/modules/caddytls/tls.go
@@ -88,15 +88,16 @@ func (t *TLS) Provision(ctx caddy.Context) error {
 // Start activates the TLS module.
 func (t *TLS) Start() error {
+	magic := certmagic.New(t.certCache, certmagic.Config{
+		Storage: t.ctx.Storage(),
+	})
+
 	// load manual/static (unmanaged) certificates
 	for _, loader := range t.certificateLoaders {
 		certs, err := loader.LoadCertificates()
 		if err != nil {
 			return fmt.Errorf("loading certificates: %v", err)
 		}
-		magic := certmagic.New(t.certCache, certmagic.Config{
-			Storage: t.ctx.Storage(),
-		})
 		for _, cert := range certs {
 			err := magic.CacheUnmanagedTLSCertificate(cert.Certificate, cert.Tags)
 			if err != nil { |