| author | Matthew Holt <mholt@users.noreply.github.com> | 2019-06-26 16:03:29 -0600 | 
|---|---|---|
| committer | Matthew Holt <mholt@users.noreply.github.com> | 2019-06-26 16:03:29 -0600 | 
| commit | 2b22d2e6ea7ffd17ae769bd8a2adae60e5a7d0bf (patch) | |
| tree | 941d6117b28b18cd25556d5a272b1e32c2abdc5f /modules/caddytls | |
| parent | a524bcfe78e8067b8224b1794c6842d9c2c7e8cf (diff) | |
Optionally enforce strict TLS SNI + HTTP Host matching, & misc. cleanup
We should look into a way to enable this by default when TLS client auth
is configured for a server.
Diffstat (limited to 'modules/caddytls')
| -rw-r--r-- | modules/caddytls/tls.go | 7 | 
1 files changed, 4 insertions, 3 deletions
| diff --git a/modules/caddytls/tls.go b/modules/caddytls/tls.go
index 7f5b1e9..7b8e420 100644
--- a/modules/caddytls/tls.go
+++ b/modules/caddytls/tls.go
@@ -88,15 +88,16 @@ func (t *TLS) Provision(ctx caddy.Context) error {
 // Start activates the TLS module.
 func (t *TLS) Start() error {
+	magic := certmagic.New(t.certCache, certmagic.Config{
+		Storage: t.ctx.Storage(),
+	})
+
 	// load manual/static (unmanaged) certificates
 	for _, loader := range t.certificateLoaders {
 		certs, err := loader.LoadCertificates()
 		if err != nil {
 			return fmt.Errorf("loading certificates: %v", err)
 		}
-		magic := certmagic.New(t.certCache, certmagic.Config{
-			Storage: t.ctx.Storage(),
-		})
 		for _, cert := range certs {
 			err := magic.CacheUnmanagedTLSCertificate(cert.Certificate, cert.Tags)
 			if err != nil { | 
