authorMatthew Holt <mholt@users.noreply.github.com>2019-06-26 16:03:29 -0600
committerMatthew Holt <mholt@users.noreply.github.com>2019-06-26 16:03:29 -0600
commit2b22d2e6ea7ffd17ae769bd8a2adae60e5a7d0bf (patch)
tree941d6117b28b18cd25556d5a272b1e32c2abdc5f /modules/caddytls
parenta524bcfe78e8067b8224b1794c6842d9c2c7e8cf (diff)
Optionally enforce strict TLS SNI + HTTP Host matching, & misc. cleanup
We should look into a way to enable this by default when TLS client auth is configured for a server
Diffstat (limited to 'modules/caddytls')
-rw-r--r--modules/caddytls/tls.go7
1 files changed, 4 insertions, 3 deletions
diff --git a/modules/caddytls/tls.go b/modules/caddytls/tls.go
index 7f5b1e9..7b8e420 100644
--- a/modules/caddytls/tls.go
+++ b/modules/caddytls/tls.go
@@ -88,15 +88,16 @@ func (t *TLS) Provision(ctx caddy.Context) error {
// Start activates the TLS module.
func (t *TLS) Start() error {
+ magic := certmagic.New(t.certCache, certmagic.Config{
+ Storage: t.ctx.Storage(),
+ })
+
// load manual/static (unmanaged) certificates
for _, loader := range t.certificateLoaders {
certs, err := loader.LoadCertificates()
if err != nil {
return fmt.Errorf("loading certificates: %v", err)
}
- magic := certmagic.New(t.certCache, certmagic.Config{
- Storage: t.ctx.Storage(),
- })
for _, cert := range certs {
err := magic.CacheUnmanagedTLSCertificate(cert.Certificate, cert.Tags)
if err != nil {
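Review bot: The hoisted `magic` at the top of Start carries no comment saying why one config is shared by all loaders, and it is now constructed even when `t.certificateLoaders` is empty. I would put `// a single certmagic config over the shared cache and storage serves every loader below` above the `certmagic.New` call. Moving the declaration out of the loop also widens its scope to the rest of Start, whose body continues past this hunk, so it is worth confirming that no later `magic :=` in the function shadows it. Whether a config that sets only `Storage` is also suitable for anything beyond caching unmanaged certificates cannot be judged from these lines.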