authorMatthew Holt <mholt@users.noreply.github.com>2019-08-09 12:05:47 -0600
committerMatthew Holt <mholt@users.noreply.github.com>2019-08-09 12:05:47 -0600
commitab885f07b844fd60adb9d49ed7884f3cd2d939a7 (patch)
tree8827ad88cf3da8982154e2fda46f53274342785d /modules/caddytls
parent4950ce485f7d931890fcfd2ee287b6df1b5db435 (diff)
Implement config adapters and beginning of Caddyfile adapter
Along with several other changes, such as renaming caddyhttp.ServerRoute to caddyhttp.Route, exporting some types that were not exported before, and tweaking the caddytls TLS values to be more consistent. Notably, we also now disable automatic cert management for names which already have a cert (manually) loaded into the cache. These names no longer need to be specified in the "skip_certificates" field of the automatic HTTPS config, because they will be skipped automatically.
Diffstat (limited to 'modules/caddytls')
-rw-r--r--modules/caddytls/connpolicy.go8
-rw-r--r--modules/caddytls/fileloader.go10
-rw-r--r--modules/caddytls/folderloader.go10
-rw-r--r--modules/caddytls/sessiontickets.go2
-rw-r--r--modules/caddytls/tls.go27
-rw-r--r--modules/caddytls/values.go36
6 files changed, 53 insertions, 40 deletions
diff --git a/modules/caddytls/connpolicy.go b/modules/caddytls/connpolicy.go
index 8cb6ffe..e061281 100644
--- a/modules/caddytls/connpolicy.go
+++ b/modules/caddytls/connpolicy.go
@@ -172,7 +172,7 @@ func (p *ConnectionPolicy) buildStandardTLSConfig(ctx caddy.Context) error {
// add all the cipher suites in order, without duplicates
cipherSuitesAdded := make(map[uint16]struct{})
for _, csName := range p.CipherSuites {
- csID := supportedCipherSuites[csName]
+ csID := SupportedCipherSuites[csName]
if _, ok := cipherSuitesAdded[csID]; !ok {
cipherSuitesAdded[csID] = struct{}{}
cfg.CipherSuites = append(cfg.CipherSuites, csID)
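Review bot: The renamed lookup `csID := SupportedCipherSuites[csName]` discards the map's `ok` result, so a cipher suite name that is not in the map yields ID 0, which then passes the dedup check and is appended to `cfg.CipherSuites` as though it were a real suite; a misspelled or stale name never surfaces as a configuration error. Since this is the operator's explicit allow-list, an unknown name should fail provisioning: `csID, ok := SupportedCipherSuites[csName]; if !ok { return fmt.Errorf("unsupported cipher suite: %s", csName) }` before the dedup check. The curve lookup in the following hunk has the same shape and deserves the same guard. buildStandardTLSConfig starts before this hunk.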
@@ -182,7 +182,7 @@ func (p *ConnectionPolicy) buildStandardTLSConfig(ctx caddy.Context) error {
// add all the curve preferences in order, without duplicates
curvesAdded := make(map[tls.CurveID]struct{})
for _, curveName := range p.Curves {
- curveID := supportedCurves[curveName]
+ curveID := SupportedCurves[curveName]
if _, ok := curvesAdded[curveID]; !ok {
curvesAdded[curveID] = struct{}{}
cfg.CurvePreferences = append(cfg.CurvePreferences, curveID)
@@ -203,10 +203,10 @@ func (p *ConnectionPolicy) buildStandardTLSConfig(ctx caddy.Context) error {
// min and max protocol versions
if p.ProtocolMin != "" {
- cfg.MinVersion = supportedProtocols[p.ProtocolMin]
+ cfg.MinVersion = SupportedProtocols[p.ProtocolMin]
}
if p.ProtocolMax != "" {
- cfg.MaxVersion = supportedProtocols[p.ProtocolMax]
+ cfg.MaxVersion = SupportedProtocols[p.ProtocolMax]
}
if p.ProtocolMin > p.ProtocolMax {
return fmt.Errorf("protocol min (%x) cannot be greater than protocol max (%x)", p.ProtocolMin, p.ProtocolMax)
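Review bot: `cfg.MinVersion = SupportedProtocols[p.ProtocolMin]` ignores the lookup's `ok` result, so an unrecognized `protocol_min` silently sets `MinVersion` to 0 and hands the floor back to crypto/tls's default, which is lower than what the operator wrote, and a failed `protocol_max` lookup likewise drops the ceiling. Because these values are a security floor, an unknown name should be a provisioning error, e.g. `v, ok := SupportedProtocols[p.ProtocolMin]; if !ok { return fmt.Errorf("unsupported protocol_min %q", p.ProtocolMin) }`, with the same treatment for max. The pre-existing sanity check on the context line below compares the raw strings and prints them with `%x`, so it also passes for unknown names; comparing the looked-up uint16 values and printing the names with `%q` would be stricter and more readable. buildStandardTLSConfig continues beyond the hunk.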
diff --git a/modules/caddytls/fileloader.go b/modules/caddytls/fileloader.go
index 5f277c8..7a0d14d 100644
--- a/modules/caddytls/fileloader.go
+++ b/modules/caddytls/fileloader.go
@@ -25,12 +25,12 @@ import (
func init() {
caddy.RegisterModule(caddy.Module{
Name: "tls.certificates.load_files",
- New: func() interface{} { return fileLoader{} },
+ New: func() interface{} { return FileLoader{} },
})
}
-// fileLoader loads certificates and their associated keys from disk.
-type fileLoader []CertKeyFilePair
+// FileLoader loads certificates and their associated keys from disk.
+type FileLoader []CertKeyFilePair
// CertKeyFilePair pairs certificate and key file names along with their
// encoding format so that they can be loaded from disk.
@@ -42,7 +42,7 @@ type CertKeyFilePair struct {
}
// LoadCertificates returns the certificates to be loaded by fl.
-func (fl fileLoader) LoadCertificates() ([]Certificate, error) {
+func (fl FileLoader) LoadCertificates() ([]Certificate, error) {
var certs []Certificate
for _, pair := range fl {
certData, err := ioutil.ReadFile(pair.Certificate)
@@ -73,4 +73,4 @@ func (fl fileLoader) LoadCertificates() ([]Certificate, error) {
}
// Interface guard
-var _ CertificateLoader = (fileLoader)(nil)
+var _ CertificateLoader = (FileLoader)(nil)
diff --git a/modules/caddytls/folderloader.go b/modules/caddytls/folderloader.go
index 24a7fbb..ae7f056 100644
--- a/modules/caddytls/folderloader.go
+++ b/modules/caddytls/folderloader.go
@@ -30,20 +30,20 @@ import (
func init() {
caddy.RegisterModule(caddy.Module{
Name: "tls.certificates.load_folders",
- New: func() interface{} { return folderLoader{} },
+ New: func() interface{} { return FolderLoader{} },
})
}
-// folderLoader loads certificates and their associated keys from disk
+// FolderLoader loads certificates and their associated keys from disk
// by recursively walking the specified directories, looking for PEM
// files which contain both a certificate and a key.
-type folderLoader []string
+type FolderLoader []string
// LoadCertificates loads all the certificates+keys in the directories
// listed in fl from all files ending with .pem. This method of loading
// certificates expects the certificate and key to be bundled into the
// same file.
-func (fl folderLoader) LoadCertificates() ([]Certificate, error) {
+func (fl FolderLoader) LoadCertificates() ([]Certificate, error) {
var certs []Certificate
for _, dir := range fl {
err := filepath.Walk(dir, func(fpath string, info os.FileInfo, err error) error {
@@ -135,4 +135,4 @@ func x509CertFromCertAndKeyPEMFile(fpath string) (tls.Certificate, error) {
return cert, nil
}
-var _ CertificateLoader = (folderLoader)(nil)
+var _ CertificateLoader = (FolderLoader)(nil)
diff --git a/modules/caddytls/sessiontickets.go b/modules/caddytls/sessiontickets.go
index c47f823..2eb0773 100644
--- a/modules/caddytls/sessiontickets.go
+++ b/modules/caddytls/sessiontickets.go
@@ -29,7 +29,7 @@ import (
// SessionTicketService configures and manages TLS session tickets.
type SessionTicketService struct {
KeySource json.RawMessage `json:"key_source,omitempty"`
- RotationInterval caddy.Duration `json:"rotation_interval,omitempty"`
+ RotationInterval caddy.Duration `json:"rotation_interval,omitempty"`
MaxKeys int `json:"max_keys,omitempty"`
DisableRotation bool `json:"disable_rotation,omitempty"`
Disabled bool `json:"disabled,omitempty"`
diff --git a/modules/caddytls/tls.go b/modules/caddytls/tls.go
index e70fbd1..ec16995 100644
--- a/modules/caddytls/tls.go
+++ b/modules/caddytls/tls.go
@@ -45,8 +45,8 @@ func init() {
// TLS represents a process-wide TLS configuration.
type TLS struct {
Certificates map[string]json.RawMessage `json:"certificates,omitempty"`
- Automation AutomationConfig `json:"automation,omitempty"`
- SessionTickets SessionTicketService `json:"session_tickets,omitempty"`
+ Automation AutomationConfig `json:"automation"`
+ SessionTickets SessionTicketService `json:"session_tickets"`
certificateLoaders []CertificateLoader
certCache *certmagic.Cache
@@ -105,16 +105,12 @@ func (t *TLS) Provision(ctx caddy.Context) error {
onDemandRateLimiter.SetLimit(0)
}
- return nil
-}
-
-// Start activates the TLS module.
-func (t *TLS) Start() error {
+ // load manual/static (unmanaged) certificates - we do this in
+ // provision so that other apps (such as http) can know which
+ // certificates have been manually loaded
magic := certmagic.New(t.certCache, certmagic.Config{
- Storage: t.ctx.Storage(),
+ Storage: ctx.Storage(),
})
-
- // load manual/static (unmanaged) certificates
for _, loader := range t.certificateLoaders {
certs, err := loader.LoadCertificates()
if err != nil {
@@ -128,6 +124,11 @@ func (t *TLS) Start() error {
}
}
+ return nil
+}
+
+// Start activates the TLS module.
+func (t *TLS) Start() error {
// load automated (managed) certificates
if automatedRawMsg, ok := t.Certificates[automateKey]; ok {
var names []string
@@ -204,6 +205,12 @@ func (t *TLS) getAutomationPolicyForName(name string) AutomationPolicy {
return AutomationPolicy{Management: mgmt}
}
+// CertificatesWithSAN returns the list of all certificates
+// in the cache the match the given SAN value.
+func (t *TLS) CertificatesWithSAN(san string) []certmagic.Certificate {
+ return t.certCache.CertificatesWithSAN(san)
+}
+
// CertificateLoader is a type that can load certificates.
// Certificates can optionally be associated with tags.
type CertificateLoader interface {
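Review bot: The doc comment on the new `CertificatesWithSAN` reads "the match the given SAN value"; it should be "that match". Since, per the commit message, this accessor is what other apps use to decide which names already have a manually loaded certificate and should be skipped by automation, the comment should also make clear that it reports cache contents only, e.g. `// CertificatesWithSAN returns all certificates currently in the cache that match the given SAN value.` If `certmagic.Cache.CertificatesWithSAN` does not filter by validity period, which cannot be confirmed from this hunk, an expired manually loaded certificate would still suppress automatic management for its names, and that caveat (or a `NotAfter` check in the caller) is worth documenting here.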
diff --git a/modules/caddytls/values.go b/modules/caddytls/values.go
index 0c62058..b10fe22 100644
--- a/modules/caddytls/values.go
+++ b/modules/caddytls/values.go
@@ -22,12 +22,16 @@ import (
"github.com/klauspost/cpuid"
)
-// supportedCipherSuites is the unordered map of cipher suite
+// SupportedCipherSuites is the unordered map of cipher suite
// string names to their definition in crypto/tls. All values
// should be IANA-reserved names. See
// https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml
+// Two of the cipher suite constants in the standard lib do not use the
+// full IANA name, but we do; see:
+// https://github.com/golang/go/issues/32061 and
+// https://github.com/golang/go/issues/30325#issuecomment-512862374.
// TODO: might not be needed much longer: https://github.com/golang/go/issues/30325
-var supportedCipherSuites = map[string]uint16{
+var SupportedCipherSuites = map[string]uint16{
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
@@ -84,22 +88,24 @@ func getOptimalDefaultCipherSuites() []uint16 {
return defaultCipherSuitesWithoutAESNI
}
-// supportedCurves is the unordered map of supported curves.
+// SupportedCurves is the unordered map of supported curves.
// https://golang.org/pkg/crypto/tls/#CurveID
-var supportedCurves = map[string]tls.CurveID{
- "X25519": tls.X25519,
- "P256": tls.CurveP256,
- "P384": tls.CurveP384,
- "P521": tls.CurveP521,
+var SupportedCurves = map[string]tls.CurveID{
+ // TODO: Use IANA names, probably? see https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8
+ // All named crypto/elliptic curves have secpXXXr1 IANA names.
+ "x25519": tls.X25519, // x25519, 29
+ "p256": tls.CurveP256, // secp256r1, 23
+ "p384": tls.CurveP384, // secp384r1, 24
+ "p521": tls.CurveP521, // secp521r1, 25
}
// supportedCertKeyTypes is all the key types that are supported
// for certificates that are obtained through ACME.
var supportedCertKeyTypes = map[string]certcrypto.KeyType{
- "RSA2048": certcrypto.RSA2048,
- "RSA4096": certcrypto.RSA4096,
- "P256": certcrypto.EC256,
- "P384": certcrypto.EC384,
+ "rsa_2048": certcrypto.RSA2048,
+ "rsa_4096": certcrypto.RSA4096,
+ "ec_p256": certcrypto.EC256,
+ "ec_p384": certcrypto.EC384,
}
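Review bot: Renaming the keys to `x25519`/`p256` and `rsa_2048`/`ec_p256` breaks any existing config that used the previous `X25519`/`P256`/`RSA2048` spellings, and because the curve lookup in connpolicy.go elsewhere in this diff does not check the map's `ok` result, such a config would not fail but would silently yield CurveID 0. Either normalize the name with `strings.ToLower` at the lookup site or, better, reject unknown names with an error, and call out the rename in the commit message so operators know to update their `curves` and key-type values. The lookup for `supportedCertKeyTypes` is not in this diff, so whether it validates unknown names cannot be confirmed from here.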
// defaultCurves is the list of only the curves we want to use
@@ -115,9 +121,9 @@ var defaultCurves = []tls.CurveID{
tls.CurveP256,
}
-// supportedProtocols is a map of supported protocols.
-// HTTP/2 only supports TLS 1.2 and higher.
-var supportedProtocols = map[string]uint16{
+// SupportedProtocols is a map of supported protocols.
+// Note that HTTP/2 only supports TLS 1.2 and higher.
+var SupportedProtocols = map[string]uint16{
"tls1.0": tls.VersionTLS10,
"tls1.1": tls.VersionTLS11,
"tls1.2": tls.VersionTLS12,