summaryrefslogtreecommitdiff
path: root/modules
diff options
context:
space:
mode:
authorNWHirschfeld <nwhirschfeld@users.noreply.github.com>2020-06-05 20:19:36 +0200
committerGitHub <noreply@github.com>2020-06-05 12:19:36 -0600
commit1dfb11486eacc32af1003242023ddc4544823a31 (patch)
tree6aea6cb19fb6b9e87a8d35fb861c70205c57fd0c /modules
parent11a132d48b574ef113e411aa22c0801a5a3190bd (diff)
httpcaddyfile: Add client_auth options to tls directive (#3335)
* reading client certificate config from Caddyfile Signed-off-by: NWHirschfeld <Niclas@NWHirschfeld.de> * Update caddyconfig/httpcaddyfile/builtins.go Co-authored-by: Francis Lavoie <lavofr@gmail.com> * added adapt test for parsing client certificate configuration from Caddyfile Signed-off-by: NWHirschfeld <Niclas@NWHirschfeld.de> * read client ca and leaf certificates from file https://github.com/caddyserver/caddy/pull/3335#discussion_r421633844 Signed-off-by: NWHirschfeld <Niclas@NWHirschfeld.de> * Update modules/caddytls/connpolicy.go * Make review adjustments Co-authored-by: Francis Lavoie <lavofr@gmail.com> Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
Diffstat (limited to 'modules')
-rw-r--r--modules/caddytls/connpolicy.go8
1 files changed, 1 insertions, 7 deletions
diff --git a/modules/caddytls/connpolicy.go b/modules/caddytls/connpolicy.go
index 3a18061..fec1fe2 100644
--- a/modules/caddytls/connpolicy.go
+++ b/modules/caddytls/connpolicy.go
@@ -334,7 +334,7 @@ func (clientauth *ClientAuthentication) ConfigureTLSConfig(cfg *tls.Config) erro
case "require_and_verify":
cfg.ClientAuth = tls.RequireAndVerifyClientCert
default:
- return fmt.Errorf("client auth mode %s not allowed", clientauth.Mode)
+ return fmt.Errorf("client auth mode not recognized: %s", clientauth.Mode)
}
} else {
// otherwise, set a safe default mode
@@ -361,7 +361,6 @@ func (clientauth *ClientAuthentication) ConfigureTLSConfig(cfg *tls.Config) erro
// enforce leaf verification by writing our own verify function
if len(clientauth.TrustedLeafCerts) > 0 {
clientauth.trustedLeafCerts = []*x509.Certificate{}
-
for _, clientCertString := range clientauth.TrustedLeafCerts {
clientCert, err := decodeBase64DERCert(clientCertString)
if err != nil {
@@ -369,10 +368,8 @@ func (clientauth *ClientAuthentication) ConfigureTLSConfig(cfg *tls.Config) erro
}
clientauth.trustedLeafCerts = append(clientauth.trustedLeafCerts, clientCert)
}
-
// if a custom verification function already exists, wrap it
clientauth.existingVerifyPeerCert = cfg.VerifyPeerCertificate
-
cfg.VerifyPeerCertificate = clientauth.verifyPeerCertificate
}
@@ -411,13 +408,10 @@ func (clientauth ClientAuthentication) verifyPeerCertificate(rawCerts [][]byte,
// decodeBase64DERCert base64-decodes, then DER-decodes, certStr.
func decodeBase64DERCert(certStr string) (*x509.Certificate, error) {
- // decode base64
derBytes, err := base64.StdEncoding.DecodeString(certStr)
if err != nil {
return nil, err
}
-
- // parse the DER-encoded certificate
return x509.ParseCertificate(derBytes)
}