6 files changed, 53 insertions, 40 deletions
diff --git a/modules/caddytls/connpolicy.go b/modules/caddytls/connpolicy.go
index 8cb6ffe..e061281 100644
--- a/modules/caddytls/connpolicy.go
+++ b/modules/caddytls/connpolicy.go
@@ -172,7 +172,7 @@ func (p *ConnectionPolicy) buildStandardTLSConfig(ctx caddy.Context) error {
 	// add all the cipher suites in order, without duplicates
 	cipherSuitesAdded := make(map[uint16]struct{})
 	for _, csName := range p.CipherSuites {
-		csID := supportedCipherSuites[csName]
+		csID := SupportedCipherSuites[csName]
 		if _, ok := cipherSuitesAdded[csID]; !ok {
 			cipherSuitesAdded[csID] = struct{}{}
 			cfg.CipherSuites = append(cfg.CipherSuites, csID)
@@ -182,7 +182,7 @@ func (p *ConnectionPolicy) buildStandardTLSConfig(ctx caddy.Context) error {
 	// add all the curve preferences in order, without duplicates
 	curvesAdded := make(map[tls.CurveID]struct{})
 	for _, curveName := range p.Curves {
-		curveID := supportedCurves[curveName]
+		curveID := SupportedCurves[curveName]
 		if _, ok := curvesAdded[curveID]; !ok {
 			curvesAdded[curveID] = struct{}{}
 			cfg.CurvePreferences = append(cfg.CurvePreferences, curveID)
@@ -203,10 +203,10 @@ func (p *ConnectionPolicy) buildStandardTLSConfig(ctx caddy.Context) error {
 
 	// min and max protocol versions
 	if p.ProtocolMin != "" {
-		cfg.MinVersion = supportedProtocols[p.ProtocolMin]
+		cfg.MinVersion = SupportedProtocols[p.ProtocolMin]
 	}
 	if p.ProtocolMax != "" {
-		cfg.MaxVersion = supportedProtocols[p.ProtocolMax]
+		cfg.MaxVersion = SupportedProtocols[p.ProtocolMax]
 	}
 	if p.ProtocolMin > p.ProtocolMax {
 		return fmt.Errorf("protocol min (%x) cannot be greater than protocol max (%x)", p.ProtocolMin, p.ProtocolMax)
diff --git a/modules/caddytls/fileloader.go b/modules/caddytls/fileloader.go
index 5f277c8..7a0d14d 100644
--- a/modules/caddytls/fileloader.go
+++ b/modules/caddytls/fileloader.go
@@ -25,12 +25,12 @@ import (
 func init() {
 	caddy.RegisterModule(caddy.Module{
 		Name: "tls.certificates.load_files",
-		New:  func() interface{} { return fileLoader{} },
+		New:  func() interface{} { return FileLoader{} },
 	})
 }
 
-// fileLoader loads certificates and their associated keys from disk.
-type fileLoader []CertKeyFilePair
+// FileLoader loads certificates and their associated keys from disk.
+type FileLoader []CertKeyFilePair
 
 // CertKeyFilePair pairs certificate and key file names along with their
 // encoding format so that they can be loaded from disk.
@@ -42,7 +42,7 @@ type CertKeyFilePair struct {
 }
 
 // LoadCertificates returns the certificates to be loaded by fl.
-func (fl fileLoader) LoadCertificates() ([]Certificate, error) {
+func (fl FileLoader) LoadCertificates() ([]Certificate, error) {
 	var certs []Certificate
 	for _, pair := range fl {
 		certData, err := ioutil.ReadFile(pair.Certificate)
@@ -73,4 +73,4 @@ func (fl fileLoader) LoadCertificates() ([]Certificate, error) {
 }
 
 // Interface guard
-var _ CertificateLoader = (fileLoader)(nil)
+var _ CertificateLoader = (FileLoader)(nil)
diff --git a/modules/caddytls/folderloader.go b/modules/caddytls/folderloader.go
index 24a7fbb..ae7f056 100644
--- a/modules/caddytls/folderloader.go
+++ b/modules/caddytls/folderloader.go
@@ -30,20 +30,20 @@ import (
 func init() {
 	caddy.RegisterModule(caddy.Module{
 		Name: "tls.certificates.load_folders",
-		New:  func() interface{} { return folderLoader{} },
+		New:  func() interface{} { return FolderLoader{} },
 	})
 }
 
-// folderLoader loads certificates and their associated keys from disk
+// FolderLoader loads certificates and their associated keys from disk
 // by recursively walking the specified directories, looking for PEM
 // files which contain both a certificate and a key.
-type folderLoader []string
+type FolderLoader []string
 
 // LoadCertificates loads all the certificates+keys in the directories
 // listed in fl from all files ending with .pem. This method of loading
 // certificates expects the certificate and key to be bundled into the
 // same file.
-func (fl folderLoader) LoadCertificates() ([]Certificate, error) {
+func (fl FolderLoader) LoadCertificates() ([]Certificate, error) {
 	var certs []Certificate
 	for _, dir := range fl {
 		err := filepath.Walk(dir, func(fpath string, info os.FileInfo, err error) error {
@@ -135,4 +135,4 @@ func x509CertFromCertAndKeyPEMFile(fpath string) (tls.Certificate, error) {
 	return cert, nil
 }
 
-var _ CertificateLoader = (folderLoader)(nil)
+var _ CertificateLoader = (FolderLoader)(nil)
diff --git a/modules/caddytls/sessiontickets.go b/modules/caddytls/sessiontickets.go
index c47f823..2eb0773 100644
--- a/modules/caddytls/sessiontickets.go
+++ b/modules/caddytls/sessiontickets.go
@@ -29,7 +29,7 @@ import (
 // SessionTicketService configures and manages TLS session tickets.
 type SessionTicketService struct {
 	KeySource        json.RawMessage `json:"key_source,omitempty"`
-	RotationInterval caddy.Duration `json:"rotation_interval,omitempty"`
+	RotationInterval caddy.Duration  `json:"rotation_interval,omitempty"`
 	MaxKeys          int             `json:"max_keys,omitempty"`
 	DisableRotation  bool            `json:"disable_rotation,omitempty"`
 	Disabled         bool            `json:"disabled,omitempty"`
diff --git a/modules/caddytls/tls.go b/modules/caddytls/tls.go
index e70fbd1..ec16995 100644
--- a/modules/caddytls/tls.go
+++ b/modules/caddytls/tls.go
@@ -45,8 +45,8 @@ func init() {
 // TLS represents a process-wide TLS configuration.
 type TLS struct {
 	Certificates   map[string]json.RawMessage `json:"certificates,omitempty"`
-	Automation     AutomationConfig           `json:"automation,omitempty"`
-	SessionTickets SessionTicketService       `json:"session_tickets,omitempty"`
+	Automation     AutomationConfig           `json:"automation"`
+	SessionTickets SessionTicketService       `json:"session_tickets"`
 
 	certificateLoaders []CertificateLoader
 	certCache          *certmagic.Cache
@@ -105,16 +105,12 @@ func (t *TLS) Provision(ctx caddy.Context) error {
 		onDemandRateLimiter.SetLimit(0)
 	}
 
-	return nil
-}
-
-// Start activates the TLS module.
-func (t *TLS) Start() error {
+	// load manual/static (unmanaged) certificates - we do this in
+	// provision so that other apps (such as http) can know which
+	// certificates have been manually loaded
 	magic := certmagic.New(t.certCache, certmagic.Config{
-		Storage: t.ctx.Storage(),
+		Storage: ctx.Storage(),
 	})
-
-	// load manual/static (unmanaged) certificates
 	for _, loader := range t.certificateLoaders {
 		certs, err := loader.LoadCertificates()
 		if err != nil {
@@ -128,6 +124,11 @@ func (t *TLS) Start() error {
 		}
 	}
 
+	return nil
+}
+
+// Start activates the TLS module.
+func (t *TLS) Start() error {
 	// load automated (managed) certificates
 	if automatedRawMsg, ok := t.Certificates[automateKey]; ok {
 		var names []string
@@ -204,6 +205,12 @@ func (t *TLS) getAutomationPolicyForName(name string) AutomationPolicy {
 	return AutomationPolicy{Management: mgmt}
 }
 
+// CertificatesWithSAN returns the list of all certificates
+// in the cache the match the given SAN value.
+func (t *TLS) CertificatesWithSAN(san string) []certmagic.Certificate {
+	return t.certCache.CertificatesWithSAN(san)
+}
+
 // CertificateLoader is a type that can load certificates.
 // Certificates can optionally be associated with tags.
 type CertificateLoader interface {
diff --git a/modules/caddytls/values.go b/modules/caddytls/values.go
index 0c62058..b10fe22 100644
--- a/modules/caddytls/values.go
+++ b/modules/caddytls/values.go
@@ -22,12 +22,16 @@ import (
 	"github.com/klauspost/cpuid"
 )
 
-// supportedCipherSuites is the unordered map of cipher suite
+// SupportedCipherSuites is the unordered map of cipher suite
 // string names to their definition in crypto/tls. All values
 // should be IANA-reserved names. See
 // https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml
+// Two of the cipher suite constants in the standard lib do not use the
+// full IANA name, but we do; see:
+// https://github.com/golang/go/issues/32061 and
+// https://github.com/golang/go/issues/30325#issuecomment-512862374.
 // TODO: might not be needed much longer: https://github.com/golang/go/issues/30325
-var supportedCipherSuites = map[string]uint16{
+var SupportedCipherSuites = map[string]uint16{
 	"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384":       tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
 	"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384":         tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
 	"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256":       tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
@@ -84,22 +88,24 @@ func getOptimalDefaultCipherSuites() []uint16 {
 	return defaultCipherSuitesWithoutAESNI
 }
 
-// supportedCurves is the unordered map of supported curves.
+// SupportedCurves is the unordered map of supported curves.
 // https://golang.org/pkg/crypto/tls/#CurveID
-var supportedCurves = map[string]tls.CurveID{
-	"X25519": tls.X25519,
-	"P256":   tls.CurveP256,
-	"P384":   tls.CurveP384,
-	"P521":   tls.CurveP521,
+var SupportedCurves = map[string]tls.CurveID{
+	// TODO: Use IANA names, probably? see https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8
+	// All named crypto/elliptic curves have secpXXXr1 IANA names.
+	"x25519": tls.X25519,    // x25519, 29
+	"p256":   tls.CurveP256, // secp256r1, 23
+	"p384":   tls.CurveP384, // secp384r1, 24
+	"p521":   tls.CurveP521, // secp521r1, 25
 }
 
 // supportedCertKeyTypes is all the key types that are supported
 // for certificates that are obtained through ACME.
 var supportedCertKeyTypes = map[string]certcrypto.KeyType{
-	"RSA2048": certcrypto.RSA2048,
-	"RSA4096": certcrypto.RSA4096,
-	"P256":    certcrypto.EC256,
-	"P384":    certcrypto.EC384,
+	"rsa_2048": certcrypto.RSA2048,
+	"rsa_4096": certcrypto.RSA4096,
+	"ec_p256":  certcrypto.EC256,
+	"ec_p384":  certcrypto.EC384,
 }
 
 // defaultCurves is the list of only the curves we want to use
@@ -115,9 +121,9 @@ var defaultCurves = []tls.CurveID{
 	tls.CurveP256,
 }
 
-// supportedProtocols is a map of supported protocols.
-// HTTP/2 only supports TLS 1.2 and higher.
-var supportedProtocols = map[string]uint16{
+// SupportedProtocols is a map of supported protocols.
+// Note that HTTP/2 only supports TLS 1.2 and higher.
+var SupportedProtocols = map[string]uint16{
 	"tls1.0": tls.VersionTLS10,
 	"tls1.1": tls.VersionTLS11,
 	"tls1.2": tls.VersionTLS12,