Diffstat (limited to 'modules/caddytls')
-rw-r--r--modules/caddytls/connpolicy.go1
-rw-r--r--modules/caddytls/distributedstek/distributedstek.go7
-rw-r--r--modules/caddytls/folderloader.go20
-rw-r--r--modules/caddytls/internalissuer.go16
-rw-r--r--modules/caddytls/tls.go2
-rw-r--r--modules/caddytls/values.go1
6 files changed, 36 insertions, 11 deletions
diff --git a/modules/caddytls/connpolicy.go b/modules/caddytls/connpolicy.go
index 7eda002..de929cc 100644
--- a/modules/caddytls/connpolicy.go
+++ b/modules/caddytls/connpolicy.go
@@ -80,6 +80,7 @@ func (cp ConnectionPolicies) TLSConfig(ctx caddy.Context) *tls.Config {
}
return &tls.Config{
+ MinVersion: tls.VersionTLS12,
GetConfigForClient: func(hello *tls.ClientHelloInfo) (*tls.Config, error) {
// filter policies by SNI first, if possible, to speed things up
// when there may be lots of policies
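Review bot: The new `MinVersion: tls.VersionTLS12` on the outer config only governs handshakes where GetConfigForClient returns nil, because crypto/tls swaps in the returned per-policy *tls.Config before negotiating the protocol version rather than inheriting fields from the outer one. Whether a policy without an explicit protocol_min can still negotiate TLS 1.0/1.1 therefore depends on the per-policy config built elsewhere in this file setting its own MinVersion, which is not visible in this hunk and should be confirmed. A comment on the added line would keep the next reader from assuming it is a global floor, e.g. `// floor for the fallback config only; per-policy configs returned below carry their own MinVersion`. TLSConfig starts before this hunk and the closure continues past it.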
diff --git a/modules/caddytls/distributedstek/distributedstek.go b/modules/caddytls/distributedstek/distributedstek.go
index f29db29..e76fc47 100644
--- a/modules/caddytls/distributedstek/distributedstek.go
+++ b/modules/caddytls/distributedstek/distributedstek.go
@@ -145,7 +145,12 @@ func (s *Provider) storeSTEK(dstek distributedSTEK) error {
// current STEK is outdated (NextRotation time is in the past),
// then it is rotated and persisted. The resulting STEK is returned.
func (s *Provider) getSTEK() (distributedSTEK, error) {
- s.storage.Lock(s.ctx, stekLockName)
+ err := s.storage.Lock(s.ctx, stekLockName)
+ if err != nil {
+ return distributedSTEK{}, fmt.Errorf("failed to acquire storage lock: %v", err)
+ }
+
+ //nolint:errcheck
defer s.storage.Unlock(stekLockName)
// load the current STEKs from storage
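Review bot: The new error return at the Lock call uses `%v`, so callers lose the underlying storage error for `errors.Is`/`errors.As`; `%w` keeps the chain, and the lock name is useful context: `return distributedSTEK{}, fmt.Errorf("acquiring storage lock %q: %w", stekLockName, err)`. The deferred `s.storage.Unlock` now carries `//nolint:errcheck` with no explanation, and a failed release of a distributed lock can stall STEK rotation on every node until the lock expires, so if Provider has a logger the unlock failure should at least be logged from a deferred closure rather than discarded; if it genuinely cannot be acted on, the nolint line should say why. getSTEK continues past the end of this hunk.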
diff --git a/modules/caddytls/folderloader.go b/modules/caddytls/folderloader.go
index f1a742d..10b017e 100644
--- a/modules/caddytls/folderloader.go
+++ b/modules/caddytls/folderloader.go
@@ -97,26 +97,38 @@ func x509CertFromCertAndKeyPEMFile(fpath string) (tls.Certificate, error) {
if derBlock.Type == "CERTIFICATE" {
// Re-encode certificate as PEM, appending to certificate chain
- pem.Encode(certBuilder, derBlock)
+ err = pem.Encode(certBuilder, derBlock)
+ if err != nil {
+ return tls.Certificate{}, err
+ }
} else if derBlock.Type == "EC PARAMETERS" {
// EC keys generated from openssl can be composed of two blocks:
// parameters and key (parameter block should come first)
if !foundKey {
// Encode parameters
- pem.Encode(keyBuilder, derBlock)
+ err = pem.Encode(keyBuilder, derBlock)
+ if err != nil {
+ return tls.Certificate{}, err
+ }
// Key must immediately follow
derBlock, bundle = pem.Decode(bundle)
if derBlock == nil || derBlock.Type != "EC PRIVATE KEY" {
return tls.Certificate{}, fmt.Errorf("%s: expected elliptic private key to immediately follow EC parameters", fpath)
}
- pem.Encode(keyBuilder, derBlock)
+ err = pem.Encode(keyBuilder, derBlock)
+ if err != nil {
+ return tls.Certificate{}, err
+ }
foundKey = true
}
} else if derBlock.Type == "PRIVATE KEY" || strings.HasSuffix(derBlock.Type, " PRIVATE KEY") {
// RSA key
if !foundKey {
- pem.Encode(keyBuilder, derBlock)
+ err = pem.Encode(keyBuilder, derBlock)
+ if err != nil {
+ return tls.Certificate{}, err
+ }
foundKey = true
}
} else {
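Review bot: The four new `pem.Encode` error returns hand back the bare error, while the sibling failure path at the EC PARAMETERS check prefixes the message with `fpath`; a loader that walks a folder of certificates will otherwise report an encode failure with no indication of which file it came from. Wrapping keeps the existing convention and the chain intact, e.g. `return tls.Certificate{}, fmt.Errorf("%s: re-encoding %s block: %w", fpath, derBlock.Type, err)` at each of the four sites. Separately, the `// RSA key` comment above the generic `" PRIVATE KEY"` suffix match is misleading, since that branch also accepts EC and other key types when no EC PARAMETERS block precedes them; `// any other private key type (RSA, EC without parameters block, PKCS#8)` would describe it. x509CertFromCertAndKeyPEMFile starts before this hunk and continues past it.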
diff --git a/modules/caddytls/internalissuer.go b/modules/caddytls/internalissuer.go
index 6f228ea..416369f 100644
--- a/modules/caddytls/internalissuer.go
+++ b/modules/caddytls/internalissuer.go
@@ -27,6 +27,7 @@ import (
"github.com/caddyserver/caddy/v2/modules/caddypki"
"github.com/caddyserver/certmagic"
"github.com/smallstep/certificates/authority/provisioner"
+ "go.uber.org/zap"
)
func init() {
@@ -51,7 +52,8 @@ type InternalIssuer struct {
// validate certificate chains.
SignWithRoot bool `json:"sign_with_root,omitempty"`
- ca *caddypki.CA
+ ca *caddypki.CA
+ logger *zap.Logger
}
// CaddyModule returns the Caddy module information.
@@ -64,6 +66,8 @@ func (InternalIssuer) CaddyModule() caddy.ModuleInfo {
// Provision sets up the issuer.
func (iss *InternalIssuer) Provision(ctx caddy.Context) error {
+ iss.logger = ctx.Logger(iss)
+
// get a reference to the configured CA
appModule, err := ctx.App("pki")
if err != nil {
@@ -115,11 +119,15 @@ func (iss InternalIssuer) Issue(ctx context.Context, csr *x509.CertificateReques
// ensure issued certificate does not expire later than its issuer
lifetime := time.Duration(iss.Lifetime)
if time.Now().Add(lifetime).After(issuerCert.NotAfter) {
- // TODO: log this
- lifetime = issuerCert.NotAfter.Sub(time.Now())
+ lifetime = time.Until(issuerCert.NotAfter)
+ iss.logger.Warn("cert lifetime would exceed issuer NotAfter, clamping lifetime",
+ zap.Duration("orig_lifetime", time.Duration(iss.Lifetime)),
+ zap.Duration("lifetime", lifetime),
+ zap.Time("not_after", issuerCert.NotAfter),
+ )
}
- certChain, err := auth.Sign(csr, provisioner.SignOptions{}, customCertLifetime(iss.Lifetime))
+ certChain, err := auth.Sign(csr, provisioner.SignOptions{}, customCertLifetime(caddy.Duration(lifetime)))
if err != nil {
return nil, err
}
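Review bot: The clamp at `lifetime = time.Until(issuerCert.NotAfter)` produces a zero or negative duration when the issuer certificate has already expired, and that value is now passed straight into `customCertLifetime`; the hunk does not show what the smallstep authority does with a non-positive lifetime, but issuing from an expired CA should be refused explicitly rather than left to that behaviour. A guard before the clamp would make the failure clear: `if !issuerCert.NotAfter.After(time.Now()) { return nil, fmt.Errorf("issuer certificate expired at %s", issuerCert.NotAfter) }`. The warning is emitted through `iss.logger`, which is only set in Provision; if Issue can be reached on an issuer that was constructed without provisioning (as tests sometimes do), `iss.logger` is nil, so a `zap.NewNop()` fallback is worth considering. Issue starts before this hunk and its closing brace lies outside it.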
diff --git a/modules/caddytls/tls.go b/modules/caddytls/tls.go
index 146eed4..fd3473e 100644
--- a/modules/caddytls/tls.go
+++ b/modules/caddytls/tls.go
@@ -498,8 +498,6 @@ var (
storageCleanMu sync.Mutex
)
-const automateKey = "automate"
-
// Interface guards
var (
_ caddy.App = (*TLS)(nil)
diff --git a/modules/caddytls/values.go b/modules/caddytls/values.go
index f0944a3..dea0013 100644
--- a/modules/caddytls/values.go
+++ b/modules/caddytls/values.go
@@ -122,6 +122,7 @@ var SupportedProtocols = map[string]uint16{
// unsupportedProtocols is a map of unsupported protocols.
// Used for logging only, not enforcement.
var unsupportedProtocols = map[string]uint16{
+ //nolint:staticcheck
"ssl3.0": tls.VersionSSL30,
"tls1.0": tls.VersionTLS10,
"tls1.1": tls.VersionTLS11,
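Review bot: The added `//nolint:staticcheck` line suppresses the deprecation report on `tls.VersionSSL30` without saying why the deprecated constant is deliberately retained, which is exactly what the next person removing "dead" entries needs to know; the map doc says these names are used for logging only. A reason on the directive itself would carry that: `//nolint:staticcheck // VersionSSL30 is deprecated in crypto/tls; kept only so a config naming ssl3.0 produces a clear "unsupported" log line`. Whether a standalone nolint line inside a composite literal attaches to the following entry depends on the linter configuration, so confirm it actually silences SA1019 here rather than only appearing to.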