From 6ea121ddf8c5be6de892971782d6f0fe2938ebbf Mon Sep 17 00:00:00 2001
From: Matthew Holt
Date: Fri, 13 Dec 2019 16:32:27 -0700
Subject: tls: Ensure conn policy is created when providing certs in Caddyfile

Fixes #2929
---
 caddyconfig/httpcaddyfile/builtins.go | 39 ++++++++++++++++++++++++++++-------
 1 file changed, 32 insertions(+), 7 deletions(-)
(limited to 'caddyconfig/httpcaddyfile/builtins.go')

diff --git a/caddyconfig/httpcaddyfile/builtins.go b/caddyconfig/httpcaddyfile/builtins.go
index e92aa9d..b523d95 100644
--- a/caddyconfig/httpcaddyfile/builtins.go
+++ b/caddyconfig/httpcaddyfile/builtins.go
@@ -81,7 +81,7 @@ func parseRoot(h Helper) ([]ConfigValue, error) {
 func parseTLS(h Helper) ([]ConfigValue, error) {
 	var configVals []ConfigValue
 
-	cp := new(caddytls.ConnectionPolicy)
+	var cp *caddytls.ConnectionPolicy
 	var fileLoader caddytls.FileLoader
 	var folderLoader caddytls.FolderLoader
 	var mgr caddytls.ACMEManagerMaker
@@ -131,12 +131,18 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
 			if _, ok := caddytls.SupportedProtocols[args[0]]; !ok {
 				return nil, h.Errf("Wrong protocol name or protocol not supported: '%s'", args[0])
 			}
+			if cp == nil {
+				cp = new(caddytls.ConnectionPolicy)
+			}
 			cp.ProtocolMin = args[0]
 		}
 		if len(args) > 1 {
 			if _, ok := caddytls.SupportedProtocols[args[1]]; !ok {
 				return nil, h.Errf("Wrong protocol name or protocol not supported: '%s'", args[1])
 			}
+			if cp == nil {
+				cp = new(caddytls.ConnectionPolicy)
+			}
 			cp.ProtocolMax = args[1]
 		}
 	case "ciphers":
@@ -144,6 +150,9 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
 			if _, ok := caddytls.SupportedCipherSuites[h.Val()]; !ok {
 				return nil, h.Errf("Wrong cipher suite name or cipher suite not supported: '%s'", h.Val())
 			}
+			if cp == nil {
+				cp = new(caddytls.ConnectionPolicy)
+			}
 			cp.CipherSuites = append(cp.CipherSuites, h.Val())
 		}
 	case "curves":
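Review bot: The nil guard `if cp == nil { cp = new(caddytls.ConnectionPolicy) }` is repeated before every write to `cp` in the hunks at -131 and -144 here and again at -151, -158 and -183 on the following line; a small closure declared next to `var cp *caddytls.ConnectionPolicy` in the first hunk would keep the lazy allocation in one place and make it harder for a future subdirective to write through a nil `cp`. Each use site then reads `connPolicy().ProtocolMin = args[0]` and so on. The `switch` these hunks belong to starts and ends outside them.
```go
	var cp *caddytls.ConnectionPolicy
	// connPolicy lazily allocates cp so a policy is only emitted when a
	// subdirective (or, later, a certificate loader) actually needs one.
	connPolicy := func() *caddytls.ConnectionPolicy {
		if cp == nil {
			cp = new(caddytls.ConnectionPolicy)
		}
		return cp
	}
	// … unchanged: remaining declarations and the subdirective loop …
			connPolicy().ProtocolMin = args[0]
```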
@@ -151,6 +160,9 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
 			if _, ok := caddytls.SupportedCurves[h.Val()]; !ok {
 				return nil, h.Errf("Wrong curve name or curve not supported: '%s'", h.Val())
 			}
+			if cp == nil {
+				cp = new(caddytls.ConnectionPolicy)
+			}
 			cp.Curves = append(cp.Curves, h.Val())
 		}
 	case "alpn":
@@ -158,6 +170,9 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
 			if len(args) == 0 {
 				return nil, h.ArgErr()
 			}
+			if cp == nil {
+				cp = new(caddytls.ConnectionPolicy)
+			}
 			cp.ALPN = args
 
 		// certificate folder loader
@@ -183,24 +198,34 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
 		}
 	}
 
-	// connection policy
-	configVals = append(configVals, ConfigValue{
-		Class: "tls.connection_policy",
-		Value: cp,
-	})
-
 	// certificate loaders
 	if len(fileLoader) > 0 {
 		configVals = append(configVals, ConfigValue{
 			Class: "tls.certificate_loader",
 			Value: fileLoader,
 		})
+		// ensure server uses HTTPS by setting non-nil conn policy
+		if cp == nil {
+			cp = new(caddytls.ConnectionPolicy)
+		}
 	}
 	if len(folderLoader) > 0 {
 		configVals = append(configVals, ConfigValue{
 			Class: "tls.certificate_loader",
 			Value: folderLoader,
 		})
+		// ensure server uses HTTPS by setting non-nil conn policy
+		if cp == nil {
+			cp = new(caddytls.ConnectionPolicy)
+		}
+	}
+
+	// connection policy
+	if cp != nil {
+		configVals = append(configVals, ConfigValue{
+			Class: "tls.connection_policy",
+			Value: cp,
+		})
 	}
 
 	// automation policy
-- 
cgit v1.2.3
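Review bot: Emitting `tls.connection_policy` only when `cp != nil` (the `// connection policy` block at the end of the hunk at -183) means a `tls` block that sets only the automation settings handled via `mgr` outside these hunks no longer yields a connection policy, where the old code appended one unconditionally; if that policy is what switches the site to HTTPS, the result would be a site silently served without TLS rather than a parse error, so it is worth confirming that the automation path covers this case and stating the invariant in the comment, e.g. `// a connection policy is emitted only when a subdirective or a loaded certificate requires one`. The two identical loader guards could also collapse into one after both loader blocks: `if cp == nil && (len(fileLoader) > 0 || len(folderLoader) > 0) { cp = new(caddytls.ConnectionPolicy) }`, keeping the `// ensure server uses HTTPS` comment above it. parseTLS continues outside the hunk.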