From 50961ecc77eb7e6a33f823da1d9eea6554a14b43 Mon Sep 17 00:00:00 2001
From: Alexandre Stein <astein58@gmail.com>
Date: Tue, 3 Sep 2019 17:35:36 +0200
Subject: Initial implementation of TLS client authentication (#2731)

* Add support for client TLS authentication

Signed-off-by: Alexandre Stein <alexandre_stein@interlab-net.com>

* make and use client authentication struct

* force StrictSNIHost if TLSConnPolicies is not empty

* Implement leafs verification

* Fixes issue when using multiple verification

* applies the comments from maintainers

* Apply comment

* Refactor/cleanup initial TLS client auth implementation
---
 modules/caddyhttp/caddyhttp.go | 22 +++++++++++++++-------
 1 file changed, 15 insertions(+), 7 deletions(-)

(limited to 'modules/caddyhttp/caddyhttp.go')

diff --git a/modules/caddyhttp/caddyhttp.go b/modules/caddyhttp/caddyhttp.go
index b4b1ec6..6d8e921 100644
--- a/modules/caddyhttp/caddyhttp.go
+++ b/modules/caddyhttp/caddyhttp.go
@@ -75,6 +75,15 @@ func (app *App) Provision(ctx caddy.Context) error {
 			srv.AutoHTTPS = new(AutoHTTPSConfig)
 		}
 
+		// disallow TLS client auth bypass which could
+		// otherwise be exploited by sending an unprotected
+		// SNI value during TLS handshake, then a protected
+		// Host header during HTTP request later on that
+		// connection
+		if srv.hasTLSClientAuth() {
+			srv.StrictSNIHost = true
+		}
+
 		// TODO: Test this function to ensure these replacements are performed
 		for i := range srv.Listen {
 			srv.Listen[i] = repl.ReplaceAll(srv.Listen[i], "")
@@ -159,8 +168,7 @@ func (app *App) Start() error {
 					return fmt.Errorf("%s: listening on %s: %v", network, addr, err)
 				}
 
-				// enable HTTP/2 (and support for solving the
-				// TLS-ALPN ACME challenge) by default
+				// enable HTTP/2 by default
 				for _, pol := range srv.TLSConnPolicies {
 					if len(pol.ALPN) == 0 {
 						pol.ALPN = append(pol.ALPN, defaultALPN...)
@@ -294,11 +302,11 @@ func (app *App) automaticHTTPS() error {
 				return fmt.Errorf("%s: managing certificate for %s: %s", srvName, domains, err)
 			}
 
-			// tell the server to use TLS by specifying a TLS
-			// connection policy (which supports HTTP/2 and the
-			// TLS-ALPN ACME challenge as well)
-			srv.TLSConnPolicies = caddytls.ConnectionPolicies{
-				{ALPN: defaultALPN},
+			// tell the server to use TLS if it is not already doing so
+			if srv.TLSConnPolicies == nil {
+				srv.TLSConnPolicies = caddytls.ConnectionPolicies{
+					&caddytls.ConnectionPolicy{ALPN: defaultALPN},
+				}
 			}
 
 			if srv.AutoHTTPS.DisableRedir {
-- 
cgit v1.2.3