From 2b22d2e6ea7ffd17ae769bd8a2adae60e5a7d0bf Mon Sep 17 00:00:00 2001
From: Matthew Holt
Date: Wed, 26 Jun 2019 16:03:29 -0600
Subject: Optionally enforce strict TLS SNI + HTTP Host matching, & misc. cleanup

We should look into a way to enable this by default when TLS client auth is configured for a server
---
 modules/caddytls/tls.go | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

(limited to 'modules/caddytls')

diff --git a/modules/caddytls/tls.go b/modules/caddytls/tls.go
index 7f5b1e9..7b8e420 100644
--- a/modules/caddytls/tls.go
+++ b/modules/caddytls/tls.go
@@ -88,15 +88,16 @@ func (t *TLS) Provision(ctx caddy.Context) error {
 // Start activates the TLS module.
 func (t *TLS) Start() error {
+	magic := certmagic.New(t.certCache, certmagic.Config{
+		Storage: t.ctx.Storage(),
+	})
+
 	// load manual/static (unmanaged) certificates
 	for _, loader := range t.certificateLoaders {
 		certs, err := loader.LoadCertificates()
 		if err != nil {
 			return fmt.Errorf("loading certificates: %v", err)
 		}
-		magic := certmagic.New(t.certCache, certmagic.Config{
-			Storage: t.ctx.Storage(),
-		})
 		for _, cert := range certs {
 			err := magic.CacheUnmanagedTLSCertificate(cert.Certificate, cert.Tags)
 			if err != nil {
--
cgit v1.2.3
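Review bot: The hoisted `magic` on the first added line of the `Start` hunk is built unconditionally, before the loop over `t.certificateLoaders` runs, so a server with no unmanaged-certificate loaders still constructs a certmagic instance configured with nothing but `Storage`; whether `certmagic.New` has side effects beyond allocation (for instance registering with `t.certCache`) cannot be told from this hunk, and if it does, the construction is now reachable on a path the old code never took. The move also deserves a line of intent next to it, e.g. `// one certmagic instance, sharing t.certCache and storage, caches the unmanaged certs from every loader`, since a reader of the new code sees only a bare constructor above the loop. Note that the commit subject describes strict SNI/Host matching, but nothing in this file-limited patch implements it, so that behaviour must live in another file of the commit. The body of `Start` continues past the end of the hunk.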