authorRithvik Vibhu <[email protected]>2024-01-10 04:30:31 +0530
committerGitHub <[email protected]>2024-01-09 16:00:31 -0700
commited41c924cfdee562b36c86cced5571c2800348d8 (patch)
tree0028ecead0e356e7c6342aa31e4da8aa831b3558
parentd9ff7b18726e21327b21b5e30b0ebd90f9023b39 (diff)
tls: add reuse_private_keys (#6025)
-rw-r--r--caddyconfig/httpcaddyfile/builtins.go16
-rw-r--r--caddyconfig/httpcaddyfile/tlsapp.go6
-rw-r--r--modules/caddytls/automation.go10
3 files changed, 32 insertions, 0 deletions
diff --git a/caddyconfig/httpcaddyfile/builtins.go b/caddyconfig/httpcaddyfile/builtins.go
index 22b2f01fa..568028388 100644
--- a/caddyconfig/httpcaddyfile/builtins.go
+++ b/caddyconfig/httpcaddyfile/builtins.go
@@ -90,6 +90,7 @@ func parseBind(h Helper) ([]ConfigValue, error) {
// dns_ttl <duration>
// dns_challenge_override_domain <domain>
// on_demand
+// reuse_private_keys
// eab <key_id> <mac_key>
// issuer <module_name> [...]
// get_certificate <module_name> [...]
@@ -106,6 +107,7 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
var issuers []certmagic.Issuer
var certManagers []certmagic.Manager
var onDemand bool
+ var reusePrivateKeys bool
for h.Next() {
// file certificate loader
@@ -483,6 +485,12 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
}
onDemand = true
+ case "reuse_private_keys":
+ if h.NextArg() {
+ return nil, h.ArgErr()
+ }
+ reusePrivateKeys = true
+
case "insecure_secrets_log":
if !h.NextArg() {
return nil, h.ArgErr()
@@ -589,6 +597,14 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
})
}
+ // reuse private keys TLS
+ if reusePrivateKeys {
+ configVals = append(configVals, ConfigValue{
+ Class: "tls.reuse_private_keys",
+ Value: true,
+ })
+ }
+
// custom certificate selection
if len(certSelector.AnyTag) > 0 {
cp.CertSelection = &certSelector
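Review bot: The comment `// reuse private keys TLS` above the new block reads like a copy of the on-demand block's comment rather than a description of this one; `// reuse existing private keys when obtaining or renewing certificates` says what the flag does. The same wording (`// reuse private keys tls`) is repeated in the tlsapp.go hunk inside buildTLSApp. The appended Value is true, while the consumer in tlsapp.go only tests for the presence of the "tls.reuse_private_keys" class in the pile, so the value itself is never read; that appears consistent with how on_demand is carried, but it is worth a short comment so nobody later expects a false value to disable the feature. parseTLS starts and ends outside this hunk.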
diff --git a/caddyconfig/httpcaddyfile/tlsapp.go b/caddyconfig/httpcaddyfile/tlsapp.go
index cb947a6e4..1adb2b6e0 100644
--- a/caddyconfig/httpcaddyfile/tlsapp.go
+++ b/caddyconfig/httpcaddyfile/tlsapp.go
@@ -118,6 +118,11 @@ func (st ServerType) buildTLSApp(
ap.OnDemand = true
}
+ // reuse private keys tls
+ if _, ok := sblock.pile["tls.reuse_private_keys"]; ok {
+ ap.ReusePrivateKeys = true
+ }
+
if keyTypeVals, ok := sblock.pile["tls.key_type"]; ok {
ap.KeyType = keyTypeVals[0].Value.(string)
}
@@ -587,6 +592,7 @@ outer:
aps[i].MustStaple == aps[j].MustStaple &&
aps[i].KeyType == aps[j].KeyType &&
aps[i].OnDemand == aps[j].OnDemand &&
+ aps[i].ReusePrivateKeys == aps[j].ReusePrivateKeys &&
aps[i].RenewalWindowRatio == aps[j].RenewalWindowRatio {
if len(aps[i].SubjectsRaw) > 0 && len(aps[j].SubjectsRaw) == 0 {
// later policy (at j) has no subjects ("catch-all"), so we can
diff --git a/modules/caddytls/automation.go b/modules/caddytls/automation.go
index 6d085ee3f..72eeae76c 100644
--- a/modules/caddytls/automation.go
+++ b/modules/caddytls/automation.go
@@ -138,6 +138,15 @@ type AutomationPolicy struct {
// load. This enables On-Demand TLS for this policy.
OnDemand bool `json:"on_demand,omitempty"`
+ // If true, private keys already existing in storage
+ // will be reused. Otherwise, a new key will be
+ // created for every new certificate to mitigate
+ // pinning and reduce the scope of key compromise.
+ // TEMPORARY: Key pinning is against industry best practices.
+ // This property will likely be removed in the future.
+ // Do not rely on it forever; watch the release notes.
+ ReusePrivateKeys bool `json:"reuse_private_keys,omitempty"`
+
// Disables OCSP stapling. Disabling OCSP stapling puts clients at
// greater risk, reduces their privacy, and usually lowers client
// performance. It is NOT recommended to disable this unless you
@@ -288,6 +297,7 @@ func (ap *AutomationPolicy) Provision(tlsApp *TLS) error {
KeySource: keySource,
OnEvent: tlsApp.onEvent,
OnDemand: ond,
+ ReusePrivateKeys: ap.ReusePrivateKeys,
OCSP: certmagic.OCSPConfig{
DisableStapling: ap.DisableOCSPStapling,
ResponderOverrides: ap.OCSPOverrides,
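Review bot: Enabling ReusePrivateKeys weakens the key-rotation posture that the field's own doc comment in this file describes, yet Provision passes it through to the certmagic config with no runtime signal that it is in effect. A warning emitted once in Provision when the flag is set, before the config is built — something like `if ap.ReusePrivateKeys { tlsApp.logger.Warn("private key reuse is enabled; new certificates will keep existing keys") }`, assuming the TLS app exposes a logger here, which this hunk does not show — makes the choice visible in logs for audits and gives operators advance notice for the removal the doc comment announces. Provision starts and ends outside this hunk.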