author | Matthew Holt <[email protected]> | 2019-06-19 16:57:32 -0600 |
---|---|---|
committer | Matthew Holt <[email protected]> | 2019-06-19 16:57:45 -0600 |
commit | 62b4553f7d14912d6bcec53068f0e176ea9065e4 (patch) | |
tree | 1e1f41bb9ef913a6ca32e7e0ca9dbab2b55f91bc | |
parent | ad20323b52b4f30449119b3e7b11b36bf0b78628 (diff) | |
download | caddy-62b4553f7d14912d6bcec53068f0e176ea9065e4.tar.gz caddy-62b4553f7d14912d6bcec53068f0e176ea9065e4.zip |
tls: Disable on-demand TLS when random config is chosen
A random config is intended to be used only for solving TLS-ALPN
challenges; so we have to be sure to disable on-demand TLS so that
arbitrary names can't request certificates with another name's
on-demand config.
-rw-r--r-- | caddytls/handshake.go | 24 |
1 files changed, 24 insertions, 0 deletions
diff --git a/caddytls/handshake.go b/caddytls/handshake.go
index 0cd8a15ad..5bed3adea 100644
--- a/caddytls/handshake.go
+++ b/caddytls/handshake.go
@@ -88,6 +88,30 @@ func (cg configGroup) getConfig(hello *tls.ClientHelloInfo) *Config {
 // TLS configuration for; any config will do for
 // this purpose
 for _, config := range cg {
+ // important! disable on-demand TLS so we don't
+ // try to get certificates for unrecognized names;
+ // this requires a careful pointer dance... first
+ // make shallow copies of the structs
+ if config.Manager != nil && config.Manager.OnDemand != nil {
+ cfgCopy := *config
+ mgrCopy := *config.Manager
+ tlsCfgCopy := config.tlsConfig.Clone()
+
+ // then turn off on-demand TLS
+ mgrCopy.OnDemand = nil
+
+ // then change the copies; make sure the
+ // GetCertificate callback is updated so
+ // it points to our modified config
+ cfgCopy.Manager = &mgrCopy
+ tlsCfgCopy.GetCertificate = mgrCopy.GetCertificate
+ cfgCopy.tlsConfig = tlsCfgCopy
+
+ // finally, return the reconstructed config
+ return &cfgCopy
+ }
+ // if on-demand TLS was not enabled, we should
+ // be able to use this config directly
 return config
 }
|
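Review bot: `tlsCfgCopy := config.tlsConfig.Clone()` is dereferenced two statements later without a nil check; `(*tls.Config).Clone` returns nil for a nil receiver, so if any config in cg can reach this fallback with `tlsConfig` unset, `tlsCfgCopy.GetCertificate = ...` panics inside the handshake path. If that state is possible here, a fail-closed guard keeps the intent of the commit (never hand back the on-demand-enabled original): `if tlsCfgCopy == nil { continue }` placed right after the Clone call. Note also that `cfgCopy`, `mgrCopy` and the cloned tls.Config are allocated on every fallback handshake; if this path is hit often, the disabled copy could be built once per config rather than per ClientHello, though that is a performance point rather than a correctness one. The enclosing getConfig begins before this hunk and continues after it.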