authorMatthew Holt <[email protected]>2019-06-19 16:57:32 -0600
committerMatthew Holt <[email protected]>2019-06-19 16:57:45 -0600
commit62b4553f7d14912d6bcec53068f0e176ea9065e4 (patch)
tree1e1f41bb9ef913a6ca32e7e0ca9dbab2b55f91bc
parentad20323b52b4f30449119b3e7b11b36bf0b78628 (diff)
downloadcaddy-62b4553f7d14912d6bcec53068f0e176ea9065e4.tar.gz
caddy-62b4553f7d14912d6bcec53068f0e176ea9065e4.zip
tls: Disable on-demand TLS when random config is chosen
A random config is intended to be used only for solving TLS-ALPN challenges, so we have to be sure to disable on-demand TLS on it; otherwise a client presenting an arbitrary, unrecognized name could trigger certificate issuance through another name's on-demand config.
-rw-r--r--caddytls/handshake.go24
1 files changed, 24 insertions, 0 deletions
diff --git a/caddytls/handshake.go b/caddytls/handshake.go
index 0cd8a15ad..5bed3adea 100644
--- a/caddytls/handshake.go
+++ b/caddytls/handshake.go
@@ -88,6 +88,30 @@ func (cg configGroup) getConfig(hello *tls.ClientHelloInfo) *Config {
// TLS configuration for; any config will do for
// this purpose
for _, config := range cg {
+ // important! disable on-demand TLS so we don't
+ // try to get certificates for unrecognized names;
+ // this requires a careful pointer dance... first
+ // make shallow copies of the structs
+ if config.Manager != nil && config.Manager.OnDemand != nil {
+ cfgCopy := *config
+ mgrCopy := *config.Manager
+ tlsCfgCopy := config.tlsConfig.Clone()
+
+ // then turn off on-demand TLS
+ mgrCopy.OnDemand = nil
+
+ // then change the copies; make sure the
+ // GetCertificate callback is updated so
+ // it points to our modified config
+ cfgCopy.Manager = &mgrCopy
+ tlsCfgCopy.GetCertificate = mgrCopy.GetCertificate
+ cfgCopy.tlsConfig = tlsCfgCopy
+
+ // finally, return the reconstructed config
+ return &cfgCopy
+ }
+ // if on-demand TLS was not enabled, we should
+ // be able to use this config directly
return config
}