author | Matthew Holt <[email protected]> | 2024-12-19 12:17:02 -0700 |
---|---|---|
committer | Matthew Holt <[email protected]> | 2024-12-19 12:17:07 -0700 |
commit | ed1c594cdbddf89829eaf1174f414028577b432d (patch) | |
tree | 917b260acf9d1a9851134cf90a6386017875a73f /modules/caddytls/connpolicy.go | |
parent | 66c80caf236e2d98e61bf1bc8bb062d7b8c25430 (diff) | |
go.mod: Upgrade ACMEz to v3; and upgrade CertMagic
Diffstat (limited to 'modules/caddytls/connpolicy.go')
-rw-r--r-- | modules/caddytls/connpolicy.go | 16 |
1 files changed, 15 insertions, 1 deletions
diff --git a/modules/caddytls/connpolicy.go b/modules/caddytls/connpolicy.go
index 9332cf2ed..d9fc6bcfe 100644
--- a/modules/caddytls/connpolicy.go
+++ b/modules/caddytls/connpolicy.go
@@ -26,7 +26,7 @@ import (
 	"os"
 	"strings"
 
-	"github.com/mholt/acmez/v2"
+	"github.com/mholt/acmez/v3"
 	"go.uber.org/zap"
 	"go.uber.org/zap/zapcore"
 
@@ -350,6 +350,20 @@ func (p *ConnectionPolicy) buildStandardTLSConfig(ctx caddy.Context) error {
 		if err := p.ClientAuthentication.ConfigureTLSConfig(cfg); err != nil {
 			return fmt.Errorf("configuring TLS client authentication: %v", err)
 		}
+
+		// Prevent privilege escalation in case multiple vhosts are configured for
+		// this TLS server; we could potentially figure out if that's the case, but
+		// that might be complex to get right every time. Actually, two proper
+		// solutions could leave tickets enabled, but I am not sure how to do them
+		// properly without significant time investment; there may be new Go
+		// APIs that alloaw this (Wrap/UnwrapSession?) but I do not know how to use
+		// them at this time. TODO: one of these is a possible future enhancement:
+		// A) Prevent resumptions across server identities (certificates): binding the ticket to the
+		// certificate we would serve in a full handshake, or even bind a ticket to the exact SNI
+		// it was issued under (though there are proposals for session resumption across hostnames).
+		// B) Prevent resumptions falsely authenticating a client: include the realm in the ticket,
+		// so that it can be validated upon resumption.
+		cfg.SessionTicketsDisabled = true
 	}
 
 	if p.InsecureSecretsLog != "" {
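Review bot: The comment above `cfg.SessionTicketsDisabled = true` reads as a personal working note ("I am not sure", "I do not know how to use them") and has a typo (`alloaw`); because this flag is a deliberate security trade-off that a later maintainer could be tempted to revert for performance, the threat it closes should be stated in one sentence at the top rather than buried mid-paragraph. I would replace the first two sentences with `// Security: session tickets are disabled whenever client auth is configured, since a resumed session may be honored across the vhosts/policies sharing this listener and would skip the client-certificate checks a full handshake performs.` and keep the A)/B) options as a shorter TODO. On the hook the TODO wonders about, Go 1.21+ exposes Config.WrapSession/UnwrapSession together with SessionState.Extra, which appears to be the intended place to carry a realm or certificate binding for option B; worth confirming against the Go version pinned in go.mod before relying on it. The comment should also acknowledge that resumption is switched off even for single-vhost deployments where the cross-policy concern does not arise, so the performance cost is understood. The `if` that guards this block begins outside the hunk.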