aboutsummaryrefslogtreecommitdiffhomepage
path: root/modules/caddytls/connpolicy.go
diff options
context:
space:
mode:
Diffstat (limited to 'modules/caddytls/connpolicy.go')
-rw-r--r--modules/caddytls/connpolicy.go25
1 files changed, 19 insertions, 6 deletions
diff --git a/modules/caddytls/connpolicy.go b/modules/caddytls/connpolicy.go
index f415fffa0..d9fc6bcfe 100644
--- a/modules/caddytls/connpolicy.go
+++ b/modules/caddytls/connpolicy.go
@@ -24,10 +24,9 @@ import (
"fmt"
"io"
"os"
- "path/filepath"
"strings"
- "github.com/mholt/acmez/v2"
+ "github.com/mholt/acmez/v3"
"go.uber.org/zap"
"go.uber.org/zap/zapcore"
@@ -351,6 +350,20 @@ func (p *ConnectionPolicy) buildStandardTLSConfig(ctx caddy.Context) error {
if err := p.ClientAuthentication.ConfigureTLSConfig(cfg); err != nil {
return fmt.Errorf("configuring TLS client authentication: %v", err)
}
+
+ // Prevent privilege escalation in case multiple vhosts are configured for
+ // this TLS server; we could potentially figure out if that's the case, but
+ // that might be complex to get right every time. Actually, two proper
+ // solutions could leave tickets enabled, but I am not sure how to do them
+ // properly without significant time investment; there may be new Go
+ // APIs that alloaw this (Wrap/UnwrapSession?) but I do not know how to use
+ // them at this time. TODO: one of these is a possible future enhancement:
+ // A) Prevent resumptions across server identities (certificates): binding the ticket to the
+ // certificate we would serve in a full handshake, or even bind a ticket to the exact SNI
+ // it was issued under (though there are proposals for session resumption across hostnames).
+ // B) Prevent resumptions falsely authenticating a client: include the realm in the ticket,
+ // so that it can be validated upon resumption.
+ cfg.SessionTicketsDisabled = true
}
if p.InsecureSecretsLog != "" {
@@ -358,7 +371,7 @@ func (p *ConnectionPolicy) buildStandardTLSConfig(ctx caddy.Context) error {
if err != nil {
return err
}
- filename, err = filepath.Abs(filename)
+ filename, err = caddy.FastAbs(filename)
if err != nil {
return err
}
@@ -535,21 +548,21 @@ type ClientAuthentication struct {
CARaw json.RawMessage `json:"ca,omitempty" caddy:"namespace=tls.ca_pool.source inline_key=provider"`
ca CA
- // DEPRECATED: Use the `ca` field with the `tls.ca_pool.source.inline` module instead.
+ // Deprecated: Use the `ca` field with the `tls.ca_pool.source.inline` module instead.
// A list of base64 DER-encoded CA certificates
// against which to validate client certificates.
// Client certs which are not signed by any of
// these CAs will be rejected.
TrustedCACerts []string `json:"trusted_ca_certs,omitempty"`
- // DEPRECATED: Use the `ca` field with the `tls.ca_pool.source.file` module instead.
+ // Deprecated: Use the `ca` field with the `tls.ca_pool.source.file` module instead.
// TrustedCACertPEMFiles is a list of PEM file names
// from which to load certificates of trusted CAs.
// Client certificates which are not signed by any of
// these CA certificates will be rejected.
TrustedCACertPEMFiles []string `json:"trusted_ca_certs_pem_files,omitempty"`
- // DEPRECATED: This field is deprecated and will be removed in
+ // Deprecated: This field is deprecated and will be removed in
// a future version. Please use the `validators` field instead
// with the tls.client_auth.verifier.leaf module instead.
//