Diffstat (limited to 'modules/caddytls')
-rw-r--r--modules/caddytls/acmeissuer.go2
-rw-r--r--modules/caddytls/automation.go2
-rw-r--r--modules/caddytls/connpolicy.go25
-rw-r--r--modules/caddytls/ondemand.go2
-rw-r--r--modules/caddytls/tls.go17
5 files changed, 38 insertions, 10 deletions
diff --git a/modules/caddytls/acmeissuer.go b/modules/caddytls/acmeissuer.go
index 9dfeff724..29a5954e7 100644
--- a/modules/caddytls/acmeissuer.go
+++ b/modules/caddytls/acmeissuer.go
@@ -28,7 +28,7 @@ import (
"github.com/caddyserver/certmagic"
"github.com/caddyserver/zerossl"
- "github.com/mholt/acmez/v2/acme"
+ "github.com/mholt/acmez/v3/acme"
"go.uber.org/zap"
"go.uber.org/zap/zapcore"
diff --git a/modules/caddytls/automation.go b/modules/caddytls/automation.go
index f6a535077..1bc86020d 100644
--- a/modules/caddytls/automation.go
+++ b/modules/caddytls/automation.go
@@ -25,7 +25,7 @@ import (
"strings"
"github.com/caddyserver/certmagic"
- "github.com/mholt/acmez/v2"
+ "github.com/mholt/acmez/v3"
"go.uber.org/zap"
"go.uber.org/zap/zapcore"
diff --git a/modules/caddytls/connpolicy.go b/modules/caddytls/connpolicy.go
index f415fffa0..d9fc6bcfe 100644
--- a/modules/caddytls/connpolicy.go
+++ b/modules/caddytls/connpolicy.go
@@ -24,10 +24,9 @@ import (
"fmt"
"io"
"os"
- "path/filepath"
"strings"
- "github.com/mholt/acmez/v2"
+ "github.com/mholt/acmez/v3"
"go.uber.org/zap"
"go.uber.org/zap/zapcore"
@@ -351,6 +350,20 @@ func (p *ConnectionPolicy) buildStandardTLSConfig(ctx caddy.Context) error {
if err := p.ClientAuthentication.ConfigureTLSConfig(cfg); err != nil {
return fmt.Errorf("configuring TLS client authentication: %v", err)
}
+
+ // Prevent privilege escalation in case multiple vhosts are configured for
+ // this TLS server; we could potentially figure out if that's the case, but
+ // that might be complex to get right every time. Actually, two proper
+ // solutions could leave tickets enabled, but I am not sure how to do them
+ // properly without significant time investment; there may be new Go
+ // APIs that alloaw this (Wrap/UnwrapSession?) but I do not know how to use
+ // them at this time. TODO: one of these is a possible future enhancement:
+ // A) Prevent resumptions across server identities (certificates): binding the ticket to the
+ // certificate we would serve in a full handshake, or even bind a ticket to the exact SNI
+ // it was issued under (though there are proposals for session resumption across hostnames).
+ // B) Prevent resumptions falsely authenticating a client: include the realm in the ticket,
+ // so that it can be validated upon resumption.
+ cfg.SessionTicketsDisabled = true
}
if p.InsecureSecretsLog != "" {
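Review bot: The comment above `cfg.SessionTicketsDisabled = true` reads as a working note ("I am not sure how to do them properly", typo `alloaw`) rather than a rationale a maintainer can act on; it should state the threat in two sentences and push the design options into a TODO. I would replace it with `// Disable session tickets when client auth is configured: a resumed handshake does not re-run this policy's client-cert verification, so a ticket issued under another policy on the same listener could otherwise resume here with a different (or no) client identity.` followed by `// TODO: bind the policy/verifier identity into the ticket (e.g. via WrapSession/UnwrapSession) so resumption can be re-enabled safely.` — this is the same concern the existing option B describes, stated up front. Worth noting in the ClientAuthentication doc comment as well: in Go's crypto/tls this flag disables server-side resumption for TLS 1.3 PSKs as well as TLS 1.2 tickets, so every client-auth policy now pays a full handshake per connection, which operators may notice. The `if` that encloses this block opens before the hunk, so I am assuming it is the client-authentication guard.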
@@ -358,7 +371,7 @@ func (p *ConnectionPolicy) buildStandardTLSConfig(ctx caddy.Context) error {
if err != nil {
return err
}
- filename, err = filepath.Abs(filename)
+ filename, err = caddy.FastAbs(filename)
if err != nil {
return err
}
@@ -535,21 +548,21 @@ type ClientAuthentication struct {
CARaw json.RawMessage `json:"ca,omitempty" caddy:"namespace=tls.ca_pool.source inline_key=provider"`
ca CA
- // DEPRECATED: Use the `ca` field with the `tls.ca_pool.source.inline` module instead.
+ // Deprecated: Use the `ca` field with the `tls.ca_pool.source.inline` module instead.
// A list of base64 DER-encoded CA certificates
// against which to validate client certificates.
// Client certs which are not signed by any of
// these CAs will be rejected.
TrustedCACerts []string `json:"trusted_ca_certs,omitempty"`
- // DEPRECATED: Use the `ca` field with the `tls.ca_pool.source.file` module instead.
+ // Deprecated: Use the `ca` field with the `tls.ca_pool.source.file` module instead.
// TrustedCACertPEMFiles is a list of PEM file names
// from which to load certificates of trusted CAs.
// Client certificates which are not signed by any of
// these CA certificates will be rejected.
TrustedCACertPEMFiles []string `json:"trusted_ca_certs_pem_files,omitempty"`
- // DEPRECATED: This field is deprecated and will be removed in
+ // Deprecated: This field is deprecated and will be removed in
// a future version. Please use the `validators` field instead
// with the tls.client_auth.verifier.leaf module instead.
//
diff --git a/modules/caddytls/ondemand.go b/modules/caddytls/ondemand.go
index 066473cd9..0970234ce 100644
--- a/modules/caddytls/ondemand.go
+++ b/modules/caddytls/ondemand.go
@@ -42,7 +42,7 @@ func init() {
// to your application whether a particular domain is allowed
// to have a certificate issued for it.
type OnDemandConfig struct {
- // DEPRECATED. WILL BE REMOVED SOON. Use 'permission' instead with the `http` module.
+ // Deprecated. WILL BE REMOVED SOON. Use 'permission' instead with the `http` module.
Ask string `json:"ask,omitempty"`
// REQUIRED. A module that will determine whether a
diff --git a/modules/caddytls/tls.go b/modules/caddytls/tls.go
index 6e660dea8..abb519eb7 100644
--- a/modules/caddytls/tls.go
+++ b/modules/caddytls/tls.go
@@ -92,6 +92,17 @@ type TLS struct {
// EXPERIMENTAL. Subject to change.
DisableStorageCheck bool `json:"disable_storage_check,omitempty"`
+ // Disables the automatic cleanup of the storage backend.
+ // This is useful when TLS is not being used to store certificates
+ // and the user wants run their server in a read-only mode.
+ //
+ // Storage cleaning creates two files: instance.uuid and last_clean.json.
+ // The instance.uuid file is used to identify the instance of Caddy
+ // in a cluster. The last_clean.json file is used to store the last
+ // time the storage was cleaned.
+ // EXPERIMENTAL. Subject to change.
+ DisableStorageClean bool `json:"disable_storage_clean,omitempty"`
+
certificateLoaders []CertificateLoader
automateNames []string
ctx caddy.Context
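Review bot: The doc comment on `DisableStorageClean` omits the consequence an operator most needs: with cleaning off, expired certificates and their private keys are never pruned from storage by this instance, and the `instance.uuid`/`last_clean.json` files it describes are never written, which may also affect how this instance is identified in a cluster. I would add `// With cleaning disabled, expired certificates and keys accumulate in storage and must be removed by the operator; other instances sharing the same storage may still clean it.` and fix the grammar in `the user wants run their server` to `wants to run`. The second hunk gates `t.keepStorageClean()` on this field inside `Start`, whose body lies outside the hunk, so I cannot confirm whether the storage check (`DisableStorageCheck`) still writes anything when only cleaning is disabled.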
@@ -328,7 +339,11 @@ func (t *TLS) Start() error {
return fmt.Errorf("automate: managing %v: %v", t.automateNames, err)
}
- t.keepStorageClean()
+ if !t.DisableStorageClean {
+ // start the storage cleaner goroutine and ticker,
+ // which cleans out expired certificates and more
+ t.keepStorageClean()
+ }
return nil
}