diff options
Diffstat (limited to 'modules/caddytls')
-rw-r--r-- | modules/caddytls/acmeissuer.go | 2 | ||||
-rw-r--r-- | modules/caddytls/automation.go | 2 | ||||
-rw-r--r-- | modules/caddytls/connpolicy.go | 16 |
3 files changed, 17 insertions, 3 deletions
diff --git a/modules/caddytls/acmeissuer.go b/modules/caddytls/acmeissuer.go index 9dfeff724..29a5954e7 100644 --- a/modules/caddytls/acmeissuer.go +++ b/modules/caddytls/acmeissuer.go @@ -28,7 +28,7 @@ import ( "github.com/caddyserver/certmagic" "github.com/caddyserver/zerossl" - "github.com/mholt/acmez/v2/acme" + "github.com/mholt/acmez/v3/acme" "go.uber.org/zap" "go.uber.org/zap/zapcore" diff --git a/modules/caddytls/automation.go b/modules/caddytls/automation.go index f6a535077..1bc86020d 100644 --- a/modules/caddytls/automation.go +++ b/modules/caddytls/automation.go @@ -25,7 +25,7 @@ import ( "strings" "github.com/caddyserver/certmagic" - "github.com/mholt/acmez/v2" + "github.com/mholt/acmez/v3" "go.uber.org/zap" "go.uber.org/zap/zapcore" diff --git a/modules/caddytls/connpolicy.go b/modules/caddytls/connpolicy.go index 9332cf2ed..d9fc6bcfe 100644 --- a/modules/caddytls/connpolicy.go +++ b/modules/caddytls/connpolicy.go @@ -26,7 +26,7 @@ import ( "os" "strings" - "github.com/mholt/acmez/v2" + "github.com/mholt/acmez/v3" "go.uber.org/zap" "go.uber.org/zap/zapcore" @@ -350,6 +350,20 @@ func (p *ConnectionPolicy) buildStandardTLSConfig(ctx caddy.Context) error { if err := p.ClientAuthentication.ConfigureTLSConfig(cfg); err != nil { return fmt.Errorf("configuring TLS client authentication: %v", err) } + + // Prevent privilege escalation in case multiple vhosts are configured for + // this TLS server; we could potentially figure out if that's the case, but + // that might be complex to get right every time. Actually, two proper + // solutions could leave tickets enabled, but I am not sure how to do them + // properly without significant time investment; there may be new Go + // APIs that alloaw this (Wrap/UnwrapSession?) but I do not know how to use + // them at this time. TODO: one of these is a possible future enhancement: + // A) Prevent resumptions across server identities (certificates): binding the ticket to the + // certificate we would serve in a full handshake, or even bind a ticket to the exact SNI + // it was issued under (though there are proposals for session resumption across hostnames). + // B) Prevent resumptions falsely authenticating a client: include the realm in the ticket, + // so that it can be validated upon resumption. + cfg.SessionTicketsDisabled = true } if p.InsecureSecretsLog != "" { |