Diffstat (limited to 'modules')
-rw-r--r--modules/caddytls/acmeissuer.go2
-rw-r--r--modules/caddytls/automation.go2
-rw-r--r--modules/caddytls/connpolicy.go16
3 files changed, 17 insertions, 3 deletions
diff --git a/modules/caddytls/acmeissuer.go b/modules/caddytls/acmeissuer.go
index 9dfeff724..29a5954e7 100644
--- a/modules/caddytls/acmeissuer.go
+++ b/modules/caddytls/acmeissuer.go
@@ -28,7 +28,7 @@ import (
"github.com/caddyserver/certmagic"
"github.com/caddyserver/zerossl"
- "github.com/mholt/acmez/v2/acme"
+ "github.com/mholt/acmez/v3/acme"
"go.uber.org/zap"
"go.uber.org/zap/zapcore"
diff --git a/modules/caddytls/automation.go b/modules/caddytls/automation.go
index f6a535077..1bc86020d 100644
--- a/modules/caddytls/automation.go
+++ b/modules/caddytls/automation.go
@@ -25,7 +25,7 @@ import (
"strings"
"github.com/caddyserver/certmagic"
- "github.com/mholt/acmez/v2"
+ "github.com/mholt/acmez/v3"
"go.uber.org/zap"
"go.uber.org/zap/zapcore"
diff --git a/modules/caddytls/connpolicy.go b/modules/caddytls/connpolicy.go
index 9332cf2ed..d9fc6bcfe 100644
--- a/modules/caddytls/connpolicy.go
+++ b/modules/caddytls/connpolicy.go
@@ -26,7 +26,7 @@ import (
"os"
"strings"
- "github.com/mholt/acmez/v2"
+ "github.com/mholt/acmez/v3"
"go.uber.org/zap"
"go.uber.org/zap/zapcore"
@@ -350,6 +350,20 @@ func (p *ConnectionPolicy) buildStandardTLSConfig(ctx caddy.Context) error {
if err := p.ClientAuthentication.ConfigureTLSConfig(cfg); err != nil {
return fmt.Errorf("configuring TLS client authentication: %v", err)
}
+
+ // Prevent privilege escalation in case multiple vhosts are configured for
+ // this TLS server; we could potentially figure out if that's the case, but
+ // that might be complex to get right every time. Actually, two proper
+ // solutions could leave tickets enabled, but I am not sure how to do them
+ // properly without significant time investment; there may be new Go
+ // APIs that alloaw this (Wrap/UnwrapSession?) but I do not know how to use
+ // them at this time. TODO: one of these is a possible future enhancement:
+ // A) Prevent resumptions across server identities (certificates): binding the ticket to the
+ // certificate we would serve in a full handshake, or even bind a ticket to the exact SNI
+ // it was issued under (though there are proposals for session resumption across hostnames).
+ // B) Prevent resumptions falsely authenticating a client: include the realm in the ticket,
+ // so that it can be validated upon resumption.
+ cfg.SessionTicketsDisabled = true
}
if p.InsecureSecretsLog != "" {
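Review bot: The comment added at L50–L61 is a first-person working note (with the typo `alloaw`) rather than a statement of the threat the flag mitigates, and neither the comment nor the commit records the cost of the control; note that this whole block sits inside the client-authentication branch whose `if` opens before the hunk, so only policies with client auth are affected. I would replace the comment with something like `// Disable session tickets (and with them TLS 1.3 PSK resumption) whenever client auth is configured: a ticket issued under this policy could be presented on a connection matched by a different policy (other vhost, CA set or verifier), so the cached client-auth result must not be trusted across policies. TODO: bind tickets to the policy via tls.Config.WrapSession/UnwrapSession and SessionState.Extra instead of disabling resumption outright.` The Wrap/UnwrapSession hooks the original note wonders about exist in crypto/tls from Go 1.21, so if the module's go directive is at least that, the TODO is implementable rather than speculative. The practical effect — every mTLS connection now pays a full handshake and any configured session-ticket key rotation becomes moot for these policies — deserves a changelog line, and the remainder of `buildStandardTLSConfig` (outside this hunk) should be checked so nothing later re-enables tickets.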