Infrastructure/caddy
0
Fork 0
mirror of https://github.com/caddyserver/caddy.git synced 2025-01-27 23:03:37 -05:00
Code Issues Activity

Add support for OCSP Must-Staple for Let's Encrypt certs (#1221)

Browse source 
* Fix Caddytls

* Let the user decide

* Address comments
This commit is contained in:
elcore 2016-10-29 16:44:49 +02:00 committed by Matt Holt
parent 23f89f30e9
commit 53e117802f
4 changed files with 12 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
caddytls/client.go
View file

@ -197,7 +197,7 @@ Attempts:
for attempts := 0; attempts < 2; attempts++ { for attempts := 0; attempts < 2; attempts++ {
namesObtaining.Add([]string{name}) namesObtaining.Add([]string{name})
acmeMu.Lock() acmeMu.Lock()
certificate, failures := c.acmeClient.ObtainCertificate([]string{name}, true, nil) certificate, failures := c.acmeClient.ObtainCertificate([]string{name}, true, nil, c.config.MustStaple)
acmeMu.Unlock() acmeMu.Unlock()
namesObtaining.Remove([]string{name}) namesObtaining.Remove([]string{name})
if len(failures) > 0 { if len(failures) > 0 {
@ -285,7 +285,7 @@ func (c *ACMEClient) Renew(name string) error {
for attempts := 0; attempts < 2; attempts++ { for attempts := 0; attempts < 2; attempts++ {
namesObtaining.Add([]string{name}) namesObtaining.Add([]string{name})
acmeMu.Lock() acmeMu.Lock()
newCertMeta, err = c.acmeClient.RenewCertificate(certMeta, true) newCertMeta, err = c.acmeClient.RenewCertificate(certMeta, true, c.config.MustStaple)
acmeMu.Unlock() acmeMu.Unlock()
namesObtaining.Remove([]string{name}) namesObtaining.Remove([]string{name})
if err == nil { if err == nil {

3
caddytls/config.go
View file

@ -105,6 +105,9 @@ type Config struct {
// The state needed to operate on-demand TLS // The state needed to operate on-demand TLS
OnDemandState OnDemandState OnDemandState OnDemandState
// Add the must staple TLS extension to the CSR generated by lego/acme
MustStaple bool
} }
// OnDemandState contains some state relevant for providing // OnDemandState contains some state relevant for providing

2
caddytls/setup.go
View file

@ -164,6 +164,8 @@ func setupTLS(c *caddy.Controller) error {
return c.Errf("Unsupported Storage provider '%s'", args[0]) return c.Errf("Unsupported Storage provider '%s'", args[0])
} }
config.StorageProvider = args[0] config.StorageProvider = args[0]
case "muststaple":
config.MustStaple = true
default: default:
return c.Errf("Unknown keyword '%s'", c.Val()) return c.Errf("Unknown keyword '%s'", c.Val())
} }

5
caddytls/setup_test.go
View file

@ -103,6 +103,7 @@ func TestSetupParseWithOptionalParams(t *testing.T) {
params := `tls ` + certFile + ` ` + keyFile + ` { params := `tls ` + certFile + ` ` + keyFile + ` {
protocols tls1.0 tls1.2 protocols tls1.0 tls1.2
ciphers RSA-AES256-CBC-SHA ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ciphers RSA-AES256-CBC-SHA ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384
muststaple
}` }`
cfg := new(Config) cfg := new(Config)
RegisterConfigGetter("", func(c *caddy.Controller) *Config { return cfg }) RegisterConfigGetter("", func(c *caddy.Controller) *Config { return cfg })
@ -124,6 +125,10 @@ func TestSetupParseWithOptionalParams(t *testing.T) {
if len(cfg.Ciphers)-1 != 3 { if len(cfg.Ciphers)-1 != 3 {
t.Errorf("Expected 3 Ciphers (not including TLS_FALLBACK_SCSV), got %v", len(cfg.Ciphers)-1) t.Errorf("Expected 3 Ciphers (not including TLS_FALLBACK_SCSV), got %v", len(cfg.Ciphers)-1)
} }
if !cfg.MustStaple {
t.Errorf("Expected must staple to be true")
}
} }
func TestSetupDefaultWithOptionalParams(t *testing.T) { func TestSetupDefaultWithOptionalParams(t *testing.T) {