Merge pull request #706 from elcore/patch-3

tls: Customize key type with key_type
This commit is contained in:
Matt Holt 2016-04-02 13:40:49 -06:00
commit 462128cd80
3 changed files with 49 additions and 1 deletions

View File

@ -404,7 +404,7 @@ const AlternatePort = "5033"
// KeyType is the type to use for new keys.
// This shouldn't need to change except for in tests;
// the size can be drastically reduced for speed.
var KeyType = acme.EC384
var KeyType acme.KeyType
// stopChan is used to signal the maintenance goroutine
// to terminate.

View File

@ -14,6 +14,7 @@ import (
"github.com/mholt/caddy/caddy/setup"
"github.com/mholt/caddy/middleware"
"github.com/mholt/caddy/server"
"github.com/xenolf/lego/acme"
)
// Setup sets up the TLS configuration and installs certificates that
@ -51,6 +52,13 @@ func Setup(c *setup.Controller) (middleware.Middleware, error) {
for c.NextBlock() {
hadBlock = true
switch c.Val() {
case "key_type":
arg := c.RemainingArgs()
value, ok := supportedKeyTypes[strings.ToUpper(arg[0])]
if !ok {
return nil, c.Errf("Wrong KeyType name or KeyType not supported '%s'", c.Val())
}
KeyType = value
case "protocols":
args := c.RemainingArgs()
if len(args) != 2 {
@ -220,6 +228,10 @@ func loadCertsInDir(c *setup.Controller, dir string) error {
// port to 443 if not already set, TLS is enabled, TLS is manual, and the host
// does not equal localhost.
func setDefaultTLSParams(c *server.Config) {
if KeyType == "" {
KeyType = acme.RSA2048
}
// If no ciphers provided, use default list
if len(c.TLS.Ciphers) == 0 {
c.TLS.Ciphers = defaultCiphers
@ -247,6 +259,15 @@ func setDefaultTLSParams(c *server.Config) {
}
}
// Map of supported key types
var supportedKeyTypes = map[string]acme.KeyType{
"EC384": acme.EC384,
"EC256": acme.EC256,
"RSA8192": acme.RSA8192,
"RSA4096": acme.RSA4096,
"RSA2048": acme.RSA2048,
}
// Map of supported protocols.
// SSLv3 will be not supported in future release.
// HTTP/2 only supports TLS 1.2 and higher.

View File

@ -8,6 +8,7 @@ import (
"testing"
"github.com/mholt/caddy/caddy/setup"
"github.com/xenolf/lego/acme"
)
func TestMain(m *testing.M) {
@ -170,6 +171,16 @@ func TestSetupParseWithWrongOptionalParams(t *testing.T) {
if err == nil {
t.Errorf("Expected errors, but no error returned")
}
// Test key_type wrong params
params = `tls {
key_type ab123
}`
c = setup.NewTestController(params)
_, err = Setup(c)
if err == nil {
t.Errorf("Expected errors, but no error returned")
}
}
func TestSetupParseWithClientAuth(t *testing.T) {
@ -203,6 +214,22 @@ func TestSetupParseWithClientAuth(t *testing.T) {
}
}
func TestSetupParseWithKeyType(t *testing.T) {
params := `tls {
key_type ec384
}`
c := setup.NewTestController(params)
_, err := Setup(c)
if err != nil {
t.Errorf("Expected no errors, got: %v", err)
}
if KeyType != acme.EC384 {
t.Errorf("Expected 'P384' as KeyType, got %#v", KeyType)
}
}
const (
certFile = "test_cert.pem"
keyFile = "test_key.pem"