diff --git a/caddy/https/https.go b/caddy/https/https.go
index 76e5e3129..83e5a52e8 100644
--- a/caddy/https/https.go
+++ b/caddy/https/https.go
@@ -404,7 +404,7 @@ const AlternatePort = "5033"
 // KeyType is the type to use for new keys.
 // This shouldn't need to change except for in tests;
 // the size can be drastically reduced for speed.
-var KeyType = acme.EC384
+var KeyType acme.KeyType
 
 // stopChan is used to signal the maintenance goroutine
 // to terminate.
diff --git a/caddy/https/setup.go b/caddy/https/setup.go
index 566bc94e6..ac1f7da30 100644
--- a/caddy/https/setup.go
+++ b/caddy/https/setup.go
@@ -14,6 +14,7 @@ import (
 	"github.com/mholt/caddy/caddy/setup"
 	"github.com/mholt/caddy/middleware"
 	"github.com/mholt/caddy/server"
+	"github.com/xenolf/lego/acme"
 )
 
 // Setup sets up the TLS configuration and installs certificates that
@@ -51,6 +52,13 @@ func Setup(c *setup.Controller) (middleware.Middleware, error) {
 		for c.NextBlock() {
 			hadBlock = true
 			switch c.Val() {
+			case "key_type":
+				arg := c.RemainingArgs()
+				value, ok := supportedKeyTypes[strings.ToUpper(arg[0])]
+				if !ok {
+					return nil, c.Errf("Wrong KeyType name or KeyType not supported '%s'", c.Val())
+				}
+				KeyType = value
 			case "protocols":
 				args := c.RemainingArgs()
 				if len(args) != 2 {
@@ -220,6 +228,10 @@ func loadCertsInDir(c *setup.Controller, dir string) error {
 // port to 443 if not already set, TLS is enabled, TLS is manual, and the host
 // does not equal localhost.
 func setDefaultTLSParams(c *server.Config) {
+	if KeyType == "" {
+		KeyType = acme.RSA2048
+	}
+
 	// If no ciphers provided, use default list
 	if len(c.TLS.Ciphers) == 0 {
 		c.TLS.Ciphers = defaultCiphers
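Review bot: The doc comment kept above `var KeyType acme.KeyType` is now stale: it says the value should not change except in tests, but the new `key_type` directive in setup.go sets it from the Caddyfile, and the zero value `""` remains until setDefaultTLSParams fills in RSA2048. Any code that reads KeyType before a `tls` directive has been set up would see an empty key type; whether such a reader exists is not visible in this diff. Suggested comment: `// KeyType is the key type used for newly generated keys. It is set by the key_type directive; when unset, setDefaultTLSParams defaults it to acme.RSA2048. Tests may override it with a smaller size for speed.`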
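Review bot: `arg[0]` in the new `key_type` case is indexed without checking that `c.RemainingArgs()` returned anything, so a Caddyfile line `key_type` with no argument panics the parser instead of producing a config error, while the neighbouring `protocols` case checks its argument count first. Add `if len(arg) != 1 { return nil, c.ArgErr() }` before the map lookup. The error message should also report the rejected value directly, `c.Errf("Wrong KeyType name or KeyType not supported '%s'", arg[0])`, since after RemainingArgs() the token `c.Val()` points at is whichever argument was consumed last, not necessarily the one that failed. Note that the assignment writes the package-level KeyType, so with several `tls` blocks the last one parsed wins for all sites; Setup continues outside the hunk.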
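Review bot: The lazy default added at the top of setDefaultTLSParams changes the effective default key type from EC384 (the initializer removed in https.go) to RSA2048 for every deployment that never sets `key_type`, and an RSA-2048 key offers a lower security level than a P-384 key; nothing in the diff says this downgrade is intended. If it is deliberate, state it in the KeyType doc comment; if not, default to `acme.EC384` here. Either way a per-config helper is an odd place to initialise package-level state: `var KeyType = acme.RSA2048` in https.go would behave the same, since Setup's `key_type` case overwrites it afterwards, unless something relies on observing the empty value. setDefaultTLSParams continues outside the hunk.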
@@ -247,6 +259,15 @@ func setDefaultTLSParams(c *server.Config) {
 	}
 }
 
+// Map of supported key types
+var supportedKeyTypes = map[string]acme.KeyType{
+	"EC384": acme.EC384,
+	"EC256": acme.EC256,
+	"RSA8192": acme.RSA8192,
+	"RSA4096": acme.RSA4096,
+	"RSA2048": acme.RSA2048,
+}
+
 // Map of supported protocols.
 // SSLv3 will be not supported in future release.
 // HTTP/2 only supports TLS 1.2 and higher.
diff --git a/caddy/https/setup_test.go b/caddy/https/setup_test.go
index 047ccd57e..220cb0bcc 100644
--- a/caddy/https/setup_test.go
+++ b/caddy/https/setup_test.go
@@ -8,6 +8,7 @@ import (
 	"testing"
 
 	"github.com/mholt/caddy/caddy/setup"
+	"github.com/xenolf/lego/acme"
 )
 
 func TestMain(m *testing.M) {
@@ -170,6 +171,16 @@ func TestSetupParseWithWrongOptionalParams(t *testing.T) {
 	if err == nil {
 		t.Errorf("Expected errors, but no error returned")
 	}
+
+	// Test key_type wrong params
+	params = `tls {
+		key_type ab123
+	}`
+	c = setup.NewTestController(params)
+	_, err = Setup(c)
+	if err == nil {
+		t.Errorf("Expected errors, but no error returned")
+	}
 }
 
 func TestSetupParseWithClientAuth(t *testing.T) {
@@ -203,6 +214,22 @@ func TestSetupParseWithClientAuth(t *testing.T) {
 	}
 }
 
+func TestSetupParseWithKeyType(t *testing.T) {
+	params := `tls {
+		key_type ec384
+	}`
+	c := setup.NewTestController(params)
+
+	_, err := Setup(c)
+	if err != nil {
+		t.Errorf("Expected no errors, got: %v", err)
+	}
+
+	if KeyType != acme.EC384 {
+		t.Errorf("Expected 'P384' as KeyType, got %#v", KeyType)
+	}
+}
+
 const (
 	certFile = "test_cert.pem"
 	keyFile = "test_key.pem"
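Review bot: The comment on `supportedKeyTypes` should state the lookup contract, because the map only works together with the `strings.ToUpper` applied in Setup: entries must be upper-case, and that is what lets `key_type ec384` in the test resolve. Suggested: `// supportedKeyTypes maps the upper-cased key_type directive argument to its acme.KeyType. Setup upper-cases user input before the lookup, so every key here must be upper-case.`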
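Review bot: The new negative case in TestSetupParseWithWrongOptionalParams only checks that `key_type ab123` returns an error; it does not check that the package-level KeyType was left untouched, which is what a failed parse must guarantee. Capture it first, `before := KeyType`, and after the Setup call add `if KeyType != before { t.Errorf("KeyType changed on failed parse: %#v", KeyType) }`. A `key_type` line with no argument is also worth a case here, but as written that input would panic on `arg[0]` in Setup rather than fail the test, so it depends on the argument-count check being added there first.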
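Review bot: TestSetupParseWithKeyType leaves the package-level KeyType set to acme.EC384 when it returns, so every later test in the package that calls Setup inherits it and results become order-dependent; restore it with `defer func(prev acme.KeyType) { KeyType = prev }(KeyType)` as the first line of the test. The failure message says `Expected 'P384'` while the comparison is against acme.EC384; use one name, e.g. `t.Errorf("Expected %v as KeyType, got %#v", acme.EC384, KeyType)`. Since a Setup error is reported with t.Errorf, the KeyType assertion still runs on a failed parse and produces a second, misleading failure; `t.Fatalf` there would keep the report to the real cause.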