mirror of
https://github.com/caddyserver/caddy.git
synced 2024-12-01 21:24:23 +08:00
tls: Prevent Go stdlib from overwriting our very first tls ticket key (#785)
[1]57e459e02b/src/crypto/tls/common.go (L424)
[2]57e459e02b/src/crypto/tls/common.go (L392-L407)
[2] has overwritten the first tls ticket key on round N=0, that has previously been written using [1]. Go's stdlib does not use c.sessionTicketKeys≥1 as indicator if those values had already been set; initializing that lone SessionTicketKey does the job for for now. If c.serverInit() were called in round N+1 all existing tls ticket keys would be overwritten (in round N<4 except the very first one, of course). As member variables of tls.Config are read-only by then, we cannot keep updating SessionTicketKey as well. This has been escalated to Go's authors with golang/go#15421 here: https://github.com/golang/go/issues/15421 Thanks to Matthew Holt for the initial report!
This commit is contained in:
parent
5c96ee1d9c
commit
6f5cff5393
|
@ -445,6 +445,7 @@ func standaloneTLSTicketKeyRotation(c *tls.Config, timer *time.Ticker, exitChan
|
||||||
c.SessionTicketsDisabled = true // bail if we don't have the entropy for the first one
|
c.SessionTicketsDisabled = true // bail if we don't have the entropy for the first one
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
c.SessionTicketKey = keys[0] // SetSessionTicketKeys doesn't set a 'tls.keysAlreadSet'
|
||||||
c.SetSessionTicketKeys(setSessionTicketKeysTestHook(keys))
|
c.SetSessionTicketKeys(setSessionTicketKeysTestHook(keys))
|
||||||
|
|
||||||
for {
|
for {
|
||||||
|
|
Loading…
Reference in New Issue
Block a user