diff --git a/config/setup/tls.go b/config/setup/tls.go index 94f2e11b4..db311823c 100644 --- a/config/setup/tls.go +++ b/config/setup/tls.go @@ -53,6 +53,11 @@ func TLS(c *Controller) (middleware.Middleware, error) { } c.TLS.Ciphers = append(c.TLS.Ciphers, value) } + case "clients": + c.TLS.ClientCerts = c.RemainingArgs() + if len(c.TLS.ClientCerts) == 0 { + return nil, c.ArgErr() + } default: return nil, c.Errf("Unknown keyword '%s'") } diff --git a/config/setup/tls_test.go b/config/setup/tls_test.go index a3f02e082..04ac6cce2 100644 --- a/config/setup/tls_test.go +++ b/config/setup/tls_test.go @@ -127,3 +127,34 @@ func TestTLSParseWithWrongOptionalParams(t *testing.T) { t.Errorf("Expected errors, but no error returned") } } + +func TestTLSParseWithClientAuth(t *testing.T) { + params := `tls cert.crt cert.key { + clients client_ca.crt client2_ca.crt + }` + c := newTestController(params) + _, err := TLS(c) + if err != nil { + t.Errorf("Expected no errors, got: %v", err) + } + + if count := len(c.TLS.ClientCerts); count != 2 { + t.Fatalf("Expected two client certs, had %d", count) + } + if actual := c.TLS.ClientCerts[0]; actual != "client_ca.crt" { + t.Errorf("Expected first client cert file to be '%s', but was '%s'", "client_ca.crt", actual) + } + if actual := c.TLS.ClientCerts[1]; actual != "client2_ca.crt" { + t.Errorf("Expected second client cert file to be '%s', but was '%s'", "client2_ca.crt", actual) + } + + // Test missing client cert file + params = `tls cert.crt cert.key { + clients + }` + c = newTestController(params) + _, err = TLS(c) + if err == nil { + t.Errorf("Expected an error, but no error returned") + } +} diff --git a/server/config.go b/server/config.go index c02aec9a2..6575b7634 100644 --- a/server/config.go +++ b/server/config.go @@ -64,4 +64,5 @@ type TLSConfig struct { ProtocolMinVersion uint16 ProtocolMaxVersion uint16 PreferServerCipherSuites bool + ClientCerts []string } diff --git a/server/server.go b/server/server.go index 46e27c231..f50a26f17 100644 --- a/server/server.go +++ b/server/server.go @@ -5,7 +5,9 @@ package server import ( "crypto/tls" + "crypto/x509" "fmt" + "io/ioutil" "log" "net" "net/http" @@ -137,15 +139,53 @@ func ListenAndServeTLSWithSNI(srv *http.Server, tlsConfigs []TLSConfig) error { config.CipherSuites = tlsConfigs[0].Ciphers config.PreferServerCipherSuites = tlsConfigs[0].PreferServerCipherSuites - conn, err := net.Listen("tcp", addr) + // TLS client authentication, if user enabled it + err = setupClientAuth(tlsConfigs, config) if err != nil { return err } + // Create listener and we're on our way + conn, err := net.Listen("tcp", addr) + if err != nil { + return err + } tlsListener := tls.NewListener(conn, config) + return srv.Serve(tlsListener) } +// setupClientAuth sets up TLS client authentication only if +// any of the TLS configs specified at least one cert file. +func setupClientAuth(tlsConfigs []TLSConfig, config *tls.Config) error { + var clientAuth bool + for _, cfg := range tlsConfigs { + if len(cfg.ClientCerts) > 0 { + clientAuth = true + break + } + } + + if clientAuth { + pool := x509.NewCertPool() + for _, cfg := range tlsConfigs { + for _, caFile := range cfg.ClientCerts { + caCrt, err := ioutil.ReadFile(caFile) // Anyone that gets a cert from Matt Holt can connect + if err != nil { + return err + } + if !pool.AppendCertsFromPEM(caCrt) { + return fmt.Errorf("Error loading client certificate '%s': no certificates were successfully parsed", caFile) + } + } + } + config.ClientCAs = pool + config.ClientAuth = tls.RequireAndVerifyClientCert + } + + return nil +} + // ServeHTTP is the entry point for every request to the address that s // is bound to. It acts as a multiplexer for the requests hostname as // defined in the Host header so that the correct virtualhost