* Disable StrictHostMatching for single server configs
* Add the insecure_disable_sni_matching directive
* Do not override insecure_disable_sni_matching
* Remove comment
A random config is intended to be used only for solving TLS-ALPN
challenges; so we have to be sure to disable on-demand TLS so that
arbitrary names can't request certificates with another name's
on-demand config.
Each time the Caddyfile reloads and Caddy is restarted,
caddytls.NewConfig starts a goroutine for cleaning the
certificate storage. This goroutine ranges over a time.Ticker
channel; although Stop is called on this ticker, Stop does
not close the underlying channel so the goroutine never exits.
This change adds an additional channel that is listened to
in the certificate cleaning goroutine so it can exit
on restarts.
* caddytls: Change clustering to be a plugin to the caddytls package
Should resolve the failure in
https://github.com/coredns/coredns/pull/2541.
This change is breaking to clustering plugin developers (not Caddy
users), but logical, since only the caddytls package uses CertMagic
directly (the httpserver package also uses it, but only because it also
uses the caddytls plugin); and it is early enough that no clustering
plugins really exist yet.
This will also require a change of devportal
so that it looks for a different registration function, which has moved
to the caddytls package.
* Remove unused variable
* caddyhttp: Fix test (adjust plugin counting)
* ummmm, remove extra line break
somehow VS Code didn't fmt on save... weird.
Should resolve the failure in
https://github.com/coredns/coredns/pull/2541.
This change is breaking to clustering plugin developers (not Caddy
users), but logical, since only the caddytls package uses CertMagic
directly (the httpserver package also uses it, but only because it also
uses the caddytls plugin); and it is early enough that no clustering
plugins really exist yet.
This will also require a change of devportal
so that it looks for a different registration function, which has moved
to the caddytls package.
* caddytls: Fix empty SNI handling (new -default-sni flag)
vendor: update certmagic, needed to support this
Hopefully fixes#2451, fixes#2438, and fixes#2414
* caddytls: Don't overwrite certmagic Manager (fixes#2407)
Supersedes #2447
* vendor: Update certmagic to fix nil pointer deref and TLS-ALPN cleanup
* Improve -default-sni flag help text
All code relating to a caddytls.Config and setting it up from the
Caddyfile is still intact; only the certificate management-related
code was removed into a separate package.
I don't expect this to build in CI successfully; updating dependencies
and vendor is coming next.
I've also removed the ad-hoc, half-baked storage plugins that we need
to finish making first-class Caddy plugins (they were never documented
anyway). The new certmagic package has a much better storage interface,
and we can finally move toward making a new storage plugin type, but
it shouldn't be configurable in the Caddyfile, I think, since it doesn't
make sense for a Caddy instance to use more than one storage config...
We also have the option of eliminating DNS provider plugins and just
shipping all of lego's DNS providers by using a lego package (the
caddytls/setup.go file has a comment describing how) -- but it doubles
Caddy's binary size by 100% from about 19 MB to around 40 MB...!
* tls: Add support for the tls-alpn-01 challenge
Also updates lego/acme to latest on master.
TODO: This implementation of the tls-alpn challenge is not yet solvable
in a distributed Caddy cluster like the http challenge is.
* build: Allow building with the race detector
* tls: Support distributed solving of the TLS-ALPN-01 challenge
* Update vendor and add a todo in MITM checker
* caddytls: Raise TLS alert if no certificate matches SAN (closes#1303)
I don't love this half-baked solution to the issue raised in #1303 way
more than a year after the original issue was closed (the necro comments
are about an issue separate from the original issue that started it),
but I do like TLS alerts more than wrong certificates.
* Restore test to match
* Restore another previous test
* Adding TLS client cert placeholders
* Use function to get the peer certificate
* Changing SHA1 to SHA256
* Use UTC instead of GMT
* Adding tests
* Adding getters for Protocol and Cipher
- Introduce StrictHostMatching mode for sites that require clientauth
- Error if QUIC is enabled whilst TLS clientauth is configured
(Our QUIC implementation does not yet support TLS clientauth, but
maybe it will in the future - fixes#2095)
- Error if one but not all TLS configs for the same hostname have a
different ClientAuth CA pool
