github.com/caddyserver/caddy / parseTLS

Function parseTLS

caddyconfig/httpcaddyfile/builtins.go:118–634

parseTLS parses the tls directive. Syntax:

	tls [<email>|internal|force_automate]|[<cert_file> <key_file>] {
		protocols <min> [<max>]
		ciphers <cipher_suites...>
		curves <curves...>
		client_auth {
			mode [request|require|verify_if_given|require_and_veri

Signature: func parseTLS(h Helper) ([]ConfigValue, error)


//	renewal_window_ratio <ratio>
// }
func parseTLS(h Helper) ([]ConfigValue, error) {
	h.Next() // consume directive name

	cp := new(caddytls.ConnectionPolicy)
	var fileLoader caddytls.FileLoader
	var folderLoader caddytls.FolderLoader
	var certSelector caddytls.CustomCertSelectionPolicy
	var acmeIssuer *caddytls.ACMEIssuer
	var keyType string
	var internalIssuer *caddytls.InternalIssuer
	var issuers []certmagic.Issuer
	var certManagers []certmagic.Manager
	var onDemand bool
	var reusePrivateKeys bool
	var forceAutomate bool
	var renewalWindowRatio float64

	// Track which DNS challenge options are set
	var dnsOptionsSet []string

	firstLine := h.RemainingArgs()
	switch len(firstLine) {
	case 0:
	case 1:
		if firstLine[0] == "internal" {
			internalIssuer = new(caddytls.InternalIssuer)
		} else if firstLine[0] == "force_automate" {
			forceAutomate = true
		} else if !strings.Contains(firstLine[0], "@") {
			return nil, h.Err("single argument must either be 'internal', 'force_automate', or an email address")
		} else {
			acmeIssuer = &caddytls.ACMEIssuer{
				Email: firstLine[0],
			}
		}

	case 2:
		// file certificate loader
		certFilename := firstLine[0]
		keyFilename := firstLine[1]

		// tag this certificate so if multiple certs match, specifically
		// this one that the user has provided will be used, see #2588:
		// https://github.com/caddyserver/caddy/issues/2588 ... but we
		// must be careful about how we do this; being careless will
		// lead to failed handshakes
		//
		// we need to remember which cert files we've seen, since we
		// must load each cert only once; otherwise, they each get a
		// different tag... since a cert loaded twice has the same
		// bytes, it will overwrite the first one in the cache, and
		// only the last cert (and its tag) will survive, so any conn
		// policy that is looking for any tag other than the last one
		// to be loaded won't find it, and TLS handshakes will fail
		// (see end of issue #3004)
		//
		// tlsCertTags maps certificate filenames to their tag.
		// This is used to remember which tag is used for each

Callers

nothing calls this directly

Calls (15)

CipherSuiteNameSupported (function) · 0.92
UnmarshalModule (function) · 0.92
JSONModuleObject (function) · 0.92
implicitACMEIssuers (function) · 0.85
RemainingArgs (method) · 0.80
Err (method) · 0.80
ArgErr (method) · 0.80
NextBlock (method) · 0.80
Val (method) · 0.80
Errf (method) · 0.80
NextArg (method) · 0.80
NewFromNextSegment (method) · 0.80

Tested by

no test coverage detected