parseTLS parses the tls directive. Syntax: tls [<email>|internal|force_automate]|[<cert_file> <key_file>] { protocols <min> [<max>] ciphers <cipher_suites...> curves <curves...> client_auth { mode [request|require|verify_if_given|require_and_veri
(h Helper)
| 116 | // renewal_window_ratio <ratio> |
| 117 | // } |
| 118 | func parseTLS(h Helper) ([]ConfigValue, error) { |
| 119 | h.Next() // consume directive name |
| 120 | |
| 121 | cp := new(caddytls.ConnectionPolicy) |
| 122 | var fileLoader caddytls.FileLoader |
| 123 | var folderLoader caddytls.FolderLoader |
| 124 | var certSelector caddytls.CustomCertSelectionPolicy |
| 125 | var acmeIssuer *caddytls.ACMEIssuer |
| 126 | var keyType string |
| 127 | var internalIssuer *caddytls.InternalIssuer |
| 128 | var issuers []certmagic.Issuer |
| 129 | var certManagers []certmagic.Manager |
| 130 | var onDemand bool |
| 131 | var reusePrivateKeys bool |
| 132 | var forceAutomate bool |
| 133 | var renewalWindowRatio float64 |
| 134 | |
| 135 | // Track which DNS challenge options are set |
| 136 | var dnsOptionsSet []string |
| 137 | |
| 138 | firstLine := h.RemainingArgs() |
| 139 | switch len(firstLine) { |
| 140 | case 0: |
| 141 | case 1: |
| 142 | if firstLine[0] == "internal" { |
| 143 | internalIssuer = new(caddytls.InternalIssuer) |
| 144 | } else if firstLine[0] == "force_automate" { |
| 145 | forceAutomate = true |
| 146 | } else if !strings.Contains(firstLine[0], "@") { |
| 147 | return nil, h.Err("single argument must either be 'internal', 'force_automate', or an email address") |
| 148 | } else { |
| 149 | acmeIssuer = &caddytls.ACMEIssuer{ |
| 150 | Email: firstLine[0], |
| 151 | } |
| 152 | } |
| 153 | |
| 154 | case 2: |
| 155 | // file certificate loader |
| 156 | certFilename := firstLine[0] |
| 157 | keyFilename := firstLine[1] |
| 158 | |
| 159 | // tag this certificate so if multiple certs match, specifically |
| 160 | // this one that the user has provided will be used, see #2588: |
| 161 | // https://github.com/caddyserver/caddy/issues/2588 ... but we |
| 162 | // must be careful about how we do this; being careless will |
| 163 | // lead to failed handshakes |
| 164 | // |
| 165 | // we need to remember which cert files we've seen, since we |
| 166 | // must load each cert only once; otherwise, they each get a |
| 167 | // different tag... since a cert loaded twice has the same |
| 168 | // bytes, it will overwrite the first one in the cache, and |
| 169 | // only the last cert (and its tag) will survive, so any conn |
| 170 | // policy that is looking for any tag other than the last one |
| 171 | // to be loaded won't find it, and TLS handshakes will fail |
| 172 | // (see end of issue #3004) |
| 173 | // |
| 174 | // tlsCertTags maps certificate filenames to their tag. |
| 175 | // This is used to remember which tag is used for each |
nothing calls this directly
no test coverage detected