ConfigureTLSConfig sets up cfg to enforce clientauth's configuration.

(cfg *tls.Config)

// ConfigureTLSConfig sets up cfg to enforce clientauth's configuration.
//
// It chooses the tls.ClientAuthType for cfg (from clientauth.Mode, or a
// default derived from whether any trust anchors are configured), installs
// clientauth's CA pool as cfg.ClientCAs when one has been provisioned, and
// routes connection verification through clientauth.verifyConnection. The
// VerifyPeerCertificate callback already present on cfg is stashed on the
// receiver so that a caller-supplied check is not lost.
//
// Note that this method mutates the receiver as well as cfg: it records
// existingVerifyPeerCert and, for the deprecated trusted_leaf_certs option,
// appends a LeafCertClientAuth to clientauth.verifiers on every call.
//
// It returns an error when clientauth.Mode is not a recognized value or when
// a trusted leaf certificate cannot be decoded.
func (clientauth *ClientAuthentication) ConfigureTLSConfig(cfg *tls.Config) error {
	// Nothing to enforce: switch client auth off explicitly rather than
	// leaving whatever cfg previously carried.
	if !clientauth.Active() {
		cfg.ClientAuth = tls.NoClientCert
		return nil
	}

	// Pick the client auth type. An explicit mode wins; an empty mode falls
	// back to a default that depends on whether there is anything to verify
	// presented certificates against.
	switch clientauth.Mode {
	case "request":
		cfg.ClientAuth = tls.RequestClientCert
	case "require":
		cfg.ClientAuth = tls.RequireAnyClientCert
	case "verify_if_given":
		cfg.ClientAuth = tls.VerifyClientCertIfGiven
	case "require_and_verify":
		cfg.ClientAuth = tls.RequireAndVerifyClientCert
	case "":
		// No mode configured: verify against the trust anchors when any
		// exist; otherwise a certificate is still demanded, but the
		// handshake does not validate it (RequireAnyClientCert).
		hasTrustAnchors := len(clientauth.TrustedCACerts) > 0 ||
			len(clientauth.TrustedCACertPEMFiles) > 0 ||
			len(clientauth.TrustedLeafCerts) > 0 ||
			clientauth.CARaw != nil ||
			clientauth.ca != nil
		if hasTrustAnchors {
			cfg.ClientAuth = tls.RequireAndVerifyClientCert
		} else {
			cfg.ClientAuth = tls.RequireAnyClientCert
		}
	default:
		return fmt.Errorf("client auth mode not recognized: %s", clientauth.Mode)
	}

	// The provisioned CA pool is what the standard library checks client
	// chains against in the verifying modes.
	if clientauth.ca != nil {
		cfg.ClientCAs = clientauth.ca.CertPool()
	}

	// TODO: DEPRECATED: Only here for backwards compatibility.
	// trusted_leaf_certs is honored by translating it into a LeafCertClientAuth
	// verifier. A decode failure aborts configuration instead of silently
	// trusting fewer leaves than were listed.
	if n := len(clientauth.TrustedLeafCerts); n > 0 {
		caddy.Log().Named("tls.connection_policy").Warn("trusted_leaf_certs is deprecated; use leaf verifier module instead")
		leaves := make([]*x509.Certificate, 0, n)
		for _, encoded := range clientauth.TrustedLeafCerts {
			leaf, err := decodeBase64DERCert(encoded)
			if err != nil {
				return fmt.Errorf("parsing certificate: %v", err)
			}
			leaves = append(leaves, leaf)
		}
		// NOTE(review): this appends on every call; if ConfigureTLSConfig runs
		// more than once for the same policy the leaf verifier is duplicated —
		// confirm against callers.
		clientauth.verifiers = append(clientauth.verifiers, LeafCertClientAuth{trustedLeafCerts: leaves})
	}

	// Keep any verification callback the caller had already installed so that
	// verifyConnection (defined elsewhere) can still consult it; presumably it
	// invokes existingVerifyPeerCert — confirm there. cfg.VerifyPeerCertificate
	// itself is left in place on cfg.
	clientauth.existingVerifyPeerCert = cfg.VerifyPeerCertificate
	cfg.VerifyConnection = clientauth.verifyConnection
	return nil
}
