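// ConfigureTLSConfig sets up cfg to enforce clientauth's configuration.
//
// It chooses cfg.ClientAuth from clientauth.Mode (or, when Mode is empty,
// from whether any trust anchor is configured), installs the trusted CA
// pool as cfg.ClientCAs, registers the deprecated trusted_leaf_certs as a
// leaf verifier, and finally points cfg.VerifyConnection at
// clientauth.verifyConnection, remembering any pre-existing
// cfg.VerifyPeerCertificate so that it can still be honored.
//
// Of the recognized modes, only "verify_if_given" and "require_and_verify"
// make crypto/tls check the presented client chain against cfg.ClientCAs;
// "request" and "require" accept any certificate (or, for "request", none)
// at that layer, so with those modes any checking depends entirely on the
// connection verifier installed below.
//
// An error is returned if cfg is nil, if clientauth.Mode is not one of the
// recognized values, or if a trusted leaf certificate cannot be decoded.
func (clientauth *ClientAuthentication) ConfigureTLSConfig(cfg *tls.Config) error {
	if cfg == nil {
		return fmt.Errorf("configuring client auth: nil tls config")
	}

	// if there's no actionable client auth, simply disable it
	if !clientauth.Active() {
		cfg.ClientAuth = tls.NoClientCert
		return nil
	}

	// enforce desired mode of client authentication
	switch clientauth.Mode {
	case "":
		// no explicit mode: always demand a client certificate, and have
		// crypto/tls verify it against ClientCAs whenever some trust anchor
		// (CA certs, CA module, or leaf certs) has been configured; without
		// any trust anchor there is nothing to verify against at this layer
		if len(clientauth.TrustedCACerts) > 0 ||
			len(clientauth.TrustedCACertPEMFiles) > 0 ||
			len(clientauth.TrustedLeafCerts) > 0 ||
			clientauth.CARaw != nil || clientauth.ca != nil {
			cfg.ClientAuth = tls.RequireAndVerifyClientCert
		} else {
			cfg.ClientAuth = tls.RequireAnyClientCert
		}
	case "request":
		cfg.ClientAuth = tls.RequestClientCert
	case "require":
		cfg.ClientAuth = tls.RequireAnyClientCert
	case "verify_if_given":
		cfg.ClientAuth = tls.VerifyClientCertIfGiven
	case "require_and_verify":
		cfg.ClientAuth = tls.RequireAndVerifyClientCert
	default:
		return fmt.Errorf("client auth mode not recognized: %s", clientauth.Mode)
	}

	// enforce CA verification by adding CA certs to the ClientCAs pool
	if clientauth.ca != nil {
		cfg.ClientCAs = clientauth.ca.CertPool()
	}

	// TODO: DEPRECATED: Only here for backwards compatibility.
	// If leaf cert is specified, enforce by adding a client auth module.
	// NOTE(review): the verifier is appended on every call, so calling
	// ConfigureTLSConfig more than once on the same value registers it
	// more than once — confirm callers invoke this only once.
	if len(clientauth.TrustedLeafCerts) > 0 {
		caddy.Log().Named("tls.connection_policy").Warn("trusted_leaf_certs is deprecated; use leaf verifier module instead")
		trustedLeafCerts := make([]*x509.Certificate, 0, len(clientauth.TrustedLeafCerts))
		for _, clientCertString := range clientauth.TrustedLeafCerts {
			clientCert, err := decodeBase64DERCert(clientCertString)
			if err != nil {
				// wrap with %w so callers can inspect the underlying decode error
				return fmt.Errorf("parsing certificate: %w", err)
			}
			trustedLeafCerts = append(trustedLeafCerts, clientCert)
		}
		clientauth.verifiers = append(clientauth.verifiers, LeafCertClientAuth{trustedLeafCerts: trustedLeafCerts})
	}

	// if a custom verification function already exists, remember it so the
	// connection verifier can still run it, then take over VerifyConnection
	// (any VerifyConnection that was previously set on cfg is replaced)
	clientauth.existingVerifyPeerCert = cfg.VerifyPeerCertificate
	cfg.VerifyConnection = clientauth.verifyConnection
	return nil
}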