(ctx caddy.Context)
| 267 | } |
| 268 | |
| 269 | func (p *ConnectionPolicy) buildStandardTLSConfig(ctx caddy.Context) error { |
| 270 | tlsAppIface, err := ctx.App("tls") |
| 271 | if err != nil { |
| 272 | return fmt.Errorf("getting tls app: %v", err) |
| 273 | } |
| 274 | tlsApp := tlsAppIface.(*TLS) |
| 275 | |
| 276 | // fill in some "easy" default values, but for other values |
| 277 | // (such as slices), we should ensure that they start empty |
| 278 | // so the user-provided config can fill them in; then we will |
| 279 | // fill in a default config at the end if they are still unset |
| 280 | cfg := &tls.Config{ |
| 281 | NextProtos: p.ALPN, |
| 282 | GetCertificate: func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) { |
| 283 | // TODO: I don't love how this works: we pre-build certmagic configs |
| 284 | // so that handshakes are faster. Unfortunately, certmagic configs are |
| 285 | // comprised of settings from both a TLS connection policy and a TLS |
| 286 | // automation policy. The only two fields (as of March 2020; v2 beta 17) |
| 287 | // of a certmagic config that come from the TLS connection policy are |
| 288 | // CertSelection and DefaultServerName, so an automation policy is what |
| 289 | // builds the base certmagic config. Since the pre-built config is |
| 290 | // shared, I don't think we can change any of its fields per-handshake, |
| 291 | // hence the awkward shallow copy (dereference) here and the subsequent |
| 292 | // changing of some of its fields. I'm worried this dereference allocates |
| 293 | // more at handshake-time, but I don't know how to practically pre-build |
| 294 | // a certmagic config for each combination of conn policy + automation policy... |
| 295 | cfg := *tlsApp.getConfigForName(hello.ServerName) |
| 296 | if p.CertSelection != nil { |
| 297 | // you would think we could just set this whether or not |
| 298 | // p.CertSelection is nil, but that leads to panics if |
| 299 | // it is, because cfg.CertSelection is an interface, |
| 300 | // so it will have a non-nil value even if the actual |
| 301 | // value underlying it is nil (sigh) |
| 302 | cfg.CertSelection = p.CertSelection |
| 303 | } |
| 304 | cfg.DefaultServerName = p.DefaultSNI |
| 305 | cfg.FallbackServerName = p.FallbackSNI |
| 306 | |
| 307 | // TODO: experimental: if a handshake context module is configured, allow it |
| 308 | // to modify the context before passing it into CertMagic's GetCertificate |
| 309 | ctx := hello.Context() |
| 310 | if p.handshakeContext != nil { |
| 311 | ctx, err = p.handshakeContext.HandshakeContext(hello) |
| 312 | if err != nil { |
| 313 | return nil, fmt.Errorf("handshake context: %v", err) |
| 314 | } |
| 315 | } |
| 316 | |
| 317 | return cfg.GetCertificateWithContext(ctx, hello) |
| 318 | }, |
| 319 | MinVersion: tls.VersionTLS12, |
| 320 | MaxVersion: tls.VersionTLS13, |
| 321 | } |
| 322 | |
| 323 | // session tickets support |
| 324 | if tlsApp.SessionTickets != nil { |
| 325 | cfg.SessionTicketsDisabled = tlsApp.SessionTickets.Disabled |
| 326 |