267}
268
269func (p *ConnectionPolicy) buildStandardTLSConfig(ctx caddy.Context) error {
270 tlsAppIface, err := ctx.App("tls")
271 if err != nil {
272 return fmt.Errorf("getting tls app: %v", err)
273 }
274 tlsApp := tlsAppIface.(*TLS)
275
276 // fill in some "easy" default values, but for other values
277 // (such as slices), we should ensure that they start empty
278 // so the user-provided config can fill them in; then we will
279 // fill in a default config at the end if they are still unset
280 cfg := &tls.Config{
281 NextProtos: p.ALPN,
282 GetCertificate: func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
283 // TODO: I don't love how this works: we pre-build certmagic configs
284 // so that handshakes are faster. Unfortunately, certmagic configs are
285 // comprised of settings from both a TLS connection policy and a TLS
286 // automation policy. The only two fields (as of March 2020; v2 beta 17)
287 // of a certmagic config that come from the TLS connection policy are
288 // CertSelection and DefaultServerName, so an automation policy is what
289 // builds the base certmagic config. Since the pre-built config is
290 // shared, I don't think we can change any of its fields per-handshake,
291 // hence the awkward shallow copy (dereference) here and the subsequent
292 // changing of some of its fields. I'm worried this dereference allocates
293 // more at handshake-time, but I don't know how to practically pre-build
294 // a certmagic config for each combination of conn policy + automation policy...
295 cfg := *tlsApp.getConfigForName(hello.ServerName)
296 if p.CertSelection != nil {
297 // you would think we could just set this whether or not
298 // p.CertSelection is nil, but that leads to panics if
299 // it is, because cfg.CertSelection is an interface,
300 // so it will have a non-nil value even if the actual
301 // value underlying it is nil (sigh)
302 cfg.CertSelection = p.CertSelection
303 }
304 cfg.DefaultServerName = p.DefaultSNI
305 cfg.FallbackServerName = p.FallbackSNI
306
307 // TODO: experimental: if a handshake context module is configured, allow it
308 // to modify the context before passing it into CertMagic's GetCertificate
309 ctx := hello.Context()
310 if p.handshakeContext != nil {
311 ctx, err = p.handshakeContext.HandshakeContext(hello)
312 if err != nil {
313 return nil, fmt.Errorf("handshake context: %v", err)
314 }
315 }
316
317 return cfg.GetCertificateWithContext(ctx, hello)
318 },
319 MinVersion: tls.VersionTLS12,
320 MaxVersion: tls.VersionTLS13,
321 }
322
323 // session tickets support
324 if tlsApp.SessionTickets != nil {
325 cfg.SessionTicketsDisabled = tlsApp.SessionTickets.Disabled
326
