From 09432ba64d3931206181c895c845116db8d7e877 Mon Sep 17 00:00:00 2001
From: Matthew Holt
Date: Thu, 7 Jan 2021 15:52:58 -0700
Subject: [PATCH] caddytls: Configurable OCSP stapling; global option (closes #3714)

Allows user to disable OCSP stapling (including support in the Caddyfile via the ocsp_stapling global option) or overriding responder URLs. Useful in environments where responders are not reachable due to firewalls.
---
 caddyconfig/httpcaddyfile/options.go | 15 +++++++++++++++
 caddyconfig/httpcaddyfile/tlsapp.go | 9 ++++++++-
 go.mod | 2 +-
 go.sum | 4 ++--
 modules/caddytls/automation.go | 23 ++++++++++++++++++++---
 5 files changed, 46 insertions(+), 7 deletions(-)

diff --git a/caddyconfig/httpcaddyfile/options.go b/caddyconfig/httpcaddyfile/options.go
index 119295b8..54672a65 100644
--- a/caddyconfig/httpcaddyfile/options.go
+++ b/caddyconfig/httpcaddyfile/options.go
@@ -43,6 +43,7 @@ func init() {
 	RegisterGlobalOption("key_type", parseOptSingleString)
 	RegisterGlobalOption("auto_https", parseOptAutoHTTPS)
 	RegisterGlobalOption("servers", parseServerOptions)
+	RegisterGlobalOption("ocsp_stapling", parseOCSPStaplingOptions)
 }
 
 func parseOptTrue(d *caddyfile.Dispenser, _ interface{}) (interface{}, error) { return true, nil }
@@ -370,3 +371,17 @@ func parseOptAutoHTTPS(d *caddyfile.Dispenser, _ interface{}) (interface{}, erro
 func parseServerOptions(d *caddyfile.Dispenser, _ interface{}) (interface{}, error) {
 	return unmarshalCaddyfileServerOptions(d)
 }
+
+func parseOCSPStaplingOptions(d *caddyfile.Dispenser, _ interface{}) (interface{}, error) {
+	d.Next() // consume option name
+	var val string
+	if !d.AllArgs(&val) {
+		return nil, d.ArgErr()
+	}
+	if val != "off" {
+		return nil, d.Errf("invalid argument '%s'", val)
+	}
+	return certmagic.OCSPConfig{
+		DisableStapling: val == "off",
+	}, nil
+}
diff --git a/caddyconfig/httpcaddyfile/tlsapp.go b/caddyconfig/httpcaddyfile/tlsapp.go
index 25b800a5..10b5e7d5 100644
--- a/caddyconfig/httpcaddyfile/tlsapp.go
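Review bot: In parseOCSPStaplingOptions the initializer `DisableStapling: val == "off"` is always true, because the check just above has already rejected every value other than `off`; `DisableStapling: true` says what the code means and avoids a reader wondering which other values are accepted. The Caddyfile form can therefore only switch stapling off and never populates ResponderOverrides, which deserves a comment above the function, e.g. `// parseOCSPStaplingOptions accepts only "off"; responder URL overrides are reachable through the JSON config (AutomationPolicy.OCSPOverrides).` The unknown-argument error would be more robust with `%q` than `'%s'`, since it quotes and escapes whatever the user typed, including an empty string: `return nil, d.Errf("invalid argument %q", val)`.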
+++ b/caddyconfig/httpcaddyfile/tlsapp.go
@@ -417,8 +417,9 @@ func newBaseAutomationPolicy(options map[string]interface{}, warnings []caddycon
 	issuers, hasIssuers := options["cert_issuer"]
 	_, hasLocalCerts := options["local_certs"]
 	keyType, hasKeyType := options["key_type"]
+	ocspStapling, hasOCSPStapling := options["ocsp_stapling"]
 
-	hasGlobalAutomationOpts := hasIssuers || hasLocalCerts || hasKeyType
+	hasGlobalAutomationOpts := hasIssuers || hasLocalCerts || hasKeyType || hasOCSPStapling
 
 	// if there are no global options related to automation policies
 	// set, then we can just return right away
@@ -444,6 +445,12 @@ func newBaseAutomationPolicy(options map[string]interface{}, warnings []caddycon
 		ap.Issuers = []certmagic.Issuer{new(caddytls.InternalIssuer)}
 	}
 
+	if hasOCSPStapling {
+		ocspConfig := ocspStapling.(certmagic.OCSPConfig)
+		ap.DisableOCSPStapling = ocspConfig.DisableStapling
+		ap.OCSPOverrides = ocspConfig.ResponderOverrides
+	}
+
 	return ap, nil
 }
 
diff --git a/go.mod b/go.mod
index ed3a046b..825f8743 100644
--- a/go.mod
+++ b/go.mod
@@ -6,7 +6,7 @@ require (
 	github.com/Masterminds/sprig/v3 v3.1.0
 	github.com/alecthomas/chroma v0.8.2
 	github.com/aryann/difflib v0.0.0-20170710044230-e206f873d14a
-	github.com/caddyserver/certmagic v0.12.1-0.20210104224249-7891c830824b
+	github.com/caddyserver/certmagic v0.12.1-0.20210107224522-725b69d53d57
 	github.com/dustin/go-humanize v1.0.1-0.20200219035652-afde56e7acac
 	github.com/go-chi/chi v4.1.2+incompatible
 	github.com/google/cel-go v0.6.0
diff --git a/go.sum b/go.sum
index 8c5bd137..cc11013a 100644
--- a/go.sum
+++ b/go.sum
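Review bot: The type assertion `ocspStapling.(certmagic.OCSPConfig)` in the second tlsapp.go hunk is unchecked, so any future producer that stores a different type under the ocsp_stapling key turns a configuration mistake into a panic during Caddyfile adaptation; the two-value form, `ocspConfig, ok := ocspStapling.(certmagic.OCSPConfig)` followed by `if !ok { return ap, fmt.Errorf("ocsp_stapling: unexpected option type %T", ocspStapling) }` (adjusting the return to match the function's result types), keeps it an ordinary error. Today the only producer is parseOCSPStaplingOptions, which sets DisableStapling and leaves ResponderOverrides nil, so `ap.OCSPOverrides = ocspConfig.ResponderOverrides` currently always assigns nil; a one-line comment saying that overrides reach this field only through the JSON config would save the next reader a search. newBaseAutomationPolicy's body begins before the first hunk on this line.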
@@ -99,8 +99,8 @@ github.com/bombsimon/wsl/v2 v2.0.0/go.mod h1:mf25kr/SqFEPhhcxW1+7pxzGlW+hIl/hYTK
 github.com/boombuler/barcode v1.0.0/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=
 github.com/bradfitz/go-smtpd v0.0.0-20170404230938-deb6d6237625/go.mod h1:HYsPBTaaSFSlLx/70C2HPIMNZpVV8+vt/A+FMnYP11g=
 github.com/buger/jsonparser v0.0.0-20181115193947-bf1c66bbce23/go.mod h1:bbYlZJ7hK1yFx9hf58LP0zeX7UjIGs20ufpu3evjr+s=
-github.com/caddyserver/certmagic v0.12.1-0.20210104224249-7891c830824b h1:3sAfeMhRiv0CVLWvM+bTSVkZIf1KupsMjglpaOCAQjE=
-github.com/caddyserver/certmagic v0.12.1-0.20210104224249-7891c830824b/go.mod h1:yHMCSjG2eOFdI/Jx0+CCzr2DLw+UQu42KbaOVBx7LwA=
+github.com/caddyserver/certmagic v0.12.1-0.20210107224522-725b69d53d57 h1:eslWGgoQlVAzOGMUfK3ncoHnONjCUVOPTGRD9JG3gAY=
+github.com/caddyserver/certmagic v0.12.1-0.20210107224522-725b69d53d57/go.mod h1:yHMCSjG2eOFdI/Jx0+CCzr2DLw+UQu42KbaOVBx7LwA=
 github.com/casbin/casbin/v2 v2.1.2/go.mod h1:YcPU1XXisHhLzuxH9coDNf2FbKpjGlbCg3n9yuLkIJQ=
 github.com/cenkalti/backoff v2.2.1+incompatible/go.mod h1:90ReRw6GdpyfrHakVjL/QHaoyV4aDUVVkXQJJJ3NXXM=
 github.com/census-instrumentation/opencensus-proto v0.2.0/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
diff --git a/modules/caddytls/automation.go b/modules/caddytls/automation.go
index 509ad6e6..ed29e06a 100644
--- a/modules/caddytls/automation.go
+++ b/modules/caddytls/automation.go
@@ -107,6 +107,19 @@ type AutomationPolicy struct {
 	// load.
 	OnDemand bool `json:"on_demand,omitempty"`
 
+	// Disables OCSP stapling. Disabling OCSP stapling puts clients at
+	greater risk, reduces their privacy, and usually lowers client
+	performance. It is NOT recommended to disable this unless you
+	are able to justify the costs.
+	EXPERIMENTAL. Subject to change.
+	DisableOCSPStapling bool `json:"disable_ocsp_stapling,omitempty"`
+
+	// Overrides the URLs of OCSP responders embedded in certificates.
+	Each key is a OCSP server URL to override, and its value is the
+	replacement. An empty value will disable querying of that server.
+	EXPERIMENTAL. Subject to change.
+	OCSPOverrides map[string]string `json:"ocsp_overrides,omitempty"`
+
 	// Issuers stores the decoded issuer parameters. This is only
 	// used to populate an underlying certmagic.Config's Issuers
 	// field; it is not referenced thereafter.
@@ -205,9 +218,13 @@ func (ap *AutomationPolicy) Provision(tlsApp *TLS) error {
 		RenewalWindowRatio: ap.RenewalWindowRatio,
 		KeySource: keySource,
 		OnDemand: ond,
-		Storage: storage,
-		Issuers: issuers,
-		Logger: tlsApp.logger,
+		OCSP: certmagic.OCSPConfig{
+			DisableStapling: ap.DisableOCSPStapling,
+			ResponderOverrides: ap.OCSPOverrides,
+		},
+		Storage: storage,
+		Issuers: issuers,
+		Logger: tlsApp.logger,
 	}
 	ap.magic = certmagic.New(tlsApp.certCache, template)
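Review bot: The DisableOCSPStapling doc comment in the AutomationPolicy hunk warns about client risk and privacy but omits the case where the switch breaks handshakes outright: a certificate carrying the OCSP Must-Staple (TLS Feature) extension is rejected by clients that enforce it when the server sends no staple, so the option must not be combined with such certificates. Suggested line after the risk sentence: `// Certificates issued with the OCSP Must-Staple extension will fail in clients that enforce it if stapling is disabled.` In the OCSPOverrides comment, `a OCSP server URL` should read `an OCSP server URL`, and it would help operators to state that the override only changes where the status request is sent; the commit message's motivation (responders unreachable through a firewall) is the intended use and could be named there too. The Provision hunk on this same line is cut off before its last context line, so it is not reviewed here.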