A new feature for the "tls" directive

This commit is contained in:
elcore 2016-04-01 11:30:38 +02:00 committed by Eldin Hadzic
parent 8a2f2f8d37
commit cf69d190a2
3 changed files with 49 additions and 1 deletions


@ -404,7 +404,7 @@ const AlternatePort = "5033"
// KeyType is the type to use for new keys. // KeyType is the type to use for new keys.
// This shouldn't need to change except for in tests; // This shouldn't need to change except for in tests;
// the size can be drastically reduced for speed. // the size can be drastically reduced for speed.
var KeyType = acme.EC384 var KeyType acme.KeyType
// stopChan is used to signal the maintenance goroutine // stopChan is used to signal the maintenance goroutine
// to terminate. // to terminate.
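Review bot: The comment above `var KeyType acme.KeyType` still reads as if the variable carries a fixed default, but the declaration now leaves it at the zero value and the default is applied elsewhere (setDefaultTLSParams in the second file assigns acme.RSA2048 when it is empty). Extend the comment so a reader of this file finds the default: `// KeyType is set by the tls key_type directive; when left empty,` / `// setDefaultTLSParams falls back to RSA2048.` This also changes the effective default from EC384 to RSA2048, which the commit title does not mention.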


@ -14,6 +14,7 @@ import (
"github.com/mholt/caddy/caddy/setup" "github.com/mholt/caddy/caddy/setup"
"github.com/mholt/caddy/middleware" "github.com/mholt/caddy/middleware"
"github.com/mholt/caddy/server" "github.com/mholt/caddy/server"
"github.com/xenolf/lego/acme"
) )
// Setup sets up the TLS configuration and installs certificates that // Setup sets up the TLS configuration and installs certificates that
@ -51,6 +52,13 @@ func Setup(c *setup.Controller) (middleware.Middleware, error) {
for c.NextBlock() { for c.NextBlock() {
hadBlock = true hadBlock = true
switch c.Val() { switch c.Val() {
case "key_type":
arg := c.RemainingArgs()
value, ok := supportedKeyTypes[strings.ToUpper(arg[0])]
if !ok {
return nil, c.Errf("Wrong KeyType name or KeyType not supported '%s'", c.Val())
}
KeyType = value
case "protocols": case "protocols":
args := c.RemainingArgs() args := c.RemainingArgs()
if len(args) != 2 { if len(args) != 2 {
@ -220,6 +228,10 @@ func loadCertsInDir(c *setup.Controller, dir string) error {
// port to 443 if not already set, TLS is enabled, TLS is manual, and the host // port to 443 if not already set, TLS is enabled, TLS is manual, and the host
// does not equal localhost. // does not equal localhost.
func setDefaultTLSParams(c *server.Config) { func setDefaultTLSParams(c *server.Config) {
if KeyType == "" {
KeyType = acme.RSA2048
}
// If no ciphers provided, use default list // If no ciphers provided, use default list
if len(c.TLS.Ciphers) == 0 { if len(c.TLS.Ciphers) == 0 {
c.TLS.Ciphers = defaultCiphers c.TLS.Ciphers = defaultCiphers
@ -247,6 +259,15 @@ func setDefaultTLSParams(c *server.Config) {
} }
} }
// Map of supported key types
var supportedKeyTypes = map[string]acme.KeyType{
"EC384": acme.EC384,
"EC256": acme.EC256,
"RSA8192": acme.RSA8192,
"RSA4096": acme.RSA4096,
"RSA2048": acme.RSA2048,
}
// Map of supported protocols. // Map of supported protocols.
// SSLv3 will be not supported in future release. // SSLv3 will be not supported in future release.
// HTTP/2 only supports TLS 1.2 and higher. // HTTP/2 only supports TLS 1.2 and higher.
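Review bot: `arg := c.RemainingArgs()` in the new `key_type` case is indexed as `arg[0]` without a length check, so a Caddyfile line containing `key_type` with no argument panics inside Setup instead of returning a parse error. Guard it before the map lookup: `if len(arg) != 1 { return nil, c.Errf("key_type expects exactly one argument") }`, and consider reporting `arg[0]` rather than `c.Val()` in the existing error so the message names the rejected value. The Setup function starts before this hunk. Separately, KeyType is a package-level variable that both this case and the new `if KeyType == ""` block in setDefaultTLSParams write, so a key_type set in one site block appears to apply to every later site; if per-site key types are intended, the value probably belongs on the server config rather than in a global.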


@ -8,6 +8,7 @@ import (
"testing" "testing"
"github.com/mholt/caddy/caddy/setup" "github.com/mholt/caddy/caddy/setup"
"github.com/xenolf/lego/acme"
) )
func TestMain(m *testing.M) { func TestMain(m *testing.M) {
@ -170,6 +171,16 @@ func TestSetupParseWithWrongOptionalParams(t *testing.T) {
if err == nil { if err == nil {
t.Errorf("Expected errors, but no error returned") t.Errorf("Expected errors, but no error returned")
} }
// Test key_type wrong params
params = `tls {
key_type ab123
}`
c = setup.NewTestController(params)
_, err = Setup(c)
if err == nil {
t.Errorf("Expected errors, but no error returned")
}
} }
func TestSetupParseWithClientAuth(t *testing.T) { func TestSetupParseWithClientAuth(t *testing.T) {
@ -203,6 +214,22 @@ func TestSetupParseWithClientAuth(t *testing.T) {
} }
} }
func TestSetupParseWithKeyType(t *testing.T) {
params := `tls {
key_type ec384
}`
c := setup.NewTestController(params)
_, err := Setup(c)
if err != nil {
t.Errorf("Expected no errors, got: %v", err)
}
if KeyType != acme.EC384 {
t.Errorf("Expected 'P384' as KeyType, got %#v", KeyType)
}
}
const ( const (
certFile = "test_cert.pem" certFile = "test_cert.pem"
keyFile = "test_key.pem" keyFile = "test_key.pem"
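Review bot: The failure message in TestSetupParseWithKeyType says `Expected 'P384'` while the comparison is against `acme.EC384`; use the same name in both, e.g. `t.Errorf("Expected EC384 as KeyType, got %#v", KeyType)`. Because KeyType is package-level state, this test leaves it set to EC384 for every test that runs afterwards; resetting it on exit, `defer func() { KeyType = "" }()`, keeps the tests order-independent. The added wrong-params case only covers an unsupported name; a case with `key_type` and no argument would exercise the missing length check in Setup, which from the second file appears to panic rather than return an error.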