* tls: Fall back to certificate keyed by empty name (fixes #2035) This should only happen for sites defined with an empty hostname (like ":8080") and which are using self-signed certificates or some other funky self-managed certificate. But that certificate should arguably be used for all incoming SNI names. * tls: Revert to serving any certificate if no match, regardless of SNI Also fix self-signed certs to include IP addresses in their name if they are configured to serve an IP address * Remove tests which are now irrelevant (behavior reverted) It would be good to revisit this in the future.
// Copyright 2015 Light Code Labs, LLC
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package caddytls
import "testing"
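// TestUnexportedGetCertificate exercises the SNI-name -> certificate lookup
// that backs the TLS GetCertificate callback: an empty cache, an exact
// (case-insensitive) match, a wildcard match, and the two "nothing matches"
// cases (SNI present, SNI absent).
//
// The no-match behaviour is security-relevant: whatever getCertificate hands
// back for an unmatched name is what a client will be shown, so both
// no-match cases are pinned here rather than left implicit.
func TestUnexportedGetCertificate(t *testing.T) {
	certCache := &certificateCache{cache: make(map[string]Certificate)}
	cfg := &Config{Certificates: make(map[string]string), certCache: certCache}

	// An empty cache can neither match nor fall back to a default.
	if _, matched, defaulted := cfg.getCertificate("example.com"); matched || defaulted {
		t.Errorf("Got a certificate when cache was empty; matched=%v, defaulted=%v", matched, defaulted)
	}

	// One certificate in the cache. The lookup must be case-insensitive,
	// since SNI values are DNS names; both spellings must return the same
	// cert as an exact match (not a default).
	firstCert := Certificate{Names: []string{"example.com"}}
	certCache.cache["0xdeadbeef"] = firstCert
	cfg.Certificates["example.com"] = "0xdeadbeef"
	for _, name := range []string{"Example.com", "example.com"} {
		cert, matched, defaulted := cfg.getCertificate(name)
		// Guard len(cert.Names) so a wrong (empty) cert reports a failure
		// instead of panicking the whole test binary on Names[0].
		if !matched || defaulted || len(cert.Names) == 0 || cert.Names[0] != "example.com" {
			t.Errorf("Didn't get a cert for '%s' or got the wrong one: %v, matched=%v, defaulted=%v", name, cert, matched, defaulted)
		}
	}

	// A wildcard certificate must be selected for a matching subdomain.
	certCache.cache["0xb01dface"] = Certificate{Names: []string{"*.example.com"}}
	cfg.Certificates["*.example.com"] = "0xb01dface"
	if cert, matched, defaulted := cfg.getCertificate("sub.example.com"); !matched || defaulted || len(cert.Names) == 0 || cert.Names[0] != "*.example.com" {
		t.Errorf("Didn't get wildcard cert for 'sub.example.com' or got the wrong one: %v, matched=%v, defaulted=%v", cert, matched, defaulted)
	}

	// TODO: Re-implement this behavior when I'm not in the middle of upgrading for ACMEv2 support. :) (it was reverted in #2037)
	// // When no certificate matches and SNI is provided, return no certificate (should be TLS alert)
	// if cert, matched, defaulted := cfg.getCertificate("nomatch"); matched || defaulted {
	// 	t.Errorf("Expected matched=false, defaulted=false; but got matched=%v, defaulted=%v (cert: %v)", matched, defaulted, cert)
	// }

	// Current (post-#2037) behaviour: when no certificate matches an SNI name
	// that IS provided, an arbitrary configured certificate is served rather
	// than failing the handshake. Pin it so a change in either direction is
	// noticed. NOTE(security): this fallback presents the client with a
	// certificate for an unrelated name, which is why the TODO above wants
	// the TLS-alert behaviour restored.
	if cert, matched, defaulted := cfg.getCertificate("nomatch"); matched || !defaulted {
		t.Errorf("Expected matched=false, defaulted=true for unmatched SNI; but got matched=%v, defaulted=%v (cert: %v)", matched, defaulted, cert)
	}

	// When no certificate matches and SNI is NOT provided, a random is returned
	if cert, matched, defaulted := cfg.getCertificate(""); matched || !defaulted {
		t.Errorf("Expected matched=false, defaulted=true; but got matched=%v, defaulted=%v (cert: %v)", matched, defaulted, cert)
	}
}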
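// TestCacheCertificate checks that cacheCertificate stores a certificate in
// the shared cache under its Hash and indexes every name it carries in the
// owning Config's Certificates map, and that a second Config sharing the
// same cache can map an overlapping name to a different certificate without
// disturbing the first Config's mapping (each Config must keep serving its
// own certificate, even when the backing cache is shared).
func TestCacheCertificate(t *testing.T) {
	certCache := &certificateCache{cache: make(map[string]Certificate)}
	cfg := &Config{Certificates: make(map[string]string), certCache: certCache}

	cfg.cacheCertificate(Certificate{Names: []string{"example.com", "sub.example.com"}, Hash: "foobar"})
	if got := len(certCache.cache); got != 1 {
		t.Errorf("Expected length of certificate cache to be 1, got %d", got)
	}
	if _, ok := certCache.cache["foobar"]; !ok {
		t.Error("Expected first cert to be cached by key 'foobar', but it wasn't")
	}
	// Every name on the cert must be indexed, and must point at this cert's hash.
	for _, name := range []string{"example.com", "sub.example.com"} {
		if hash, ok := cfg.Certificates[name]; !ok {
			t.Errorf("Expected first cert to be keyed by '%s', but it wasn't", name)
		} else if hash != "foobar" {
			t.Errorf("Expected '%s' to map to 'foobar' but it was %s instead", name, hash)
		}
	}

	// Different config, but using the same cache; its cert overlaps a name
	// already indexed by cfg but has a different hash.
	cfg2 := &Config{Certificates: make(map[string]string), certCache: certCache}
	cfg2.cacheCertificate(Certificate{Names: []string{"example.com"}, Hash: "barbaz"})
	if got := len(certCache.cache); got != 2 {
		t.Errorf("Expected length of certificate cache to be 2, got %d", got)
	}
	if _, ok := certCache.cache["barbaz"]; !ok {
		// Message corrected: the cache key is the hash "barbaz", not a hostname.
		t.Error("Expected second cert to be cached by key 'barbaz', but it wasn't")
	}
	if hash, ok := cfg2.Certificates["example.com"]; !ok {
		t.Error("Expected second cert to be keyed by 'example.com', but it wasn't")
	} else if hash != "barbaz" {
		t.Errorf("Expected second cert to map to 'barbaz' but it was %s instead", hash)
	}

	// The per-Config name index is independent of the shared cache: cfg must
	// still resolve example.com to its own certificate, not to cfg2's.
	if hash := cfg.Certificates["example.com"]; hash != "foobar" {
		t.Errorf("Expected first config's 'example.com' to still map to 'foobar' but it was %s instead", hash)
	}
}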