add a bit more logging for non-SNI tls requests
for peace of mind. these are probably requests to port 443 without SNI.
parent
26fcaa17f5
commit
b8fa918d74
2 changed files with 4 additions and 4 deletions
|
@ -52,7 +52,7 @@ var (
|
||||||
// certificates for allowlisted hosts.
|
// certificates for allowlisted hosts.
|
||||||
type Manager struct {
|
type Manager struct {
|
||||||
ACMETLSConfig *tls.Config // For serving HTTPS on port 443, which is required for certificate requests to succeed.
|
ACMETLSConfig *tls.Config // For serving HTTPS on port 443, which is required for certificate requests to succeed.
|
||||||
TLSConfig *tls.Config // For all TLS servers not used for validating ACME requests. Like SMTP and HTTPS on ports other than 443.
|
TLSConfig *tls.Config // For all TLS servers not used for validating ACME requests. Like SMTP and IMAP (including with STARTTLS) and HTTPS on ports other than 443.
|
||||||
Manager *autocert.Manager
|
Manager *autocert.Manager
|
||||||
|
|
||||||
shutdown <-chan struct{}
|
shutdown <-chan struct{}
|
||||||
|
@ -147,7 +147,7 @@ func Load(name, acmeDir, contactEmail, directoryURL string, shutdown <-chan stru
|
||||||
// common for SMTP STARTTLS connections, which often do not care about the
|
// common for SMTP STARTTLS connections, which often do not care about the
|
||||||
// validation of the certificate.
|
// validation of the certificate.
|
||||||
if hello.ServerName == "" {
|
if hello.ServerName == "" {
|
||||||
log.Debug("tls request without sni servername, rejecting")
|
log.Debug("tls request without sni servername, rejecting", mlog.Field("localaddr", hello.Conn.LocalAddr()), mlog.Field("supportedprotos", hello.SupportedProtos))
|
||||||
return nil, fmt.Errorf("sni server name required")
|
return nil, fmt.Errorf("sni server name required")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
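Review bot: The new debug line in the `hello.ServerName == ""` branch records the local address and the ALPN list but not the peer, so it shows which listener was hit without showing who sent the SNI-less handshake. Unless the logger already carries the remote address in its context (not visible here), adding `mlog.Field("remoteaddr", hello.Conn.RemoteAddr())` would make the line usable for triage. `hello.SupportedProtos` is chosen by the client, so it is worth confirming that the log backend quotes or escapes field values. `hello.Conn` is also dereferenced without a nil check: crypto/tls fills it in during a real handshake, but a hand-built `ClientHelloInfo` passed to this callback (for example from a test) would panic at this line. The enclosing function starts and ends outside the hunk.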
|
@ -287,6 +287,6 @@ type TLS struct {
|
||||||
} `sconf:"optional"`
|
} `sconf:"optional"`
|
||||||
MinVersion string `sconf:"optional" sconf-doc:"Minimum TLS version. Default: TLSv1.2."`
|
MinVersion string `sconf:"optional" sconf-doc:"Minimum TLS version. Default: TLSv1.2."`
|
||||||
|
|
||||||
Config *tls.Config `sconf:"-" json:"-"`
|
Config *tls.Config `sconf:"-" json:"-"` // TLS config for non-ACME-verification connections, i.e. SMTP and IMAP, and not port 443.
|
||||||
ACMEConfig *tls.Config `sconf:"-" json:"-"`
|
ACMEConfig *tls.Config `sconf:"-" json:"-"` // TLS config that handles ACME verification, for serving on port 443.
|
||||||
}
|
}
|
||||||
|
|
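Review bot: The new comment on `Config` says "i.e. SMTP and IMAP, and not port 443", which reads as an exhaustive list, while the `TLSConfig` comment updated in the same commit also names HTTPS on ports other than 443. Aligning the two would avoid confusion about which listeners use this config, for example `// TLS config for non-ACME-verification connections, e.g. SMTP, IMAP and HTTPS on ports other than 443.` The `TLS` struct begins outside the hunk.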