Commit 53e11780 authored by elcore's avatar elcore Committed by Matt Holt

Add support for OCSP Must-Staple for Let's Encrypt certs (#1221)

* Fix Caddytls

* Let the user decide

* Address comments
parent 23f89f30
...@@ -197,7 +197,7 @@ Attempts: ...@@ -197,7 +197,7 @@ Attempts:
for attempts := 0; attempts < 2; attempts++ { for attempts := 0; attempts < 2; attempts++ {
namesObtaining.Add([]string{name}) namesObtaining.Add([]string{name})
acmeMu.Lock() acmeMu.Lock()
certificate, failures := c.acmeClient.ObtainCertificate([]string{name}, true, nil) certificate, failures := c.acmeClient.ObtainCertificate([]string{name}, true, nil, c.config.MustStaple)
acmeMu.Unlock() acmeMu.Unlock()
namesObtaining.Remove([]string{name}) namesObtaining.Remove([]string{name})
if len(failures) > 0 { if len(failures) > 0 {
...@@ -285,7 +285,7 @@ func (c *ACMEClient) Renew(name string) error { ...@@ -285,7 +285,7 @@ func (c *ACMEClient) Renew(name string) error {
for attempts := 0; attempts < 2; attempts++ { for attempts := 0; attempts < 2; attempts++ {
namesObtaining.Add([]string{name}) namesObtaining.Add([]string{name})
acmeMu.Lock() acmeMu.Lock()
newCertMeta, err = c.acmeClient.RenewCertificate(certMeta, true) newCertMeta, err = c.acmeClient.RenewCertificate(certMeta, true, c.config.MustStaple)
acmeMu.Unlock() acmeMu.Unlock()
namesObtaining.Remove([]string{name}) namesObtaining.Remove([]string{name})
if err == nil { if err == nil {
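Review bot: Passing `c.config.MustStaple` into ObtainCertificate (L15) and RenewCertificate (L23) turns the OCSP staple into a hard requirement for every certificate issued under that config — the flag's own description at L31 says it adds the must-staple extension to the CSR — yet nothing in this hunk makes a successful OCSP fetch a precondition for putting the new certificate into service, so a client honoring the extension will refuse the handshake whenever Caddy serves the cert with a missing or stale staple. I would add a comment at the ObtainCertificate call, `// MustStaple makes the OCSP staple mandatory: serving this cert without a valid staple is a hard TLS failure, not a degraded mode.`, and confirm that the stapling path (not visible here) treats a failed OCSP fetch for a must-staple cert as an error that is logged and retried rather than a best-effort. The same applies to the Renew path, where a certificate that previously lacked the extension now gains it on renewal and the existing staple cache (if any) is presumably keyed to the old cert. Both the obtain and Renew bodies start and end outside the hunk.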
......
...@@ -105,6 +105,9 @@ type Config struct { ...@@ -105,6 +105,9 @@ type Config struct {
// The state needed to operate on-demand TLS // The state needed to operate on-demand TLS
OnDemandState OnDemandState OnDemandState OnDemandState
// Add the must staple TLS extension to the CSR generated by lego/acme
MustStaple bool
} }
// OnDemandState contains some state relevant for providing // OnDemandState contains some state relevant for providing
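Review bot: The comment on the new `MustStaple` field (L31) does not start with the field name as Go doc convention expects, and it omits the operational consequence an operator needs before enabling it: once the CSR carries the extension, the certificate is only usable while a valid OCSP staple is served. Suggest `// MustStaple adds the OCSP Must-Staple (TLS Feature, RFC 7633) extension to the` / `// CSR sent to the ACME CA. Clients honoring it reject the certificate whenever no` / `// valid OCSP staple is served, so OCSP fetching becomes availability-critical.` The Config struct's definition begins outside this hunk.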
......
...@@ -164,6 +164,8 @@ func setupTLS(c *caddy.Controller) error { ...@@ -164,6 +164,8 @@ func setupTLS(c *caddy.Controller) error {
return c.Errf("Unsupported Storage provider '%s'", args[0]) return c.Errf("Unsupported Storage provider '%s'", args[0])
} }
config.StorageProvider = args[0] config.StorageProvider = args[0]
case "muststaple":
config.MustStaple = true
default: default:
return c.Errf("Unknown keyword '%s'", c.Val()) return c.Errf("Unknown keyword '%s'", c.Val())
} }
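Review bot: The `muststaple` keyword at L40–41 is accepted unconditionally, including inside a `tls` block that supplies its own certificate and key (exactly what the test at L47–50 does), where no CSR is ever generated and the flag silently has no effect; an operator can end up believing Must-Staple is enforced when it is not, which is the worst failure mode for an opt-in hardening flag. If the parser knows at this point whether a cert/key pair was given, the combination should be rejected, e.g. `return c.Errf("muststaple only applies to certificates obtained through ACME")`; if that information is only available later, the check belongs wherever the manual-cert path is finalized, and the keyword should be documented as ACME-only in the meantime. The setupTLS function starts and ends outside the hunk.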
......
...@@ -103,6 +103,7 @@ func TestSetupParseWithOptionalParams(t *testing.T) { ...@@ -103,6 +103,7 @@ func TestSetupParseWithOptionalParams(t *testing.T) {
params := `tls ` + certFile + ` ` + keyFile + ` { params := `tls ` + certFile + ` ` + keyFile + ` {
protocols tls1.0 tls1.2 protocols tls1.0 tls1.2
ciphers RSA-AES256-CBC-SHA ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ciphers RSA-AES256-CBC-SHA ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384
muststaple
}` }`
cfg := new(Config) cfg := new(Config)
RegisterConfigGetter("", func(c *caddy.Controller) *Config { return cfg }) RegisterConfigGetter("", func(c *caddy.Controller) *Config { return cfg })
...@@ -124,6 +125,10 @@ func TestSetupParseWithOptionalParams(t *testing.T) { ...@@ -124,6 +125,10 @@ func TestSetupParseWithOptionalParams(t *testing.T) {
if len(cfg.Ciphers)-1 != 3 { if len(cfg.Ciphers)-1 != 3 {
t.Errorf("Expected 3 Ciphers (not including TLS_FALLBACK_SCSV), got %v", len(cfg.Ciphers)-1) t.Errorf("Expected 3 Ciphers (not including TLS_FALLBACK_SCSV), got %v", len(cfg.Ciphers)-1)
} }
if !cfg.MustStaple {
t.Errorf("Expected must staple to be true")
}
} }
func TestSetupDefaultWithOptionalParams(t *testing.T) { func TestSetupDefaultWithOptionalParams(t *testing.T) {
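Review bot: The new assertion at L58–60 only checks the positive case; nothing verifies that `MustStaple` stays false when the keyword is absent, so a regression that flips the default (turning every ACME cert into a must-staple cert) would pass the suite. Add to TestSetupDefaultWithOptionalParams, whose body is outside this hunk, `if cfg.MustStaple { t.Errorf("Expected must staple to be false by default") }`. Note also that the positive test exercises `muststaple` alongside explicit cert and key files (L47), the one configuration in which the flag has no CSR to act on; a case using ACME-managed names would better reflect its intended use.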
......