Commit 62b4553f authored by Matthew Holt's avatar Matthew Holt

tls: Disable on-demand TLS when random config is chosen

A random config is intended to be used only for solving TLS-ALPN
challenges; so we have to be sure to disable on-demand TLS so that
arbitrary names can't request certificates with another name's
on-demand config.
parent ad20323b
...@@ -88,6 +88,30 @@ func (cg configGroup) getConfig(hello *tls.ClientHelloInfo) *Config { ...@@ -88,6 +88,30 @@ func (cg configGroup) getConfig(hello *tls.ClientHelloInfo) *Config {
// TLS configuration for; any config will do for // TLS configuration for; any config will do for
// this purpose // this purpose
for _, config := range cg { for _, config := range cg {
// important! disable on-demand TLS so we don't
// try to get certificates for unrecognized names;
// this requires a careful pointer dance... first
// make shallow copies of the structs
if config.Manager != nil && config.Manager.OnDemand != nil {
cfgCopy := *config
mgrCopy := *config.Manager
tlsCfgCopy := config.tlsConfig.Clone()
// then turn off on-demand TLS
mgrCopy.OnDemand = nil
// then change the copies; make sure the
// GetCertificate callback is updated so
// it points to our modified config
cfgCopy.Manager = &mgrCopy
tlsCfgCopy.GetCertificate = mgrCopy.GetCertificate
cfgCopy.tlsConfig = tlsCfgCopy
// finally, return the reconstructed config
return &cfgCopy
}
// if on-demand TLS was not enabled, we should
// be able to use this config directly
return config return config
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment