httpserver: Prevent TLS client authentication bypass in 3 ways (#2099)

- Introduce StrictHostMatching mode for sites that require clientauth
- Error if QUIC is enabled whilst TLS clientauth is configured
  (Our QUIC implementation does not yet support TLS clientauth, but
  maybe it will in the future - fixes #2095)
- Error if one but not all TLS configs for the same hostname have a
  different ClientAuth CA pool
Author: Matt Holt
Date: 2018-03-30 14:40:04 -06:00 (committed by GitHub)
parent 2966db7b78
commit 4d9ee000c8
4 changed files with 49 additions and 3 deletions
@@ -36,6 +36,16 @@ type SiteConfig struct {
// TLS configuration
TLS *caddytls.Config
// If true, the Host header in the HTTP request must
// match the SNI value in the TLS handshake (if any).
// This should be enabled whenever a site relies on
// TLS client authentication, for example; or any time
// you want to enforce that THIS site's TLS config
// is used and not the TLS config of any other site
// on the same listener. TODO: Check how relevant this
// is with TLS 1.3.
StrictHostMatching bool
// Uncompiled middleware stack
middleware []Middleware
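Review bot: the doc comment on StrictHostMatching leaves the no-SNI case undefined ("must match the SNI value in the TLS handshake (if any)"); for a field whose stated purpose is protecting client-authenticated sites, say explicitly whether a request that arrives without SNI is rejected or falls through, since a silent fall-through would be exactly the bypass this option exists to prevent. It would also help to state whether the field is set automatically for sites with TLS client authentication or must be enabled by the site owner, as "This should be enabled whenever a site relies on TLS client authentication" reads as advice rather than behaviour. Finally, the "TODO: Check how relevant this is with TLS 1.3" belongs in a tracking issue or a non-doc comment rather than in the exported field's documentation, where it will surface in godoc.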