caddytls: Enable ECH on the "gotten" tls.Config instead of the "getter"

No idea if this fixes #7555
Matthew Holt 2026-03-12 15:42:47 -06:00
parent 1fbb28720b
commit 6cef20d257


@ -167,12 +167,6 @@ func (cp ConnectionPolicies) TLSConfig(ctx caddy.Context) *tls.Config {
}
tlsApp.RegisterServerNames(echNames)
}
tlsCfg.GetEncryptedClientHelloKeys = func(chi *tls.ClientHelloInfo) ([]tls.EncryptedClientHelloKey, error) {
tlsApp.EncryptedClientHello.configsMu.RLock()
defer tlsApp.EncryptedClientHello.configsMu.RUnlock()
return tlsApp.EncryptedClientHello.stdlibReady, nil
}
}
}
@ -376,6 +370,19 @@ func (p *ConnectionPolicy) buildStandardTLSConfig(ctx caddy.Context) error {
cfg.MaxVersion = SupportedProtocols[p.ProtocolMax]
}
// enable ECH (Encrypted ClientHello) if configured
if tlsApp.EncryptedClientHello != nil {
cfg.GetEncryptedClientHelloKeys = func(_ *tls.ClientHelloInfo) ([]tls.EncryptedClientHelloKey, error) {
tlsApp.EncryptedClientHello.configsMu.RLock()
defer tlsApp.EncryptedClientHello.configsMu.RUnlock()
return tlsApp.EncryptedClientHello.stdlibReady, nil
}
// TLS 1.3 is the first version that supports ECH
if cfg.MinVersion < tls.VersionTLS13 {
cfg.MaxVersion = tls.VersionTLS13
}
}
// client authentication
if p.ClientAuthentication != nil {
if err := p.ClientAuthentication.provision(ctx); err != nil {
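Review bot: The version guard at the end of the new ECH block tests cfg.MinVersion but then writes cfg.MaxVersion, so it does not express the requirement its comment states (that TLS 1.3 must be negotiable): MinVersion is 0 for any policy without an explicit ProtocolMin, so the branch fires almost always, a zero MaxVersion (library default) is replaced by a hard pin to 1.3, and the one configuration that really excludes 1.3 — a ProtocolMax of 1.2 — is corrected only as a side effect and without any signal to the operator. A guard on the cap itself says what the comment means: `if cfg.MaxVersion != 0 && cfg.MaxVersion < tls.VersionTLS13 {` / `cfg.MaxVersion = tls.VersionTLS13` — or, since an ECH policy with a 1.2 ceiling is a configuration conflict rather than something to repair silently, return an error naming ProtocolMax so it is reported at provision time. buildStandardTLSConfig starts outside the hunk, and where tlsApp is obtained in this function is not visible here, so the closure's reliance on it is taken on trust.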