A new feature for the "tls" directive

caddy/https/https.go

@@ -404,7 +404,7 @@ const AlternatePort = "5033"
 // KeyType is the type to use for new keys.
 // This shouldn't need to change except for in tests;
 // the size can be drastically reduced for speed.
-var KeyType = acme.EC384
+var KeyType acme.KeyType
 
 // stopChan is used to signal the maintenance goroutine
 // to terminate.

caddy/https/setup.go

@@ -14,6 +14,7 @@ import (
 	"github.com/mholt/caddy/caddy/setup"
 	"github.com/mholt/caddy/middleware"
 	"github.com/mholt/caddy/server"
+	"github.com/xenolf/lego/acme"
 )
 
 // Setup sets up the TLS configuration and installs certificates that
@@ -51,6 +52,13 @@ func Setup(c *setup.Controller) (middleware.Middleware, error) {
 		for c.NextBlock() {
 			hadBlock = true
 			switch c.Val() {
+			case "key_type":
+				arg := c.RemainingArgs()
+				value, ok := supportedKeyTypes[strings.ToUpper(arg[0])]
+				if !ok {
+					return nil, c.Errf("Wrong KeyType name or KeyType not supported '%s'", c.Val())
+				}
+				KeyType = value
 			case "protocols":
 				args := c.RemainingArgs()
 				if len(args) != 2 {
@@ -220,6 +228,10 @@ func loadCertsInDir(c *setup.Controller, dir string) error {
 // port to 443 if not already set, TLS is enabled, TLS is manual, and the host
 // does not equal localhost.
 func setDefaultTLSParams(c *server.Config) {
+	if KeyType == "" {
+		KeyType = acme.RSA2048
+	}
+
 	// If no ciphers provided, use default list
 	if len(c.TLS.Ciphers) == 0 {
 		c.TLS.Ciphers = defaultCiphers
@@ -247,6 +259,15 @@ func setDefaultTLSParams(c *server.Config) {
 	}
 }
 
+// Map of supported key types
+var supportedKeyTypes = map[string]acme.KeyType{
+	"EC384":   acme.EC384,
+	"EC256":   acme.EC256,
+	"RSA8192": acme.RSA8192,
+	"RSA4096": acme.RSA4096,
+	"RSA2048": acme.RSA2048,
+}
+
 // Map of supported protocols.
 // SSLv3 will be not supported in future release.
 // HTTP/2 only supports TLS 1.2 and higher.

caddy/https/setup_test.go

@@ -8,6 +8,7 @@ import (
 	"testing"
 
 	"github.com/mholt/caddy/caddy/setup"
+	"github.com/xenolf/lego/acme"
 )
 
 func TestMain(m *testing.M) {
@@ -170,6 +171,16 @@ func TestSetupParseWithWrongOptionalParams(t *testing.T) {
 	if err == nil {
 		t.Errorf("Expected errors, but no error returned")
 	}
+
+	// Test key_type wrong params
+	params = `tls {
+			key_type ab123
+		}`
+	c = setup.NewTestController(params)
+	_, err = Setup(c)
+	if err == nil {
+		t.Errorf("Expected errors, but no error returned")
+	}
 }
 
 func TestSetupParseWithClientAuth(t *testing.T) {
@@ -203,6 +214,22 @@ func TestSetupParseWithClientAuth(t *testing.T) {
 	}
 }
 
+func TestSetupParseWithKeyType(t *testing.T) {
+	params := `tls {
+            key_type ec384
+        }`
+	c := setup.NewTestController(params)
+
+	_, err := Setup(c)
+	if err != nil {
+		t.Errorf("Expected no errors, got: %v", err)
+	}
+
+	if KeyType != acme.EC384 {
+		t.Errorf("Expected 'P384' as KeyType, got %#v", KeyType)
+	}
+}
+
 const (
 	certFile = "test_cert.pem"
 	keyFile  = "test_key.pem"