	tls: add reuse_private_keys (#6025)
This commit is contained in:
		
							parent
							
								
									d9ff7b1872
								
							
						
					
					
						commit
						ed41c924cf
					
				| @ -90,6 +90,7 @@ func parseBind(h Helper) ([]ConfigValue, error) { | |||||||
| //	    dns_ttl                       <duration> | //	    dns_ttl                       <duration> | ||||||
| //	    dns_challenge_override_domain <domain> | //	    dns_challenge_override_domain <domain> | ||||||
| //	    on_demand | //	    on_demand | ||||||
|  | //	    reuse_private_keys | ||||||
| //	    eab                           <key_id> <mac_key> | //	    eab                           <key_id> <mac_key> | ||||||
| //	    issuer                        <module_name> [...] | //	    issuer                        <module_name> [...] | ||||||
| //	    get_certificate               <module_name> [...] | //	    get_certificate               <module_name> [...] | ||||||
| @ -106,6 +107,7 @@ func parseTLS(h Helper) ([]ConfigValue, error) { | |||||||
| 	var issuers []certmagic.Issuer | 	var issuers []certmagic.Issuer | ||||||
| 	var certManagers []certmagic.Manager | 	var certManagers []certmagic.Manager | ||||||
| 	var onDemand bool | 	var onDemand bool | ||||||
|  | 	var reusePrivateKeys bool | ||||||
| 
 | 
 | ||||||
| 	for h.Next() { | 	for h.Next() { | ||||||
| 		// file certificate loader | 		// file certificate loader | ||||||
| @ -483,6 +485,12 @@ func parseTLS(h Helper) ([]ConfigValue, error) { | |||||||
| 				} | 				} | ||||||
| 				onDemand = true | 				onDemand = true | ||||||
| 
 | 
 | ||||||
|  | 			case "reuse_private_keys": | ||||||
|  | 				if h.NextArg() { | ||||||
|  | 					return nil, h.ArgErr() | ||||||
|  | 				} | ||||||
|  | 				reusePrivateKeys = true | ||||||
|  | 
 | ||||||
| 			case "insecure_secrets_log": | 			case "insecure_secrets_log": | ||||||
| 				if !h.NextArg() { | 				if !h.NextArg() { | ||||||
| 					return nil, h.ArgErr() | 					return nil, h.ArgErr() | ||||||
| @ -589,6 +597,14 @@ func parseTLS(h Helper) ([]ConfigValue, error) { | |||||||
| 		}) | 		}) | ||||||
| 	} | 	} | ||||||
| 
 | 
 | ||||||
|  | 	// reuse private keys TLS | ||||||
|  | 	if reusePrivateKeys { | ||||||
|  | 		configVals = append(configVals, ConfigValue{ | ||||||
|  | 			Class: "tls.reuse_private_keys", | ||||||
|  | 			Value: true, | ||||||
|  | 		}) | ||||||
|  | 	} | ||||||
|  | 
 | ||||||
| 	// custom certificate selection | 	// custom certificate selection | ||||||
| 	if len(certSelector.AnyTag) > 0 { | 	if len(certSelector.AnyTag) > 0 { | ||||||
| 		cp.CertSelection = &certSelector | 		cp.CertSelection = &certSelector | ||||||
|  | |||||||
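Review bot: The new `case "reuse_private_keys":` branch in the third hunk of this section accepts the directive silently, while the only warning about what it does lives on the policy field it feeds (documented elsewhere in this commit as TEMPORARY and against best practice), so a Caddyfile author never sees the trade-off. I would add a comment on the case, `// TEMPORARY: opts into reusing stored private keys across renewals, which widens the impact of a key compromise; see AutomationPolicy.ReusePrivateKeys`, and consider surfacing an adapter warning when the directive is used so the choice is visible at adapt time. The grammar comment added in the first hunk could likewise mark the option as temporary. parseTLS starts and ends outside these hunks.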
| @ -118,6 +118,11 @@ func (st ServerType) buildTLSApp( | |||||||
| 				ap.OnDemand = true | 				ap.OnDemand = true | ||||||
| 			} | 			} | ||||||
| 
 | 
 | ||||||
|  | 			// reuse private keys tls | ||||||
|  | 			if _, ok := sblock.pile["tls.reuse_private_keys"]; ok { | ||||||
|  | 				ap.ReusePrivateKeys = true | ||||||
|  | 			} | ||||||
|  | 
 | ||||||
| 			if keyTypeVals, ok := sblock.pile["tls.key_type"]; ok { | 			if keyTypeVals, ok := sblock.pile["tls.key_type"]; ok { | ||||||
| 				ap.KeyType = keyTypeVals[0].Value.(string) | 				ap.KeyType = keyTypeVals[0].Value.(string) | ||||||
| 			} | 			} | ||||||
| @ -587,6 +592,7 @@ outer: | |||||||
| 				aps[i].MustStaple == aps[j].MustStaple && | 				aps[i].MustStaple == aps[j].MustStaple && | ||||||
| 				aps[i].KeyType == aps[j].KeyType && | 				aps[i].KeyType == aps[j].KeyType && | ||||||
| 				aps[i].OnDemand == aps[j].OnDemand && | 				aps[i].OnDemand == aps[j].OnDemand && | ||||||
|  | 				aps[i].ReusePrivateKeys == aps[j].ReusePrivateKeys && | ||||||
| 				aps[i].RenewalWindowRatio == aps[j].RenewalWindowRatio { | 				aps[i].RenewalWindowRatio == aps[j].RenewalWindowRatio { | ||||||
| 				if len(aps[i].SubjectsRaw) > 0 && len(aps[j].SubjectsRaw) == 0 { | 				if len(aps[i].SubjectsRaw) > 0 && len(aps[j].SubjectsRaw) == 0 { | ||||||
| 					// later policy (at j) has no subjects ("catch-all"), so we can | 					// later policy (at j) has no subjects ("catch-all"), so we can | ||||||
|  | |||||||
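Review bot: The presence check `if _, ok := sblock.pile["tls.reuse_private_keys"]; ok` in the first hunk ignores the stored Value and treats existence as true, which matches the adjacent on_demand handling but is not stated; the comment `// reuse private keys tls` should say so, e.g. `// reuse_private_keys: presence of the config value is the signal; parseTLS only ever emits true`. The equality term added in the second hunk, `aps[i].ReusePrivateKeys == aps[j].ReusePrivateKeys &&`, is the right place to keep policies that differ only in key reuse from being merged, and it is consistent with how OnDemand is compared on the line above. buildTLSApp begins and ends outside these hunks.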
| @ -138,6 +138,15 @@ type AutomationPolicy struct { | |||||||
| 	// load. This enables On-Demand TLS for this policy. | 	// load. This enables On-Demand TLS for this policy. | ||||||
| 	OnDemand bool `json:"on_demand,omitempty"` | 	OnDemand bool `json:"on_demand,omitempty"` | ||||||
| 
 | 
 | ||||||
|  | 	// If true, private keys already existing in storage | ||||||
|  | 	// will be reused. Otherwise, a new key will be | ||||||
|  | 	// created for every new certificate to mitigate | ||||||
|  | 	// pinning and reduce the scope of key compromise. | ||||||
|  | 	// TEMPORARY: Key pinning is against industry best practices. | ||||||
|  | 	// This property will likely be removed in the future. | ||||||
|  | 	// Do not rely on it forever; watch the release notes. | ||||||
|  | 	ReusePrivateKeys bool `json:"reuse_private_keys,omitempty"` | ||||||
|  | 
 | ||||||
| 	// Disables OCSP stapling. Disabling OCSP stapling puts clients at | 	// Disables OCSP stapling. Disabling OCSP stapling puts clients at | ||||||
| 	// greater risk, reduces their privacy, and usually lowers client | 	// greater risk, reduces their privacy, and usually lowers client | ||||||
| 	// performance. It is NOT recommended to disable this unless you | 	// performance. It is NOT recommended to disable this unless you | ||||||
| @ -288,6 +297,7 @@ func (ap *AutomationPolicy) Provision(tlsApp *TLS) error { | |||||||
| 		KeySource:          keySource, | 		KeySource:          keySource, | ||||||
| 		OnEvent:            tlsApp.onEvent, | 		OnEvent:            tlsApp.onEvent, | ||||||
| 		OnDemand:           ond, | 		OnDemand:           ond, | ||||||
|  | 		ReusePrivateKeys:   ap.ReusePrivateKeys, | ||||||
| 		OCSP: certmagic.OCSPConfig{ | 		OCSP: certmagic.OCSPConfig{ | ||||||
| 			DisableStapling:    ap.DisableOCSPStapling, | 			DisableStapling:    ap.DisableOCSPStapling, | ||||||
| 			ResponderOverrides: ap.OCSPOverrides, | 			ResponderOverrides: ap.OCSPOverrides, | ||||||
|  | |||||||
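Review bot: The doc comment on `ReusePrivateKeys` in the first hunk explains why a fresh key is the default but not what an operator gives up by enabling reuse, so one more sentence would make the choice informed, e.g. `// Leaving this false (the default) rotates the key at every issuance, so a compromised key is retired at the next renewal; with reuse enabled a compromised key presumably stays in service across renewals until it is removed from storage.` The Provision hunk passes `ap.ReusePrivateKeys` straight through to the certmagic config with no derived value like OnDemand's `ond`, which looks correct since the field has no other inputs on this page. Both AutomationPolicy and Provision extend beyond these hunks.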