mirror of
https://github.com/caddyserver/caddy.git
synced 2025-10-24 07:19:17 -04:00
tls: add reuse_private_keys (#6025)
This commit is contained in:
parent
d9ff7b1872
commit
ed41c924cf
@ -90,6 +90,7 @@ func parseBind(h Helper) ([]ConfigValue, error) {
|
|||||||
// dns_ttl <duration>
|
// dns_ttl <duration>
|
||||||
// dns_challenge_override_domain <domain>
|
// dns_challenge_override_domain <domain>
|
||||||
// on_demand
|
// on_demand
|
||||||
|
// reuse_private_keys
|
||||||
// eab <key_id> <mac_key>
|
// eab <key_id> <mac_key>
|
||||||
// issuer <module_name> [...]
|
// issuer <module_name> [...]
|
||||||
// get_certificate <module_name> [...]
|
// get_certificate <module_name> [...]
|
||||||
@ -106,6 +107,7 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
|
|||||||
var issuers []certmagic.Issuer
|
var issuers []certmagic.Issuer
|
||||||
var certManagers []certmagic.Manager
|
var certManagers []certmagic.Manager
|
||||||
var onDemand bool
|
var onDemand bool
|
||||||
|
var reusePrivateKeys bool
|
||||||
|
|
||||||
for h.Next() {
|
for h.Next() {
|
||||||
// file certificate loader
|
// file certificate loader
|
||||||
@ -483,6 +485,12 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
|
|||||||
}
|
}
|
||||||
onDemand = true
|
onDemand = true
|
||||||
|
|
||||||
|
case "reuse_private_keys":
|
||||||
|
if h.NextArg() {
|
||||||
|
return nil, h.ArgErr()
|
||||||
|
}
|
||||||
|
reusePrivateKeys = true
|
||||||
|
|
||||||
case "insecure_secrets_log":
|
case "insecure_secrets_log":
|
||||||
if !h.NextArg() {
|
if !h.NextArg() {
|
||||||
return nil, h.ArgErr()
|
return nil, h.ArgErr()
|
||||||
@ -589,6 +597,14 @@ func parseTLS(h Helper) ([]ConfigValue, error) {
|
|||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// reuse private keys TLS
|
||||||
|
if reusePrivateKeys {
|
||||||
|
configVals = append(configVals, ConfigValue{
|
||||||
|
Class: "tls.reuse_private_keys",
|
||||||
|
Value: true,
|
||||||
|
})
|
||||||
|
}
|
||||||
|
|
||||||
// custom certificate selection
|
// custom certificate selection
|
||||||
if len(certSelector.AnyTag) > 0 {
|
if len(certSelector.AnyTag) > 0 {
|
||||||
cp.CertSelection = &certSelector
|
cp.CertSelection = &certSelector
|
||||||
|
@ -118,6 +118,11 @@ func (st ServerType) buildTLSApp(
|
|||||||
ap.OnDemand = true
|
ap.OnDemand = true
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// reuse private keys tls
|
||||||
|
if _, ok := sblock.pile["tls.reuse_private_keys"]; ok {
|
||||||
|
ap.ReusePrivateKeys = true
|
||||||
|
}
|
||||||
|
|
||||||
if keyTypeVals, ok := sblock.pile["tls.key_type"]; ok {
|
if keyTypeVals, ok := sblock.pile["tls.key_type"]; ok {
|
||||||
ap.KeyType = keyTypeVals[0].Value.(string)
|
ap.KeyType = keyTypeVals[0].Value.(string)
|
||||||
}
|
}
|
||||||
@ -587,6 +592,7 @@ outer:
|
|||||||
aps[i].MustStaple == aps[j].MustStaple &&
|
aps[i].MustStaple == aps[j].MustStaple &&
|
||||||
aps[i].KeyType == aps[j].KeyType &&
|
aps[i].KeyType == aps[j].KeyType &&
|
||||||
aps[i].OnDemand == aps[j].OnDemand &&
|
aps[i].OnDemand == aps[j].OnDemand &&
|
||||||
|
aps[i].ReusePrivateKeys == aps[j].ReusePrivateKeys &&
|
||||||
aps[i].RenewalWindowRatio == aps[j].RenewalWindowRatio {
|
aps[i].RenewalWindowRatio == aps[j].RenewalWindowRatio {
|
||||||
if len(aps[i].SubjectsRaw) > 0 && len(aps[j].SubjectsRaw) == 0 {
|
if len(aps[i].SubjectsRaw) > 0 && len(aps[j].SubjectsRaw) == 0 {
|
||||||
// later policy (at j) has no subjects ("catch-all"), so we can
|
// later policy (at j) has no subjects ("catch-all"), so we can
|
||||||
|
@ -138,6 +138,15 @@ type AutomationPolicy struct {
|
|||||||
// load. This enables On-Demand TLS for this policy.
|
// load. This enables On-Demand TLS for this policy.
|
||||||
OnDemand bool `json:"on_demand,omitempty"`
|
OnDemand bool `json:"on_demand,omitempty"`
|
||||||
|
|
||||||
|
// If true, private keys already existing in storage
|
||||||
|
// will be reused. Otherwise, a new key will be
|
||||||
|
// created for every new certificate to mitigate
|
||||||
|
// pinning and reduce the scope of key compromise.
|
||||||
|
// TEMPORARY: Key pinning is against industry best practices.
|
||||||
|
// This property will likely be removed in the future.
|
||||||
|
// Do not rely on it forever; watch the release notes.
|
||||||
|
ReusePrivateKeys bool `json:"reuse_private_keys,omitempty"`
|
||||||
|
|
||||||
// Disables OCSP stapling. Disabling OCSP stapling puts clients at
|
// Disables OCSP stapling. Disabling OCSP stapling puts clients at
|
||||||
// greater risk, reduces their privacy, and usually lowers client
|
// greater risk, reduces their privacy, and usually lowers client
|
||||||
// performance. It is NOT recommended to disable this unless you
|
// performance. It is NOT recommended to disable this unless you
|
||||||
@ -288,6 +297,7 @@ func (ap *AutomationPolicy) Provision(tlsApp *TLS) error {
|
|||||||
KeySource: keySource,
|
KeySource: keySource,
|
||||||
OnEvent: tlsApp.onEvent,
|
OnEvent: tlsApp.onEvent,
|
||||||
OnDemand: ond,
|
OnDemand: ond,
|
||||||
|
ReusePrivateKeys: ap.ReusePrivateKeys,
|
||||||
OCSP: certmagic.OCSPConfig{
|
OCSP: certmagic.OCSPConfig{
|
||||||
DisableStapling: ap.DisableOCSPStapling,
|
DisableStapling: ap.DisableOCSPStapling,
|
||||||
ResponderOverrides: ap.OCSPOverrides,
|
ResponderOverrides: ap.OCSPOverrides,
|
||||||
|
Loading…
x
Reference in New Issue
Block a user