tls: Per-site TLS configs using GetClientConfig, including http2 switch (#1389)

* Remove manual TLS clone method

* WiP tls

* Use GetClientConfig for tls.Config

* gofmt -s -w

* GetConfig

* Handshake

* Removed comment

* Disable HTTP2 on demand

* Remove junk

* Remove http2 enable (no-op)

caddytls/config_test.go

@@ -10,14 +10,12 @@ import (
 
 func TestMakeTLSConfigProtocolVersions(t *testing.T) {
 	// same min and max protocol versions
-	configs := []*Config{
-		{
-			Enabled:            true,
-			ProtocolMinVersion: tls.VersionTLS12,
-			ProtocolMaxVersion: tls.VersionTLS12,
-		},
+	config := Config{
+		Enabled:            true,
+		ProtocolMinVersion: tls.VersionTLS12,
+		ProtocolMaxVersion: tls.VersionTLS12,
 	}
-	result, err := MakeTLSConfig(configs)
+	result, err := config.build()
 	if err != nil {
 		t.Fatalf("Did not expect an error, but got %v", err)
 	}
@@ -31,28 +29,14 @@ func TestMakeTLSConfigProtocolVersions(t *testing.T) {
 
 func TestMakeTLSConfigPreferServerCipherSuites(t *testing.T) {
 	// prefer server cipher suites
-	configs := []*Config{{Enabled: true, PreferServerCipherSuites: true}}
-	result, err := MakeTLSConfig(configs)
+	config := Config{Enabled: true, PreferServerCipherSuites: true}
+	result, err := config.build()
 	if err != nil {
 		t.Fatalf("Did not expect an error, but got %v", err)
 	}
 	if got, want := result.PreferServerCipherSuites, true; got != want {
 		t.Errorf("Expected PreferServerCipherSuites==%v but got %v", want, got)
 	}
-
-	// make sure we don't get an error if there's a conflict
-	// when both of the configs have TLS disabled
-	configs = []*Config{
-		{Enabled: false, PreferServerCipherSuites: false},
-		{Enabled: false, PreferServerCipherSuites: true},
-	}
-	result, err = MakeTLSConfig(configs)
-	if err != nil {
-		t.Fatalf("Did not expect an error when TLS is disabled, but got '%v'", err)
-	}
-	if result != nil {
-		t.Errorf("Expected nil result because TLS disabled, got: %+v", err)
-	}
 }
 
 func TestMakeTLSConfigTLSEnabledDisabled(t *testing.T) {
@@ -61,20 +45,10 @@ func TestMakeTLSConfigTLSEnabledDisabled(t *testing.T) {
 		{Enabled: true},
 		{Enabled: false},
 	}
-	_, err := MakeTLSConfig(configs)
+	err := CheckConfigs(configs)
 	if err == nil {
 		t.Fatalf("Expected an error, but got %v", err)
 	}
-
-	// verify that when disabled, a nil pair is returned
-	configs = []*Config{{}, {}}
-	result, err := MakeTLSConfig(configs)
-	if err != nil {
-		t.Errorf("Did not expect an error, but got %v", err)
-	}
-	if result != nil {
-		t.Errorf("Expected a nil *tls.Config result, got %+v", result)
-	}
 }
 
 func TestMakeTLSConfigCipherSuites(t *testing.T) {
@@ -83,25 +57,22 @@ func TestMakeTLSConfigCipherSuites(t *testing.T) {
 	configs := []*Config{
 		{Enabled: true, Ciphers: []uint16{0xc02c, 0xc030}},
 		{Enabled: true, Ciphers: []uint16{0xc012, 0xc030, 0xc00a}},
-	}
-	result, err := MakeTLSConfig(configs)
-	if err != nil {
-		t.Fatalf("Did not expect an error, but got %v", err)
-	}
-	expected := []uint16{tls.TLS_FALLBACK_SCSV, 0xc02c, 0xc030, 0xc012, 0xc00a}
-	if !reflect.DeepEqual(result.CipherSuites, expected) {
-		t.Errorf("Expected ciphers %v but got %v", expected, result.CipherSuites)
+		{Enabled: true, Ciphers: nil},
 	}
 
-	// use default suites if none specified
-	configs = []*Config{{Enabled: true}}
-	result, err = MakeTLSConfig(configs)
-	if err != nil {
-		t.Fatalf("Did not expect an error, but got %v", err)
+	expectedCiphers := [][]uint16{
+		{tls.TLS_FALLBACK_SCSV, 0xc02c, 0xc030},
+		{tls.TLS_FALLBACK_SCSV, 0xc012, 0xc030, 0xc00a},
+		append([]uint16{tls.TLS_FALLBACK_SCSV}, defaultCiphers...),
 	}
-	expected = append([]uint16{tls.TLS_FALLBACK_SCSV}, defaultCiphers...)
-	if !reflect.DeepEqual(result.CipherSuites, expected) {
-		t.Errorf("Expected default ciphers %v but got %v", expected, result.CipherSuites)
+
+	for i, config := range configs {
+		cfg, _ := config.build()
+
+		if !reflect.DeepEqual(cfg.CipherSuites, expectedCiphers[i]) {
+			t.Errorf("Expected ciphers %v but got %v", expectedCiphers[i], cfg.CipherSuites)
+		}
+
 	}
 }