Initial implementation of TLS client authentication (#2731)

* Add support for client TLS authentication Signed-off-by: Alexandre Stein <alexandre_stein@interlab-net.com> * make and use client authentication struct * force StrictSNIHost if TLSConnPolicies is not empty * Implement leafs verification * Fixes issue when using multiple verification * applies the comments from maintainers * Apply comment * Refactor/cleanup initial TLS client auth implementation
2025-05-30 15:58:10 +08:00 · 2019-09-03 17:35:36 +02:00
parent 8e821b5039
commit 50961ecc77
3 changed files with 155 additions and 17 deletions
--- a/modules/caddyhttp/server.go
+++ b/modules/caddyhttp/server.go
@ -40,7 +40,7 @@ type Server struct {
 	TLSConnPolicies   caddytls.ConnectionPolicies `json:"tls_connection_policies,omitempty"`
 	AutoHTTPS         *AutoHTTPSConfig            `json:"automatic_https,omitempty"`
 	MaxRehandles      *int                        `json:"max_rehandles,omitempty"`
-	StrictSNIHost     bool                        `json:"strict_sni_host,omitempty"` // TODO: see if we can turn this on by default when clientauth is configured
+	StrictSNIHost     bool                        `json:"strict_sni_host,omitempty"`

 	tlsApp *caddytls.TLS
 }
@ -181,6 +181,15 @@ func (s *Server) listenersUseAnyPortOtherThan(otherPort int) bool {
 	return false
 }

+func (s *Server) hasTLSClientAuth() bool {
+	for _, cp := range s.TLSConnPolicies {
+		if cp.Active() {
+			return true
+		}
+	}
+	return false
+}
+
 // AutoHTTPSConfig is used to disable automatic HTTPS
 // or certain aspects of it for a specific server.
 type AutoHTTPSConfig struct {