-rw-r--r-- | .SRCINFO | 4 | ||||
-rw-r--r-- | PKGBUILD | 10 | ||||
-rw-r--r-- | latest_tls13.patch | 249 |
3 files changed, 259 insertions, 4 deletions
@@ -1,7 +1,7 @@ pkgbase = caddy-with-cgi pkgdesc = HTTP/2 Web Server with Automatic HTTPS, with caddy-cgi plugin and gcc-go support pkgver = 0.11.4 - pkgrel = 2 + pkgrel = 3 url = https://caddyserver.com install = caddy.install arch = i686 @@ -21,6 +21,7 @@ pkgbase = caddy-with-cgi source = caddy.tmpfiles source = caddy.conf source = default_nocbc.patch + source = latest_tls13.patch source = noquic_aesni.patch source = plugins.patch sha256sums = 5f95c5dc8e0d6a63ae067bdfa42f78a4ca467cfff5407934582f1133ffcda532 @@ -31,6 +32,7 @@ pkgbase = caddy-with-cgi sha256sums = bd4d912d083be176727882ccc1bbe577a27cc160db09238e5edc05ba458aebce sha256sums = 80520b80ccabf077a3269f6a1bf55faa3811ef5adce115131b35ef2044d37b64 sha256sums = 35410797a8deb629a974dbbf4b3784c3237d3db8d9c7c589ba85e8b9dddf2be0 + sha256sums = 75f0f3744117d9423b629e67e8dcee71e52791751be822fbd524a29f9f3a7575 sha256sums = f3f9fa975a174928d727f3040fa28e2fbd073b1f4ebd3a68fa43b0aebb90eb64 sha256sums = c8d56b2295e04720ae8fe9493a7931bb2dba5c568fbcae469887ac143bd6b934 @@ -10,7 +10,7 @@ _cgipkgname='github.com/jung-kurt/caddy-cgi' # build some asm files needed by quic-go if `pacman -Qq gcc-go >/dev/null 2>/dev/null` then - NOQUIC=y + USING_GCCGO=y GOFLAGS="-gccgoflags -O2" fi @@ -18,7 +18,7 @@ pkgname=caddy-with-cgi _pkgbase=caddy pkgver=0.11.4 _cgiver=1.10 -pkgrel=2 +pkgrel=3 pkgdesc='HTTP/2 Web Server with Automatic HTTPS, with caddy-cgi plugin and gcc-go support' arch=('i686' 'x86_64' 'armv7h' 'aarch64') url='https://caddyserver.com' @@ -36,6 +36,7 @@ source=("https://$_gopkgname/archive/v$pkgver/$_pkgbase-$pkgver.tar.gz" 'caddy.tmpfiles' 'caddy.conf' 'default_nocbc.patch' + 'latest_tls13.patch' 'noquic_aesni.patch' 'plugins.patch') sha256sums=('5f95c5dc8e0d6a63ae067bdfa42f78a4ca467cfff5407934582f1133ffcda532' 
@@ -46,6 +47,7 @@ sha256sums=('5f95c5dc8e0d6a63ae067bdfa42f78a4ca467cfff5407934582f1133ffcda532' 'bd4d912d083be176727882ccc1bbe577a27cc160db09238e5edc05ba458aebce' '80520b80ccabf077a3269f6a1bf55faa3811ef5adce115131b35ef2044d37b64' '35410797a8deb629a974dbbf4b3784c3237d3db8d9c7c589ba85e8b9dddf2be0' + '75f0f3744117d9423b629e67e8dcee71e52791751be822fbd524a29f9f3a7575' 'f3f9fa975a174928d727f3040fa28e2fbd073b1f4ebd3a68fa43b0aebb90eb64' 'c8d56b2295e04720ae8fe9493a7931bb2dba5c568fbcae469887ac143bd6b934') @@ -61,9 +63,11 @@ prepare() { # fix rewrite: rewrite the URI instead of just the path # https://github.com/mholt/caddy/issues/2129 sed -i 's/URL.Path/URL.RequestURI()/g' caddyhttp/rewrite/rewrite.go - if [ "$NOQUIC" == y ] + if [ "$USING_GCCGO" == y ] then patch -p1 -i "$srcdir/noquic_aesni.patch" + else + patch -p1 -i "$srcdir/latest_tls13.patch" fi } diff --git a/latest_tls13.patch b/latest_tls13.patch new file mode 100644 index 000000000000..2c606bc7455e --- /dev/null +++ b/latest_tls13.patch 
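Review bot: The `else` branch added to prepare() means a USING_GCCGO=y build skips latest_tls13.patch entirely, yet that file bundles fixes that have nothing to do with TLS 1.3 — adding the internalsrv paths to HiddenFiles so they do not show in Browse, accepting HEAD in the static file server, and certmagic's HostQualifies check in Manage — so gccgo builds silently ship without them. Only the tls.VersionTLS13 hunks and the GODEBUG opt-in need a toolchain with TLS 1.3; the rest applies to either compiler. I would split the file: keep the TLS hunks in latest_tls13.patch under the `else`, and move the remaining hunks into a second patch applied unconditionally, e.g. `patch -p1 -i "$srcdir/caddy_fixes.patch"` right after the `sed -i ...` line (with matching `source=`/`sha256sums=` entries). Since `tls.VersionTLS13` only exists from Go 1.12, the non-gccgo build now needs Go >= 1.12, which makedepends should pin if it does not already; makedepends and the opening of prepare() are outside this hunk.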
@@ -0,0 +1,249 @@
+diff --git a/appveyor.yml b/appveyor.yml
+index b19eb7a..7d04da9 100644
+--- a/appveyor.yml
++++ b/appveyor.yml
+@@ -10,7 +10,7 @@ clone_folder: c:\gopath\src\github.com\mholt\caddy
+ environment:
+ GOPATH: c:\gopath
+ 
+-stack: go 1.11
++stack: go 1.12
+ 
+ install:
+ - set PATH=%GOPATH%\bin;%PATH%
+diff --git a/caddyhttp/internalsrv/setup.go b/caddyhttp/internalsrv/setup.go
+index 35c79d2..f70147a 100644
+--- a/caddyhttp/internalsrv/setup.go
++++ b/caddyhttp/internalsrv/setup.go
+@@ -33,7 +33,12 @@ func setup(c *caddy.Controller) error {
+ return err
+ }
+ 
+- httpserver.GetConfig(c).AddMiddleware(func(next httpserver.Handler) httpserver.Handler {
++ // Append Internal paths to Caddy config HiddenFiles to ensure
++ // files do not appear in Browse
++ config := httpserver.GetConfig(c)
++ config.HiddenFiles = append(config.HiddenFiles, paths...)
++
++ config.AddMiddleware(func(next httpserver.Handler) httpserver.Handler {
+ return Internal{Next: next, Paths: paths}
+ })
+ 
+diff --git a/caddyhttp/staticfiles/fileserver.go b/caddyhttp/staticfiles/fileserver.go
+index 93a7c6d..0863ebe 100644
+--- a/caddyhttp/staticfiles/fileserver.go
++++ b/caddyhttp/staticfiles/fileserver.go
+@@ -53,7 +53,7 @@ type FileServer struct {
+ 
+ // ServeHTTP serves static files for r according to fs's configuration.
+ func (fs FileServer) ServeHTTP(w http.ResponseWriter, r *http.Request) (int, error) {
+- if r.Method != "GET" {
++ if r.Method != "GET" && r.Method != "HEAD" {
+ return http.StatusMethodNotAllowed, nil
+ }
+ return fs.serveFile(w, r)
+diff --git a/caddytls/config.go b/caddytls/config.go
+index 77d3795..939f3df 100644
+--- a/caddytls/config.go
++++ b/caddytls/config.go
+@@ -407,7 +407,7 @@ func SetDefaultTLSParams(config *Config) {
+ config.ProtocolMinVersion = tls.VersionTLS12
+ }
+ if config.ProtocolMaxVersion == 0 {
+- config.ProtocolMaxVersion = tls.VersionTLS12
++ config.ProtocolMaxVersion = tls.VersionTLS13
+ }
+ 
+ // Prefer server cipher suites
+@@ -430,6 +430,7 @@ var SupportedProtocols = map[string]uint16{
+ "tls1.0": tls.VersionTLS10,
+ "tls1.1": tls.VersionTLS11,
+ "tls1.2": tls.VersionTLS12,
++ "tls1.3": tls.VersionTLS13,
+ }
+ 
+ // GetSupportedProtocolName returns the protocol name
+diff --git a/caddytls/selfsigned.go b/caddytls/selfsigned.go
+index 367cd73..60d5345 100644
+--- a/caddytls/selfsigned.go
++++ b/caddytls/selfsigned.go
+@@ -62,13 +62,10 @@ func newSelfSignedCertificate(ssconfig selfSignedConfig) (tls.Certificate, error
+ if len(ssconfig.SAN) == 0 {
+ ssconfig.SAN = []string{""}
+ }
+- var names []string
+ for _, san := range ssconfig.SAN {
+ if ip := net.ParseIP(san); ip != nil {
+- names = append(names, strings.ToLower(ip.String()))
+ cert.IPAddresses = append(cert.IPAddresses, ip)
+ } else {
+- names = append(names, strings.ToLower(san))
+ cert.DNSNames = append(cert.DNSNames, strings.ToLower(san))
+ }
+ }
+diff --git a/caddytls/setup.go b/caddytls/setup.go
+index 02a694b..798c743 100644
+--- a/caddytls/setup.go
++++ b/caddytls/setup.go
+@@ -34,6 +34,10 @@ import (
+ )
+ 
+ func init() {
++ // opt-in TLS 1.3 for Go1.12
++ // TODO: remove this line when Go1.13 is released.
++ os.Setenv("GODEBUG", os.Getenv("GODEBUG")+",tls13=1")
++
+ caddy.RegisterPlugin("tls", caddy.Plugin{Action: setupTLS})
+ 
+ // ensure the default Storage implementation is plugged in
+diff --git a/caddytls/setup_test.go b/caddytls/setup_test.go
+index e973eb2..3c5ded0 100644
+--- a/caddytls/setup_test.go
++++ b/caddytls/setup_test.go
+@@ -75,8 +75,8 @@ func TestSetupParseBasic(t *testing.T) {
+ if cfg.ProtocolMinVersion != tls.VersionTLS12 {
+ t.Errorf("Expected 'tls1.2 (0x0303)' as ProtocolMinVersion, got %#v", cfg.ProtocolMinVersion)
+ }
+- if cfg.ProtocolMaxVersion != tls.VersionTLS12 {
+- t.Errorf("Expected 'tls1.2 (0x0303)' as ProtocolMaxVersion, got %v", cfg.ProtocolMaxVersion)
++ if cfg.ProtocolMaxVersion != tls.VersionTLS13 {
++ t.Errorf("Expected 'tls1.3 (0x0304)' as ProtocolMaxVersion, got %#v", cfg.ProtocolMaxVersion)
+ }
+ 
+ // Cipher checks
+diff --git a/vendor/github.com/mholt/certmagic/config.go b/vendor/github.com/mholt/certmagic/config.go
+index 77072d4..a6528da 100644
+--- a/vendor/github.com/mholt/certmagic/config.go
++++ b/vendor/github.com/mholt/certmagic/config.go
+@@ -240,6 +240,10 @@ func NewWithCache(certCache *Cache, cfg Config) *Config {
+ // prepared to serve them up during TLS handshakes.
+ func (cfg *Config) Manage(domainNames []string) error {
+ for _, domainName := range domainNames {
++ if !HostQualifies(domainName) {
++ return fmt.Errorf("name does not qualify for automatic certificate management: %s", domainName)
++ }
++
+ // if on-demand is configured, simply whitelist this name
+ if cfg.OnDemand != nil {
+ if !cfg.OnDemand.whitelistContains(domainName) {
+@@ -289,6 +293,9 @@ func (cfg *Config) Manage(domainNames []string) error {
+ // it does not load them into memory. If interactive is true,
+ // the user may be shown a prompt.
+ func (cfg *Config) ObtainCert(name string, interactive bool) error {
++ if cfg.storageHasCertResources(name) {
++ return nil
++ }
+ skip, err := cfg.preObtainOrRenewChecks(name, interactive)
+ if err != nil {
+ return err
+@@ -296,16 +303,10 @@ func (cfg *Config) ObtainCert(name string, interactive bool) error {
+ if skip {
+ return nil
+ }
+-
+- if cfg.storageHasCertResources(name) {
+- return nil
+- }
+-
+ client, err := cfg.newACMEClient(interactive)
+ if err != nil {
+ return err
+ }
+-
+ return client.Obtain(name)
+ }
+ 
+diff --git a/vendor/github.com/mholt/certmagic/user.go b/vendor/github.com/mholt/certmagic/user.go
+index 9055a15..e5852d5 100644
+--- a/vendor/github.com/mholt/certmagic/user.go
++++ b/vendor/github.com/mholt/certmagic/user.go
+@@ -84,10 +84,11 @@ func (cfg *Config) getEmail(allowPrompts bool) error {
+ leEmail = Email
+ }
+ // Then try to get most recent user email from storage
++ var gotRecentEmail bool
+ if leEmail == "" {
+- leEmail = cfg.mostRecentUserEmail()
++ leEmail, gotRecentEmail = cfg.mostRecentUserEmail()
+ }
+- if leEmail == "" && allowPrompts {
++ if !gotRecentEmail && leEmail == "" && allowPrompts {
+ // Looks like there is no email address readily available,
+ // so we will have to ask the user if we can.
+ var err error
+@@ -95,10 +96,14 @@ func (cfg *Config) getEmail(allowPrompts bool) error {
+ if err != nil {
+ return err
+ }
+- cfg.Agreed = true
+ }
+- // lower-casing the email is important for consistency
+- cfg.Email = strings.ToLower(leEmail)
++
++ // save the email for later and ensure it is consistent
++ // for repeated use; then update cfg with our new defaults
++ Email = strings.TrimSpace(strings.ToLower(leEmail))
++ cfg.Email = Email
++ cfg.Agreed = Agreed
++
+ return nil
+ }
+ 
+@@ -123,6 +128,11 @@ func (cfg *Config) getAgreementURL() (string, error) {
+ return dir.Meta.TermsOfService, nil
+ }
+ 
++ // promptUserForEmail prompts the user for an email address
++ // and returns the email address they entered (which could
++ // be the empty string). If no error is returned, then Agreed
++ // will also be set to true, since continuing through the
++ // prompt signifies agreement.
+ func (cfg *Config) promptUserForEmail() (string, error) {
+ agreementURL, err := cfg.getAgreementURL()
+ if err != nil {
+@@ -139,6 +149,7 @@ func (cfg *Config) promptUserForEmail() (string, error) {
+ return "", fmt.Errorf("reading email address: %v", err)
+ }
+ leEmail = strings.TrimSpace(leEmail)
++ Agreed = true
+ return leEmail, nil
+ }
+ 
+@@ -234,10 +245,10 @@ func (cfg *Config) askUserAgreement(agreementURL string) bool {
+ // in s. Since this is part of a complex sequence to get a user
+ // account, errors here are discarded to simplify code flow in
+ // the caller, and errors are not important here anyway.
+-func (cfg *Config) mostRecentUserEmail() string {
++func (cfg *Config) mostRecentUserEmail() (string, bool) {
+ userList, err := cfg.certCache.storage.List(StorageKeys.UsersPrefix(cfg.CA), false)
+ if err != nil || len(userList) == 0 {
+- return ""
++ return "", false
+ }
+ sort.Slice(userList, func(i, j int) bool {
+ iInfo, _ := cfg.certCache.storage.Stat(userList[i])
+@@ -246,9 +257,9 @@ func (cfg *Config) mostRecentUserEmail() string {
+ })
+ user, err := cfg.getUser(path.Base(userList[0]))
+ if err != nil {
+- return ""
++ return "", false
+ }
+- return user.Email
++ return user.Email, true
+ }
+ 
+ // agreementTestURL is set during tests to skip requiring
+diff --git a/vendor/manifest b/vendor/manifest
+index 0abcba8..d00333f 100644
+--- a/vendor/manifest
++++ b/vendor/manifest
+@@ -138,7 +138,7 @@
+ "importpath": "github.com/mholt/certmagic",
+ "repository": "https://github.com/mholt/certmagic",
+ "vcs": "git",
+- "revision": "a7f18a937c080b88693cd4e14d48e42cc067b268",
++ "revision": "e3e89d1096d76d61680f8eeb8f67649baa6c54b8",
+ "branch": "master",
+ "notests": true
+ },
|
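Review bot: The `os.Setenv("GODEBUG", os.Getenv("GODEBUG")+",tls13=1")` that the caddytls/setup.go hunk adds to init() rewrites the process-wide environment unconditionally: with GODEBUG unset the value becomes `,tls13=1` (leading comma), an operator's explicit `tls13=0` now shares the string with a conflicting `tls13=1` (which one wins depends on the runtime's parser), and because this package bundles caddy-cgi the altered GODEBUG is inherited by every CGI child if the plugin forwards the parent environment. I would only append when the key is absent and join correctly, e.g. `if gd := os.Getenv("GODEBUG"); !strings.Contains(gd, "tls13=") { os.Setenv("GODEBUG", strings.TrimPrefix(gd+",tls13=1", ",")) }` (strings may need importing in setup.go; its import block is outside the hunk). The comment should also say why this is an init()-time side effect rather than configuration: `// Go 1.12 gates TLS 1.3 behind GODEBUG=tls13=1 and crypto/tls appears to read it once, so it must be set before the first handshake; drop once Go 1.13 is the minimum.` The init() body continues past this hunk. Separately, vendor/manifest is bumped to certmagic e3e89d1 while only selected certmagic hunks are applied by hand, so the manifest no longer describes the vendored tree — worth stating in the patch header so the next vendor refresh does not assume a clean sync.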