Diffstat (limited to 'latest_tls13.patch')
-rw-r--r--latest_tls13.patch249
1 files changed, 249 insertions, 0 deletions
diff --git a/latest_tls13.patch b/latest_tls13.patch
new file mode 100644
index 000000000000..2c606bc7455e
--- /dev/null
+++ b/latest_tls13.patch
@@ -0,0 +1,249 @@
+diff --git a/appveyor.yml b/appveyor.yml
+index b19eb7a..7d04da9 100644
+--- a/appveyor.yml
++++ b/appveyor.yml
+@@ -10,7 +10,7 @@ clone_folder: c:\gopath\src\github.com\mholt\caddy
+ environment:
+ GOPATH: c:\gopath
+
+-stack: go 1.11
++stack: go 1.12
+
+ install:
+ - set PATH=%GOPATH%\bin;%PATH%
+diff --git a/caddyhttp/internalsrv/setup.go b/caddyhttp/internalsrv/setup.go
+index 35c79d2..f70147a 100644
+--- a/caddyhttp/internalsrv/setup.go
++++ b/caddyhttp/internalsrv/setup.go
+@@ -33,7 +33,12 @@ func setup(c *caddy.Controller) error {
+ return err
+ }
+
+- httpserver.GetConfig(c).AddMiddleware(func(next httpserver.Handler) httpserver.Handler {
++ // Append Internal paths to Caddy config HiddenFiles to ensure
++ // files do not appear in Browse
++ config := httpserver.GetConfig(c)
++ config.HiddenFiles = append(config.HiddenFiles, paths...)
++
++ config.AddMiddleware(func(next httpserver.Handler) httpserver.Handler {
+ return Internal{Next: next, Paths: paths}
+ })
+
+diff --git a/caddyhttp/staticfiles/fileserver.go b/caddyhttp/staticfiles/fileserver.go
+index 93a7c6d..0863ebe 100644
+--- a/caddyhttp/staticfiles/fileserver.go
++++ b/caddyhttp/staticfiles/fileserver.go
+@@ -53,7 +53,7 @@ type FileServer struct {
+
+ // ServeHTTP serves static files for r according to fs's configuration.
+ func (fs FileServer) ServeHTTP(w http.ResponseWriter, r *http.Request) (int, error) {
+- if r.Method != "GET" {
++ if r.Method != "GET" && r.Method != "HEAD" {
+ return http.StatusMethodNotAllowed, nil
+ }
+ return fs.serveFile(w, r)
+diff --git a/caddytls/config.go b/caddytls/config.go
+index 77d3795..939f3df 100644
+--- a/caddytls/config.go
++++ b/caddytls/config.go
+@@ -407,7 +407,7 @@ func SetDefaultTLSParams(config *Config) {
+ config.ProtocolMinVersion = tls.VersionTLS12
+ }
+ if config.ProtocolMaxVersion == 0 {
+- config.ProtocolMaxVersion = tls.VersionTLS12
++ config.ProtocolMaxVersion = tls.VersionTLS13
+ }
+
+ // Prefer server cipher suites
+@@ -430,6 +430,7 @@ var SupportedProtocols = map[string]uint16{
+ "tls1.0": tls.VersionTLS10,
+ "tls1.1": tls.VersionTLS11,
+ "tls1.2": tls.VersionTLS12,
++ "tls1.3": tls.VersionTLS13,
+ }
+
+ // GetSupportedProtocolName returns the protocol name
+diff --git a/caddytls/selfsigned.go b/caddytls/selfsigned.go
+index 367cd73..60d5345 100644
+--- a/caddytls/selfsigned.go
++++ b/caddytls/selfsigned.go
+@@ -62,13 +62,10 @@ func newSelfSignedCertificate(ssconfig selfSignedConfig) (tls.Certificate, error
+ if len(ssconfig.SAN) == 0 {
+ ssconfig.SAN = []string{""}
+ }
+- var names []string
+ for _, san := range ssconfig.SAN {
+ if ip := net.ParseIP(san); ip != nil {
+- names = append(names, strings.ToLower(ip.String()))
+ cert.IPAddresses = append(cert.IPAddresses, ip)
+ } else {
+- names = append(names, strings.ToLower(san))
+ cert.DNSNames = append(cert.DNSNames, strings.ToLower(san))
+ }
+ }
+diff --git a/caddytls/setup.go b/caddytls/setup.go
+index 02a694b..798c743 100644
+--- a/caddytls/setup.go
++++ b/caddytls/setup.go
+@@ -34,6 +34,10 @@ import (
+ )
+
+ func init() {
++ // opt-in TLS 1.3 for Go1.12
++ // TODO: remove this line when Go1.13 is released.
++ os.Setenv("GODEBUG", os.Getenv("GODEBUG")+",tls13=1")
++
+ caddy.RegisterPlugin("tls", caddy.Plugin{Action: setupTLS})
+
+ // ensure the default Storage implementation is plugged in
+diff --git a/caddytls/setup_test.go b/caddytls/setup_test.go
+index e973eb2..3c5ded0 100644
+--- a/caddytls/setup_test.go
++++ b/caddytls/setup_test.go
+@@ -75,8 +75,8 @@ func TestSetupParseBasic(t *testing.T) {
+ if cfg.ProtocolMinVersion != tls.VersionTLS12 {
+ t.Errorf("Expected 'tls1.2 (0x0303)' as ProtocolMinVersion, got %#v", cfg.ProtocolMinVersion)
+ }
+- if cfg.ProtocolMaxVersion != tls.VersionTLS12 {
+- t.Errorf("Expected 'tls1.2 (0x0303)' as ProtocolMaxVersion, got %v", cfg.ProtocolMaxVersion)
++ if cfg.ProtocolMaxVersion != tls.VersionTLS13 {
++ t.Errorf("Expected 'tls1.3 (0x0304)' as ProtocolMaxVersion, got %#v", cfg.ProtocolMaxVersion)
+ }
+
+ // Cipher checks
+diff --git a/vendor/github.com/mholt/certmagic/config.go b/vendor/github.com/mholt/certmagic/config.go
+index 77072d4..a6528da 100644
+--- a/vendor/github.com/mholt/certmagic/config.go
++++ b/vendor/github.com/mholt/certmagic/config.go
+@@ -240,6 +240,10 @@ func NewWithCache(certCache *Cache, cfg Config) *Config {
+ // prepared to serve them up during TLS handshakes.
+ func (cfg *Config) Manage(domainNames []string) error {
+ for _, domainName := range domainNames {
++ if !HostQualifies(domainName) {
++ return fmt.Errorf("name does not qualify for automatic certificate management: %s", domainName)
++ }
++
+ // if on-demand is configured, simply whitelist this name
+ if cfg.OnDemand != nil {
+ if !cfg.OnDemand.whitelistContains(domainName) {
+@@ -289,6 +293,9 @@ func (cfg *Config) Manage(domainNames []string) error {
+ // it does not load them into memory. If interactive is true,
+ // the user may be shown a prompt.
+ func (cfg *Config) ObtainCert(name string, interactive bool) error {
++ if cfg.storageHasCertResources(name) {
++ return nil
++ }
+ skip, err := cfg.preObtainOrRenewChecks(name, interactive)
+ if err != nil {
+ return err
+@@ -296,16 +303,10 @@ func (cfg *Config) ObtainCert(name string, interactive bool) error {
+ if skip {
+ return nil
+ }
+-
+- if cfg.storageHasCertResources(name) {
+- return nil
+- }
+-
+ client, err := cfg.newACMEClient(interactive)
+ if err != nil {
+ return err
+ }
+-
+ return client.Obtain(name)
+ }
+
+diff --git a/vendor/github.com/mholt/certmagic/user.go b/vendor/github.com/mholt/certmagic/user.go
+index 9055a15..e5852d5 100644
+--- a/vendor/github.com/mholt/certmagic/user.go
++++ b/vendor/github.com/mholt/certmagic/user.go
+@@ -84,10 +84,11 @@ func (cfg *Config) getEmail(allowPrompts bool) error {
+ leEmail = Email
+ }
+ // Then try to get most recent user email from storage
++ var gotRecentEmail bool
+ if leEmail == "" {
+- leEmail = cfg.mostRecentUserEmail()
++ leEmail, gotRecentEmail = cfg.mostRecentUserEmail()
+ }
+- if leEmail == "" && allowPrompts {
++ if !gotRecentEmail && leEmail == "" && allowPrompts {
+ // Looks like there is no email address readily available,
+ // so we will have to ask the user if we can.
+ var err error
+@@ -95,10 +96,14 @@ func (cfg *Config) getEmail(allowPrompts bool) error {
+ if err != nil {
+ return err
+ }
+- cfg.Agreed = true
+ }
+- // lower-casing the email is important for consistency
+- cfg.Email = strings.ToLower(leEmail)
++
++ // save the email for later and ensure it is consistent
++ // for repeated use; then update cfg with our new defaults
++ Email = strings.TrimSpace(strings.ToLower(leEmail))
++ cfg.Email = Email
++ cfg.Agreed = Agreed
++
+ return nil
+ }
+
+@@ -123,6 +128,11 @@ func (cfg *Config) getAgreementURL() (string, error) {
+ return dir.Meta.TermsOfService, nil
+ }
+
++// promptUserForEmail prompts the user for an email address
++// and returns the email address they entered (which could
++// be the empty string). If no error is returned, then Agreed
++// will also be set to true, since continuing through the
++// prompt signifies agreement.
+ func (cfg *Config) promptUserForEmail() (string, error) {
+ agreementURL, err := cfg.getAgreementURL()
+ if err != nil {
+@@ -139,6 +149,7 @@ func (cfg *Config) promptUserForEmail() (string, error) {
+ return "", fmt.Errorf("reading email address: %v", err)
+ }
+ leEmail = strings.TrimSpace(leEmail)
++ Agreed = true
+ return leEmail, nil
+ }
+
+@@ -234,10 +245,10 @@ func (cfg *Config) askUserAgreement(agreementURL string) bool {
+ // in s. Since this is part of a complex sequence to get a user
+ // account, errors here are discarded to simplify code flow in
+ // the caller, and errors are not important here anyway.
+-func (cfg *Config) mostRecentUserEmail() string {
++func (cfg *Config) mostRecentUserEmail() (string, bool) {
+ userList, err := cfg.certCache.storage.List(StorageKeys.UsersPrefix(cfg.CA), false)
+ if err != nil || len(userList) == 0 {
+- return ""
++ return "", false
+ }
+ sort.Slice(userList, func(i, j int) bool {
+ iInfo, _ := cfg.certCache.storage.Stat(userList[i])
+@@ -246,9 +257,9 @@ func (cfg *Config) mostRecentUserEmail() string {
+ })
+ user, err := cfg.getUser(path.Base(userList[0]))
+ if err != nil {
+- return ""
++ return "", false
+ }
+- return user.Email
++ return user.Email, true
+ }
+
+ // agreementTestURL is set during tests to skip requiring
+diff --git a/vendor/manifest b/vendor/manifest
+index 0abcba8..d00333f 100644
+--- a/vendor/manifest
++++ b/vendor/manifest
+@@ -138,7 +138,7 @@
+ "importpath": "github.com/mholt/certmagic",
+ "repository": "https://github.com/mholt/certmagic",
+ "vcs": "git",
+- "revision": "a7f18a937c080b88693cd4e14d48e42cc067b268",
++ "revision": "e3e89d1096d76d61680f8eeb8f67649baa6c54b8",
+ "branch": "master",
+ "notests": true
+ },
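Review bot: The `os.Setenv("GODEBUG", os.Getenv("GODEBUG")+",tls13=1")` added to `init()` in caddytls/setup.go is a process-wide, inheritable side effect rather than a crypto/tls setting: any child process Caddy launches inherits the modified variable, and the opt-in only takes effect if this init runs before the first TLS handshake reads the flag, which I believe is evaluated lazily in Go 1.12 but should be confirmed. When GODEBUG is unset the result starts with a comma (`,tls13=1`); the crypto/tls key lookup appears to tolerate that, but a guard such as `if g := os.Getenv("GODEBUG"); g != "" { g += "," }` would make the value well-formed regardless. The new default `ProtocolMaxVersion = tls.VersionTLS13` in caddytls/config.go depends on this opt-in on Go 1.12 and may silently fall back to TLS 1.2 without it, so the comment on the Setenv line should say so, e.g. `// Go 1.12 only: without this opt-in the TLS 1.3 default in SetDefaultTLSParams is not honoured; affects the whole process and any child it spawns.` The enclosing `init()` continues outside the hunk.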