CERBERUS/caddy
1
0
Fork 0
mirror of https://github.com/caddyserver/caddy.git synced 2026-06-29 13:21:51 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

tls: Add insecure_disable_sni_matching subdirective (#3075)

Browse source 
* Disable StrictHostMatching for single server configs

* Add the insecure_disable_sni_matching directive

* Do not override insecure_disable_sni_matching

* Remove comment
This commit is contained in:
Daniel Santos 2020-02-25 16:04:59 -07:00 committed by GitHub
parent c953d17bcc
commit 4fbdd23283
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 16 additions and 18 deletions
Download patch file Download diff file Expand all files Collapse all files

7
caddyhttp/httpserver/plugin.go
View file

@ -251,7 +251,6 @@ func (h *httpContext) MakeServers() ([]caddy.Server, error) {
// 2) if QUIC is enabled, TLS ClientAuth is not, because
// currently, QUIC does not support ClientAuth (TODO:
// revisit this when our QUIC implementation supports it)
// 3) if TLS ClientAuth is used, StrictHostMatching is on
var atLeastOneSiteLooksLikeProduction bool
for _, cfg := range h.siteConfigs {
// see if all the addresses (both sites and
@ -292,12 +291,6 @@ func (h *httpContext) MakeServers() ([]caddy.Server, error) {
if QUIC {
return nil, fmt.Errorf("cannot enable TLS client authentication with QUIC, because QUIC does not yet support it")
}
// this must be enabled so that a client cannot connect
// using SNI for another site on this listener that
// does NOT require ClientAuth, and then send HTTP
// requests with the Host header of this site which DOES
// require client auth, thus bypassing it...
cfg.StrictHostMatching = true
}
}