authorGravatar JINMEI Tatuya <jtatuya@infoblox.com> 2019-05-31 09:30:15 -0700
committerGravatar John Belamaric <jbelamaric@google.com> 2019-05-31 09:30:15 -0700
commita6d9adbf4a72b20097c9c67e438675f7af76618b (patch)
tree944d205756a7f22497c273fe79315331c478f858 /plugin/tls/tls.go
parent5565ca1c0342b71fbd708aea6085b7472020db97 (diff)
make sure client CA and auth type are set if CA is explicitly specified. (#2825)
* make sure client CA and auth type are set if CA is explicitly specified. added some simple tests to confirm the effect. * test certificates (forgot to add them in the previous commit) * made client auth policy configurable with new client_auth option. README has been updated accordingly. * fix editorial in README
Diffstat (limited to 'plugin/tls/tls.go')
-rw-r--r--plugin/tls/tls.go41
1 files changed, 40 insertions, 1 deletions
diff --git a/plugin/tls/tls.go b/plugin/tls/tls.go
index e08e522ab..cde543ea0 100644
--- a/plugin/tls/tls.go
+++ b/plugin/tls/tls.go
@@ -1,6 +1,8 @@
package tls
import (
+ ctls "crypto/tls"
+
"github.com/coredns/coredns/core/dnsserver"
"github.com/coredns/coredns/plugin"
"github.com/coredns/coredns/plugin/pkg/tls"
@@ -16,6 +18,14 @@ func init() {
}
func setup(c *caddy.Controller) error {
+ err := parseTLS(c)
+ if err != nil {
+ return plugin.Error("tls", err)
+ }
+ return nil
+}
+
+func parseTLS(c *caddy.Controller) error {
config := dnsserver.GetConfig(c)
if config.TLSConfig != nil {
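Review bot: The new setup wrapper applies plugin.Error("tls", err) to everything parseTLS returns, but the existing argument-count check that is now inside parseTLS (the `return plugin.Error("tls", c.ArgErr())` visible in the next hunk) still wraps as well, so that path will carry a doubled "plugin/tls:" prefix. The commit changed the NewTLSConfigFromArgs error to a bare `return err`; the ArgErr return should be made consistent: `return c.ArgErr()`. Note that parseTLS continues past this hunk and the body of the `if config.TLSConfig != nil` branch is not visible here.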
@@ -27,10 +37,39 @@ func setup(c *caddy.Controller) error {
if len(args) < 2 || len(args) > 3 {
return plugin.Error("tls", c.ArgErr())
}
+ clientAuth := ctls.NoClientCert
+ for c.NextBlock() {
+ switch c.Val() {
+ case "client_auth":
+ authTypeArgs := c.RemainingArgs()
+ if len(authTypeArgs) != 1 {
+ return c.ArgErr()
+ }
+ switch authTypeArgs[0] {
+ case "nocert":
+ clientAuth = ctls.NoClientCert
+ case "request":
+ clientAuth = ctls.RequestClientCert
+ case "require":
+ clientAuth = ctls.RequireAnyClientCert
+ case "verify_if_given":
+ clientAuth = ctls.VerifyClientCertIfGiven
+ case "require_and_verify":
+ clientAuth = ctls.RequireAndVerifyClientCert
+ default:
+ return c.Errf("unknown authentication type '%s'", authTypeArgs[0])
+ }
+ default:
+ return c.Errf("unknown option '%s'", c.Val())
+ }
+ }
tls, err := tls.NewTLSConfigFromArgs(args...)
if err != nil {
- return plugin.Error("tls", err)
+ return err
}
+ tls.ClientAuth = clientAuth
+ // NewTLSConfigFromArgs only sets RootCAs, so we need to let ClientCAs refer to it.
+ tls.ClientCAs = tls.RootCAs
config.TLSConfig = tls
}
return nil
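Review bot: `tls.ClientCAs = tls.RootCAs` is only meaningful when a CA file was actually passed; with the two-argument form (cert and key only) the comment on the preceding line says NewTLSConfigFromArgs sets nothing else, so ClientCAs will presumably be nil, and in crypto/tls a nil ClientCAs makes `verify_if_given` and `require_and_verify` validate client certificates against the system root store rather than an operator-chosen CA. That silently widens who can authenticate as a client, so the verifying modes should be rejected unless a CA was configured, e.g. after the assignment: `if tls.ClientCAs == nil && (clientAuth == ctls.VerifyClientCertIfGiven || clientAuth == ctls.RequireAndVerifyClientCert) { return c.Errf("client_auth verify_if_given/require_and_verify requires a CA certificate") }`. The README should also state that the CA argument is reused as the client-certificate trust anchor, since sharing one pool for RootCAs and ClientCAs is a deliberate coupling an operator needs to know about. The closing brace of parseTLS lies past the end of this hunk.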