author | 2019-05-31 09:30:15 -0700 | |
---|---|---|
committer | 2019-05-31 09:30:15 -0700 | |
commit | a6d9adbf4a72b20097c9c67e438675f7af76618b (patch) | |
tree | 944d205756a7f22497c273fe79315331c478f858 /plugin/tls/tls.go | |
parent | 5565ca1c0342b71fbd708aea6085b7472020db97 (diff) | |
make sure client CA and auth type are set if CA is explicitly specified. (#2825)
* make sure client CA and auth type are set if CA is explicitly specified.
added some simple tests to confirm the effect.
* test certificates (forgot to add them in the previous commit)
* made client auth policy configurable with new client_auth option.
README has been updated accordingly.
* fix editorial in README
Diffstat (limited to 'plugin/tls/tls.go')
-rw-r--r-- | plugin/tls/tls.go | 41 |
1 files changed, 40 insertions, 1 deletions
diff --git a/plugin/tls/tls.go b/plugin/tls/tls.go
index e08e522ab..cde543ea0 100644
--- a/plugin/tls/tls.go
+++ b/plugin/tls/tls.go
@@ -1,6 +1,8 @@
 package tls
 
 import (
+	ctls "crypto/tls"
+
 	"github.com/coredns/coredns/core/dnsserver"
 	"github.com/coredns/coredns/plugin"
 	"github.com/coredns/coredns/plugin/pkg/tls"
@@ -16,6 +18,14 @@ func init() {
 }
 
 func setup(c *caddy.Controller) error {
+	err := parseTLS(c)
+	if err != nil {
+		return plugin.Error("tls", err)
+	}
+	return nil
+}
+
+func parseTLS(c *caddy.Controller) error {
 	config := dnsserver.GetConfig(c)
 
 	if config.TLSConfig != nil {
@@ -27,10 +37,39 @@ func setup(c *caddy.Controller) error {
 		if len(args) < 2 || len(args) > 3 {
 			return plugin.Error("tls", c.ArgErr())
 		}
+		clientAuth := ctls.NoClientCert
+		for c.NextBlock() {
+			switch c.Val() {
+			case "client_auth":
+				authTypeArgs := c.RemainingArgs()
+				if len(authTypeArgs) != 1 {
+					return c.ArgErr()
+				}
+				switch authTypeArgs[0] {
+				case "nocert":
+					clientAuth = ctls.NoClientCert
+				case "request":
+					clientAuth = ctls.RequestClientCert
+				case "require":
+					clientAuth = ctls.RequireAnyClientCert
+				case "verify_if_given":
+					clientAuth = ctls.VerifyClientCertIfGiven
+				case "require_and_verify":
+					clientAuth = ctls.RequireAndVerifyClientCert
+				default:
+					return c.Errf("unknown authentication type '%s'", authTypeArgs[0])
+				}
+			default:
+				return c.Errf("unknown option '%s'", c.Val())
+			}
+		}
 		tls, err := tls.NewTLSConfigFromArgs(args...)
 		if err != nil {
-			return plugin.Error("tls", err)
+			return err
 		}
+		tls.ClientAuth = clientAuth
+		// NewTLSConfigFromArgs only sets RootCAs, so we need to let ClientCAs refer to it.
+		tls.ClientCAs = tls.RootCAs
 		config.TLSConfig = tls
 	}
 	return nil
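Review bot: Now that setup wraps every error from parseTLS with plugin.Error("tls", ...), the argument-count branch that survives as context in the third hunk, `return plugin.Error("tls", c.ArgErr())`, gets wrapped twice and will surface as "plugin/tls: plugin/tls: ..."; it should become `return c.ArgErr()` to match the `return err` the same hunk introduces for NewTLSConfigFromArgs. parseTLS also deserves a doc comment since it is now the function carrying the parsing logic, e.g. `// parseTLS parses the tls directive and its optional client_auth block into the server's TLSConfig.`. The body of parseTLS continues into the next hunk and its closing brace is outside the diff.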
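Review bot: `tls.ClientCAs = tls.RootCAs` is unconditional, and in the two-argument form (cert and key only) RootCAs is presumably nil, which is the one value that makes crypto/tls fall back to the system root store when verifying client certificates; combined with `client_auth verify_if_given` or `require_and_verify` that silently accepts any client certificate chaining to a public CA rather than the operator's own. Since the option is meant to be used with an explicit CA, the parser should reject the verifying modes without one, inserted after the ClientCAs assignment: `if tls.ClientCAs == nil && (clientAuth == ctls.VerifyClientCertIfGiven || clientAuth == ctls.RequireAndVerifyClientCert) { return c.Errf("client_auth verification requires a CA certificate") }`. Whether NewTLSConfigFromArgs leaves RootCAs nil in that form is not visible in this diff and should be confirmed. As a style point, the two `c.Errf` messages quote with `'%s'`; `%q` is the Go idiom and also escapes odd input from the Corefile.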