mirrors/traefik
1
0
Fork 0
mirror of https://github.com/traefik/traefik.git synced 2025-09-23 23:01:14 +02:00
Code Issues Projects Releases Wiki Activity

fix: restrict protocol for TLS Challenge.

Browse Source
This commit is contained in:
Ludovic Fernandez 2020-10-08 13:34:04 +02:00 committed by GitHub
parent 556f7608db
commit d2435cf43b
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 11 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
pkg/tls/tlsmanager.go
View File

@ -106,7 +106,7 @@ func (m *Manager) Get(storeName, configName string) (*tls.Config, error) {
tlsConfig.GetCertificate = func(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error) { tlsConfig.GetCertificate = func(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error) {
domainToCheck := types.CanonicalDomain(clientHello.ServerName) domainToCheck := types.CanonicalDomain(clientHello.ServerName)
if m.TLSAlpnGetter != nil { if m.TLSAlpnGetter != nil && isACMETLS(clientHello) {
cert, err := m.TLSAlpnGetter(domainToCheck) cert, err := m.TLSAlpnGetter(domainToCheck)
if err != nil { if err != nil {
return nil, err return nil, err
@ -282,3 +282,13 @@ func buildDefaultCertificate(defaultCertificate *Certificate) (*tls.Certificate,
} }
return &cert, nil return &cert, nil
} }
func isACMETLS(clientHello *tls.ClientHelloInfo) bool {
for _, proto := range clientHello.SupportedProtos {
if proto == tlsalpn01.ACMETLS1Protocol {
return true
}
}
return false
}