2019-03-14 11:30:04 +03:00
package tls
import (
2019-09-13 20:28:04 +03:00
"context"
2019-03-14 11:30:04 +03:00
"crypto/tls"
"crypto/x509"
2019-07-12 18:50:04 +03:00
"errors"
2019-03-14 11:30:04 +03:00
"fmt"
"sync"
2020-09-04 11:52:03 +03:00
"github.com/go-acme/lego/v4/challenge/tlsalpn01"
2019-03-14 11:30:04 +03:00
"github.com/sirupsen/logrus"
2020-09-16 16:46:04 +03:00
"github.com/traefik/traefik/v2/pkg/log"
"github.com/traefik/traefik/v2/pkg/tls/generate"
"github.com/traefik/traefik/v2/pkg/types"
2019-03-14 11:30:04 +03:00
)
2021-06-14 11:06:05 +03:00
const (
// DefaultTLSConfigName is the name of the default set of options for configuring TLS.
DefaultTLSConfigName = "default"
// DefaultTLSStoreName is the name of the default store of TLS certificates.
// Note that it actually is the only usable one for now.
DefaultTLSStoreName = "default"
)
2019-11-14 18:40:05 +03:00
// DefaultTLSOptions the default TLS options.
var DefaultTLSOptions = Options { }
2020-05-11 13:06:07 +03:00
// Manager is the TLS option/store/configuration factory.
2019-03-14 11:30:04 +03:00
type Manager struct {
2021-06-14 11:06:05 +03:00
lock sync . RWMutex
2020-10-29 17:40:04 +03:00
storesConfig map [ string ] Store
stores map [ string ] * CertificateStore
configs map [ string ] Options
certs [ ] * CertAndStores
2019-03-14 11:30:04 +03:00
}
2020-05-11 13:06:07 +03:00
// NewManager creates a new Manager.
2019-03-14 11:30:04 +03:00
func NewManager ( ) * Manager {
2019-11-14 18:40:05 +03:00
return & Manager {
stores : map [ string ] * CertificateStore { } ,
configs : map [ string ] Options {
"default" : DefaultTLSOptions ,
} ,
}
2019-03-14 11:30:04 +03:00
}
2020-05-11 13:06:07 +03:00
// UpdateConfigs updates the TLS* configuration options.
2021-06-14 11:06:05 +03:00
// It initializes the default TLS store, and the TLS store for the ACME challenges.
2019-09-13 20:28:04 +03:00
func ( m * Manager ) UpdateConfigs ( ctx context . Context , stores map [ string ] Store , configs map [ string ] Options , certs [ ] * CertAndStores ) {
2019-03-14 11:30:04 +03:00
m . lock . Lock ( )
defer m . lock . Unlock ( )
m . configs = configs
m . storesConfig = stores
m . certs = certs
2021-06-14 11:06:05 +03:00
if m . storesConfig == nil {
m . storesConfig = make ( map [ string ] Store )
}
if _ , ok := m . storesConfig [ DefaultTLSStoreName ] ; ! ok {
m . storesConfig [ DefaultTLSStoreName ] = Store { }
}
if _ , ok := m . storesConfig [ tlsalpn01 . ACMETLS1Protocol ] ; ! ok {
m . storesConfig [ tlsalpn01 . ACMETLS1Protocol ] = Store { }
}
2019-03-14 11:30:04 +03:00
m . stores = make ( map [ string ] * CertificateStore )
for storeName , storeConfig := range m . storesConfig {
2019-09-13 20:28:04 +03:00
ctxStore := log . With ( ctx , log . Str ( log . TLSStoreName , storeName ) )
2021-06-14 11:06:05 +03:00
store , err := buildCertificateStore ( ctxStore , storeConfig , storeName )
2019-03-14 11:30:04 +03:00
if err != nil {
2019-09-13 20:28:04 +03:00
log . FromContext ( ctxStore ) . Errorf ( "Error while creating certificate store: %v" , err )
2019-06-21 17:32:04 +03:00
continue
2019-03-14 11:30:04 +03:00
}
2019-06-21 17:32:04 +03:00
m . stores [ storeName ] = store
2019-03-14 11:30:04 +03:00
}
storesCertificates := make ( map [ string ] map [ string ] * tls . Certificate )
for _ , conf := range certs {
if len ( conf . Stores ) == 0 {
if log . GetLevel ( ) >= logrus . DebugLevel {
2019-09-13 20:28:04 +03:00
log . FromContext ( ctx ) . Debugf ( "No store is defined to add the certificate %s, it will be added to the default store." ,
2019-03-14 11:30:04 +03:00
conf . Certificate . GetTruncatedCertificateName ( ) )
}
conf . Stores = [ ] string { "default" }
}
for _ , store := range conf . Stores {
2019-09-13 20:28:04 +03:00
ctxStore := log . With ( ctx , log . Str ( log . TLSStoreName , store ) )
2019-04-15 13:32:03 +03:00
if err := conf . Certificate . AppendCertificate ( storesCertificates , store ) ; err != nil {
2019-09-13 20:28:04 +03:00
log . FromContext ( ctxStore ) . Errorf ( "Unable to append certificate %s to store: %v" , conf . Certificate . GetTruncatedCertificateName ( ) , err )
2019-03-14 11:30:04 +03:00
}
}
}
for storeName , certs := range storesCertificates {
2021-06-14 11:06:05 +03:00
st , ok := m . stores [ storeName ]
if ! ok {
st , _ = buildCertificateStore ( context . Background ( ) , Store { } , storeName )
m . stores [ storeName ] = st
}
st . DynamicCerts . Set ( certs )
2019-03-14 11:30:04 +03:00
}
}
2020-05-11 13:06:07 +03:00
// Get gets the TLS configuration to use for a given store / configuration.
2020-07-07 15:42:03 +03:00
func ( m * Manager ) Get ( storeName , configName string ) ( * tls . Config , error ) {
2019-03-14 11:30:04 +03:00
m . lock . RLock ( )
defer m . lock . RUnlock ( )
2019-07-19 12:52:04 +03:00
var tlsConfig * tls . Config
var err error
2021-06-14 11:06:05 +03:00
sniStrict := false
2019-06-17 19:14:08 +03:00
config , ok := m . configs [ configName ]
2021-06-14 11:06:05 +03:00
if ok {
sniStrict = config . SniStrict
tlsConfig , err = buildTLSConfig ( config )
} else {
2019-07-19 12:52:04 +03:00
err = fmt . Errorf ( "unknown TLS options: %s" , configName )
2021-06-14 11:06:05 +03:00
}
if err != nil {
2019-07-19 12:52:04 +03:00
tlsConfig = & tls . Config { }
2019-06-17 19:14:08 +03:00
}
2019-03-14 11:30:04 +03:00
store := m . getStore ( storeName )
2021-06-14 11:06:05 +03:00
if store == nil {
err = fmt . Errorf ( "TLS store %s not found" , storeName )
}
2020-10-29 17:40:04 +03:00
acmeTLSStore := m . getStore ( tlsalpn01 . ACMETLS1Protocol )
2021-06-14 11:06:05 +03:00
if acmeTLSStore == nil {
err = fmt . Errorf ( "ACME TLS store %s not found" , tlsalpn01 . ACMETLS1Protocol )
2019-03-14 11:30:04 +03:00
}
tlsConfig . GetCertificate = func ( clientHello * tls . ClientHelloInfo ) ( * tls . Certificate , error ) {
domainToCheck := types . CanonicalDomain ( clientHello . ServerName )
2020-10-29 17:40:04 +03:00
if isACMETLS ( clientHello ) {
certificate := acmeTLSStore . GetBestCertificate ( clientHello )
if certificate == nil {
return nil , fmt . Errorf ( "no certificate for TLSALPN challenge: %s" , domainToCheck )
2019-03-14 11:30:04 +03:00
}
2020-10-29 17:40:04 +03:00
return certificate , nil
2019-03-14 11:30:04 +03:00
}
bestCertificate := store . GetBestCertificate ( clientHello )
if bestCertificate != nil {
return bestCertificate , nil
}
2021-06-14 11:06:05 +03:00
if sniStrict {
2019-03-14 11:30:04 +03:00
return nil , fmt . Errorf ( "strict SNI enabled - No certificate found for domain: %q, closing connection" , domainToCheck )
}
log . WithoutContext ( ) . Debugf ( "Serving default certificate for request: %q" , domainToCheck )
return store . DefaultCertificate , nil
}
2019-07-19 12:52:04 +03:00
return tlsConfig , err
2019-03-14 11:30:04 +03:00
}
2020-12-18 20:44:03 +03:00
// GetCertificates returns all stored certificates.
func ( m * Manager ) GetCertificates ( ) [ ] * x509 . Certificate {
var certificates [ ] * x509 . Certificate
// We iterate over all the certificates.
for _ , store := range m . stores {
if store . DynamicCerts != nil && store . DynamicCerts . Get ( ) != nil {
for _ , cert := range store . DynamicCerts . Get ( ) . ( map [ string ] * tls . Certificate ) {
x509Cert , err := x509 . ParseCertificate ( cert . Certificate [ 0 ] )
if err != nil {
continue
}
certificates = append ( certificates , x509Cert )
}
}
}
return certificates
}
2021-06-14 11:06:05 +03:00
// getStore returns the store found for storeName, or nil otherwise.
2019-03-14 11:30:04 +03:00
func ( m * Manager ) getStore ( storeName string ) * CertificateStore {
2021-06-14 11:06:05 +03:00
st , ok := m . stores [ storeName ]
2019-03-14 11:30:04 +03:00
if ! ok {
2021-06-14 11:06:05 +03:00
return nil
2019-03-14 11:30:04 +03:00
}
2021-06-14 11:06:05 +03:00
return st
2019-03-14 11:30:04 +03:00
}
2020-05-11 13:06:07 +03:00
// GetStore gets the certificate store of a given name.
2019-03-14 11:30:04 +03:00
func ( m * Manager ) GetStore ( storeName string ) * CertificateStore {
m . lock . RLock ( )
defer m . lock . RUnlock ( )
return m . getStore ( storeName )
}
2021-06-14 11:06:05 +03:00
func buildCertificateStore ( ctx context . Context , tlsStore Store , storename string ) ( * CertificateStore , error ) {
2019-03-14 11:30:04 +03:00
certificateStore := NewCertificateStore ( )
certificateStore . DynamicCerts . Set ( make ( map [ string ] * tls . Certificate ) )
if tlsStore . DefaultCertificate != nil {
cert , err := buildDefaultCertificate ( tlsStore . DefaultCertificate )
if err != nil {
2019-06-21 17:32:04 +03:00
return certificateStore , err
2019-03-14 11:30:04 +03:00
}
certificateStore . DefaultCertificate = cert
2021-06-14 11:06:05 +03:00
return certificateStore , nil
}
// a default cert for the ACME store does not make any sense, so generating one
// is a waste.
if storename == tlsalpn01 . ACMETLS1Protocol {
return certificateStore , nil
}
log . FromContext ( ctx ) . Debug ( "No default certificate, generating one" )
cert , err := generate . DefaultCertificate ( )
if err != nil {
return certificateStore , err
2019-03-14 11:30:04 +03:00
}
2021-06-14 11:06:05 +03:00
certificateStore . DefaultCertificate = cert
2019-03-14 11:30:04 +03:00
return certificateStore , nil
}
2020-05-11 13:06:07 +03:00
// creates a TLS config that allows terminating HTTPS for multiple domains using SNI.
2019-06-28 00:58:03 +03:00
func buildTLSConfig ( tlsOption Options ) ( * tls . Config , error ) {
2019-03-14 11:30:04 +03:00
conf := & tls . Config { }
// ensure http2 enabled
conf . NextProtos = [ ] string { "h2" , "http/1.1" , tlsalpn01 . ACMETLS1Protocol }
2019-07-12 18:50:04 +03:00
if len ( tlsOption . ClientAuth . CAFiles ) > 0 {
2019-03-14 11:30:04 +03:00
pool := x509 . NewCertPool ( )
2019-07-12 18:50:04 +03:00
for _ , caFile := range tlsOption . ClientAuth . CAFiles {
2019-03-14 11:30:04 +03:00
data , err := caFile . Read ( )
if err != nil {
return nil , err
}
ok := pool . AppendCertsFromPEM ( data )
if ! ok {
2019-07-12 18:50:04 +03:00
if caFile . IsPath ( ) {
return nil , fmt . Errorf ( "invalid certificate(s) in %s" , caFile )
}
return nil , errors . New ( "invalid certificate(s) content" )
2019-03-14 11:30:04 +03:00
}
}
conf . ClientCAs = pool
2019-07-12 18:50:04 +03:00
conf . ClientAuth = tls . RequireAndVerifyClientCert
}
clientAuthType := tlsOption . ClientAuth . ClientAuthType
if len ( clientAuthType ) > 0 {
if conf . ClientCAs == nil && ( clientAuthType == "VerifyClientCertIfGiven" ||
clientAuthType == "RequireAndVerifyClientCert" ) {
return nil , fmt . Errorf ( "invalid clientAuthType: %s, CAFiles is required" , clientAuthType )
}
switch clientAuthType {
case "NoClientCert" :
conf . ClientAuth = tls . NoClientCert
case "RequestClientCert" :
conf . ClientAuth = tls . RequestClientCert
case "RequireAnyClientCert" :
conf . ClientAuth = tls . RequireAnyClientCert
case "VerifyClientCertIfGiven" :
2019-03-14 11:30:04 +03:00
conf . ClientAuth = tls . VerifyClientCertIfGiven
2019-07-12 18:50:04 +03:00
case "RequireAndVerifyClientCert" :
2019-03-14 11:30:04 +03:00
conf . ClientAuth = tls . RequireAndVerifyClientCert
2019-07-12 18:50:04 +03:00
default :
return nil , fmt . Errorf ( "unknown client auth type %q" , clientAuthType )
2019-03-14 11:30:04 +03:00
}
}
2020-02-12 20:06:04 +03:00
// Set PreferServerCipherSuites.
conf . PreferServerCipherSuites = tlsOption . PreferServerCipherSuites
2019-11-03 17:54:04 +03:00
// Set the minimum TLS version if set in the config
2019-03-14 11:30:04 +03:00
if minConst , exists := MinVersion [ tlsOption . MinVersion ] ; exists {
conf . PreferServerCipherSuites = true
conf . MinVersion = minConst
}
2019-10-29 14:58:05 +03:00
// Set the maximum TLS version if set in the config TOML
if maxConst , exists := MaxVersion [ tlsOption . MaxVersion ] ; exists {
conf . PreferServerCipherSuites = true
conf . MaxVersion = maxConst
}
2019-11-03 17:54:04 +03:00
// Set the list of CipherSuites if set in the config
2019-03-14 11:30:04 +03:00
if tlsOption . CipherSuites != nil {
// if our list of CipherSuites is defined in the entryPoint config, we can re-initialize the suites list as empty
conf . CipherSuites = make ( [ ] uint16 , 0 )
for _ , cipher := range tlsOption . CipherSuites {
if cipherConst , exists := CipherSuites [ cipher ] ; exists {
conf . CipherSuites = append ( conf . CipherSuites , cipherConst )
} else {
// CipherSuite listed in the toml does not exist in our listed
return nil , fmt . Errorf ( "invalid CipherSuite: %s" , cipher )
}
}
}
2019-11-03 17:54:04 +03:00
// Set the list of CurvePreferences/CurveIDs if set in the config
if tlsOption . CurvePreferences != nil {
conf . CurvePreferences = make ( [ ] tls . CurveID , 0 )
// if our list of CurvePreferences/CurveIDs is defined in the config, we can re-initialize the list as empty
for _ , curve := range tlsOption . CurvePreferences {
if curveID , exists := CurveIDs [ curve ] ; exists {
conf . CurvePreferences = append ( conf . CurvePreferences , curveID )
} else {
// CurveID listed in the toml does not exist in our listed
return nil , fmt . Errorf ( "invalid CurveID in curvePreferences: %s" , curve )
}
}
}
2019-03-14 11:30:04 +03:00
return conf , nil
}
func buildDefaultCertificate ( defaultCertificate * Certificate ) ( * tls . Certificate , error ) {
certFile , err := defaultCertificate . CertFile . Read ( )
if err != nil {
2020-05-11 13:06:07 +03:00
return nil , fmt . Errorf ( "failed to get cert file content: %w" , err )
2019-03-14 11:30:04 +03:00
}
keyFile , err := defaultCertificate . KeyFile . Read ( )
if err != nil {
2020-05-11 13:06:07 +03:00
return nil , fmt . Errorf ( "failed to get key file content: %w" , err )
2019-03-14 11:30:04 +03:00
}
cert , err := tls . X509KeyPair ( certFile , keyFile )
if err != nil {
2020-05-11 13:06:07 +03:00
return nil , fmt . Errorf ( "failed to load X509 key pair: %w" , err )
2019-03-14 11:30:04 +03:00
}
return & cert , nil
}
2020-10-08 14:34:04 +03:00
func isACMETLS ( clientHello * tls . ClientHelloInfo ) bool {
for _ , proto := range clientHello . SupportedProtos {
if proto == tlsalpn01 . ACMETLS1Protocol {
return true
}
}
return false
}