caddytls: ECH key rotation

This commit is contained in:
Matthew Holt 2025-11-19 20:49:13 -07:00
parent 4bfc3b95b5
commit 57d6671ac6
No known key found for this signature in database
GPG key ID: 2A349DD577D586A5
3 changed files with 219 additions and 69 deletions


@ -335,7 +335,6 @@ func (t *TLS) Provision(ctx caddy.Context) error {
// ECH (Encrypted ClientHello) initialization
if t.EncryptedClientHello != nil {
t.EncryptedClientHello.configs = make(map[string][]echConfig)
outerNames, err := t.EncryptedClientHello.Provision(ctx)
if err != nil {
return fmt.Errorf("provisioning Encrypted ClientHello components: %v", err)
@ -411,12 +410,27 @@ func (t *TLS) Start() error {
return fmt.Errorf("automate: managing %v: %v", t.automateNames, err)
}
// publish ECH configs in the background; does not need to block
// server startup, as it could take a while
if t.EncryptedClientHello != nil {
echLogger := t.logger.Named("ech")
// publish ECH configs in the background; does not need to block
// server startup, as it could take a while
go func() {
if err := t.publishECHConfigs(); err != nil {
t.logger.Named("ech").Error("publication(s) failed", zap.Error(err))
echLogger.Error("publication(s) failed", zap.Error(err))
}
}()
// keep ECH keys rotated
go func() {
for range time.Tick(1 * time.Hour) {
// ensure old keys are rotated out
t.EncryptedClientHello.configsMu.Lock()
err = t.EncryptedClientHello.rotateECHKeys(t.ctx, echLogger, false)
t.EncryptedClientHello.configsMu.Unlock()
if err != nil {
echLogger.Error("rotating ECH configs failed", zap.Error(err))
}
}
}()
}
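Review bot: The rotation goroutine started at `for range time.Tick(1 * time.Hour)` has no exit path, so each config reload leaves the previous TLS instance's goroutine ticking forever, still taking that instance's `configsMu` and calling `rotateECHKeys` with a stale `t.ctx` (presumably a cancelled caddy.Context, since it is already passed into `rotateECHKeys`); `time.Tick` also cannot be stopped, so the ticker leaks with it. Select on `t.ctx.Done()` with a `time.NewTicker` that is stopped on return, so the loop ends when the app is unloaded. The `err = t.EncryptedClientHello.rotateECHKeys(...)` assignment also writes Start's outer `err` from another goroutine instead of a closure-local variable as the publish goroutine does; use `err :=` there. Start's body continues past the end of this hunk, so I cannot see whether `t.ctx` is set before this goroutine starts.
```go
		// keep ECH keys rotated until this app instance is stopped
		go func() {
			ticker := time.NewTicker(1 * time.Hour)
			defer ticker.Stop()
			for {
				select {
				case <-t.ctx.Done():
					return
				case <-ticker.C:
				}
				// ensure old keys are rotated out
				t.EncryptedClientHello.configsMu.Lock()
				err := t.EncryptedClientHello.rotateECHKeys(t.ctx, echLogger, false)
				t.EncryptedClientHello.configsMu.Unlock()
				if err != nil {
					echLogger.Error("rotating ECH configs failed", zap.Error(err))
				}
			}
		}()
```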