diff options
| author | Wim <wim@42.be> | 2019-06-16 23:33:25 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2019-06-16 23:33:25 +0200 |
| commit | cb712ff37d3c20a21695e00c52fff213a6fd40b4 (patch) | |
| tree | 0ba0ee4f55bf6ace2656562465cc82d807e741b9 /vendor/golang.org/x/crypto/acme | |
| parent | f4ae61044888f591830e6c1be9a2bdb14f88943e (diff) | |
| download | matterbridge-msglm-cb712ff37d3c20a21695e00c52fff213a6fd40b4.tar.gz matterbridge-msglm-cb712ff37d3c20a21695e00c52fff213a6fd40b4.tar.bz2 matterbridge-msglm-cb712ff37d3c20a21695e00c52fff213a6fd40b4.zip | |
Update vendor (#852)
Diffstat (limited to 'vendor/golang.org/x/crypto/acme')
| -rw-r--r-- | vendor/golang.org/x/crypto/acme/autocert/autocert.go | 21 |
1 files changed, 19 insertions, 2 deletions
diff --git a/vendor/golang.org/x/crypto/acme/autocert/autocert.go b/vendor/golang.org/x/crypto/acme/autocert/autocert.go index a50d9bfc..e562609c 100644 --- a/vendor/golang.org/x/crypto/acme/autocert/autocert.go +++ b/vendor/golang.org/x/crypto/acme/autocert/autocert.go @@ -32,6 +32,7 @@ import ( "time" "golang.org/x/crypto/acme" + "golang.org/x/net/idna" ) // createCertRetryAfter is how much time to wait before removing a failed state @@ -62,10 +63,16 @@ type HostPolicy func(ctx context.Context, host string) error // HostWhitelist returns a policy where only the specified host names are allowed. // Only exact matches are currently supported. Subdomains, regexp or wildcard // will not match. +// +// Note that all hosts will be converted to Punycode via idna.Lookup.ToASCII so that +// Manager.GetCertificate can handle the Unicode IDN and mixedcase hosts correctly. +// Invalid hosts will be silently ignored. func HostWhitelist(hosts ...string) HostPolicy { whitelist := make(map[string]bool, len(hosts)) for _, h := range hosts { - whitelist[h] = true + if h, err := idna.Lookup.ToASCII(h); err == nil { + whitelist[h] = true + } } return func(_ context.Context, host string) error { if !whitelist[host] { @@ -243,7 +250,17 @@ func (m *Manager) GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, if !strings.Contains(strings.Trim(name, "."), ".") { return nil, errors.New("acme/autocert: server name component count invalid") } - if strings.ContainsAny(name, `+/\`) { + + // Note that this conversion is necessary because some server names in the handshakes + // started by some clients (such as cURL) are not converted to Punycode, which will + // prevent us from obtaining certificates for them. In addition, we should also treat + // example.com and EXAMPLE.COM as equivalent and return the same certificate for them. + // Fortunately, this conversion also helped us deal with this kind of mixedcase problems. + // + // Due to the "σςΣ" problem (see https://unicode.org/faq/idn.html#22), we can't use + // idna.Punycode.ToASCII (or just idna.ToASCII) here. + name, err := idna.Lookup.ToASCII(name) + if err != nil { return nil, errors.New("acme/autocert: server name contains invalid character") } |