fix: trusted_leaf_cert_file now works correctly #7601

Open
xingzihai wants to merge 1 commit into caddyserver:master from xingzihai:fix/issue-4518-trusted-leaf-cert-verification

Conversation

@xingzihai

Summary

Fixes #4518: trusted_leaf_cert_file now works correctly as documented.

Root Cause

The issue had two root causes:

  1. In verifyConnection(), verifiers were called with nil as rawCerts instead of the actual peer certificates. This caused LeafCertClientAuth.VerifyClientCertificate to fail immediately with "no client certificate provided".

  2. When only TrustedLeafCerts were specified (no CA certs), the default mode was set to RequireAndVerifyClientCert, which requires CA verification. Since no CA certs were provided, CA verification would fail before VerifyConnection was called.

Changes

  • Pass cs.PeerCertificatesRaw to verifiers in verifyConnection()
  • Only default to RequireAndVerifyClientCert when CA certs are actually provided, not when only TrustedLeafCerts are specified

Files Changed

  • modules/caddytls/connpolicy.go: Fixed the two issues above

Closes #4518

Issue caddyserver#4518 reported that trusted_leaf_cert_file does not behave as
documented. The root cause was twofold:

1. In verifyConnection(), verifiers were called with nil as rawCerts
   instead of the actual peer certificates. This caused
   LeafCertClientAuth.VerifyClientCertificate to fail immediately
   with "no client certificate provided" because rawCerts was nil.

2. When only TrustedLeafCerts were specified (no CA certs), the
   default mode was set to RequireAndVerifyClientCert, which
   requires CA verification. Since no CA certs were provided,
   CA verification would fail and the handshake would abort
   before VerifyConnection (which does leaf verification) was
   ever called.

Fixes:
- Pass cs.PeerCertificatesRaw to verifiers in verifyConnection()
- Only default to RequireAndVerifyClientCert when CA certs are
  actually provided, not when only TrustedLeafCerts are specified

Fixes caddyserver#4518
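The two root causes described above can be reproduced against Go's crypto/tls directly, without Caddy. What follows is an added worked example, not Caddy's code and not part of this PR: `leafVerifier` is a hypothetical stand-in for a `VerifyClientCertificate`-style leaf pin, the certificates are generated in-process as constructed fixtures (self-signed, no CA), "no CA certs" is modelled as an empty `x509.NewCertPool()`, and each handshake runs over loopback TCP. Note that the standard library's `tls.ConnectionState` exposes the peer chain as `PeerCertificates` (`[]*x509.Certificate`), so the example builds the `rawCerts` slice a verifier expects from each certificate's `Raw` field. It runs four handshakes: bug 2 (`RequireAndVerifyClientCert` with no CA certs: x509 path validation fails and `VerifyConnection` is never reached), bug 1 (the verifier is handed `nil` and rejects even the trusted leaf with "no client certificate provided"), and the fixed combination (`RequireAnyClientCert` plus the leaf pin) once with the trusted leaf and once with an unknown one.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// mustSelfSigned makes a throwaway self-signed fixture certificate; no CA exists on purpose.
func mustSelfSigned(cn string) tls.Certificate {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}
}

// leafVerifier is a hypothetical VerifyClientCertificate-style leaf pin: rawCerts[0] must match a trusted DER blob.
func leafVerifier(trusted [][]byte) func(rawCerts [][]byte) error {
	return func(rawCerts [][]byte) error {
		if len(rawCerts) == 0 { // a nil rawCerts from the caller fails here, as in bug 1
			return errors.New("no client certificate provided")
		}
		for _, t := range trusted {
			if string(t) == string(rawCerts[0]) {
				return nil
			}
		}
		return errors.New("client leaf certificate is not trusted")
	}
}

// serve runs one loopback handshake against a server in client-auth mode `mode` with an
// empty CA pool ("no CA certs"), whose VerifyConnection hands verify either the peer chain
// (cs.PeerCertificates as DER) or nil. It reports the server's error and whether VerifyConnection ran.
func serve(server, client tls.Certificate, mode tls.ClientAuthType, passRawCerts bool, verify func([][]byte) error) (err error, called bool) {
	cfg := &tls.Config{
		Certificates: []tls.Certificate{server},
		ClientAuth:   mode,
		ClientCAs:    x509.NewCertPool(),
		VerifyConnection: func(cs tls.ConnectionState) error {
			called = true
			var raw [][]byte // stays nil when passRawCerts is false: that is bug 1
			if passRawCerts {
				for _, c := range cs.PeerCertificates {
					raw = append(raw, c.Raw)
				}
			}
			return verify(raw)
		},
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err, false
	}
	done := make(chan error, 1)
	go func() {
		conn, err := ln.Accept()
		if err == nil {
			err = tls.Server(conn, cfg).Handshake()
			conn.Close()
		}
		done <- err
	}()
	cli, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		Certificates: []tls.Certificate{client}, InsecureSkipVerify: true})
	ln.Close() // stop listening; this also unblocks Accept if the connect itself failed
	if err == nil {
		cli.Close()
	}
	err = <-done
	return err, called
}

func main() {
	server, trusted, stranger := mustSelfSigned("server"), mustSelfSigned("trusted-client"), mustSelfSigned("stranger")
	verify := leafVerifier([][]byte{trusted.Certificate[0]})
	err, called := serve(server, trusted, tls.RequireAndVerifyClientCert, true, verify)
	fmt.Println("bug 2, CA mode with no CA certs: called =", called, "err =", err)
	err, called = serve(server, trusted, tls.RequireAnyClientCert, false, verify)
	fmt.Println("bug 1, verifier handed nil rawCerts: called =", called, "err =", err)
	err, called = serve(server, trusted, tls.RequireAnyClientCert, true, verify)
	fmt.Println("fixed, trusted leaf: called =", called, "err =", err)
	err, called = serve(server, stranger, tls.RequireAnyClientCert, true, verify)
	fmt.Println("fixed, unknown leaf: called =", called, "err =", err)
}
```

`go run` prints one line per scenario. The point worth keeping in mind when applying the fix is that `RequireAnyClientCert` makes crypto/tls accept any certificate the client offers, so all trust now rests on the verifier: it must compare the presented leaf byte for byte (or by SPKI digest) against the configured set and reject an empty chain, which is exactly the input the pre-fix call path produced.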
@CLAassistant

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

@francislavoie
Member

Missing the AI disclosure section (part of the PR template), and CLA needs to be signed.

Development

Successfully merging this pull request may close these issues.

trusted_leaf_cert_file does not work as documented