From db6a5762cf023022f71e20e46229ea5de7304013 Mon Sep 17 00:00:00 2001
From: Matthew Holt
Date: Mon, 13 Nov 2023 22:25:23 -0700
Subject: [PATCH] Add decoded ClientHello to DecisionFunc context

---
 handshake.go | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/handshake.go b/handshake.go
index d430426f..1a52befd 100644
--- a/handshake.go
+++ b/handshake.go
@@ -58,6 +58,8 @@ func (cfg *Config) GetCertificateWithContext(ctx context.Context, clientHello *t
 return nil, fmt.Errorf("handshake aborted by event handler: %w", err)
 }
+ ctx = context.WithValue(ctx, ClientHelloInfoCtxKey, clientHello)
+
 // special case: serve up the certificate for a TLS-ALPN ACME challenge
 // (https://tools.ietf.org/html/draft-ietf-acme-tls-alpn-05)
 for _, proto := range clientHello.SupportedProtos {
@@ -875,3 +877,13 @@ var (
 certLoadWaitChans = make(map[string]chan struct{})
 certLoadWaitChansMu sync.Mutex
 )
+
+type helloInfoCtxKey string
+
+// ClientHelloInfoCtxKey is the key by which the ClientHelloInfo can be extracted from
+// a context.Context within a DecisionFunc. However, be advised that it is best practice
+// that the decision whether to obtain a certificate is be based solely on the name,
+// not other properties of the specific connection/client requesting the connection.
+// Fpr example, it is not adviseable to use a client's IP address to decide whether to
+// allow a certificate. Instead, the ClientHello can be useful for logging, etc.
+const ClientHelloInfoCtxKey helloInfoCtxKey = "certmagic:ClientHelloInfo"
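Review bot: The doc comment on ClientHelloInfoCtxKey in the second hunk never states the concrete type stored under the key, which a DecisionFunc must know in order to type-assert the result of `ctx.Value(ClientHelloInfoCtxKey)`, nor that the value can be absent when the DecisionFunc is reached by a path other than the `context.WithValue` call added in the first hunk (GetCertificateWithContext continues outside that hunk, so I cannot confirm this is the only entry point). I would add `// The value is a *tls.ClientHelloInfo; callers must check for a nil result, since the key is only populated on the GetCertificateWithContext path.` The same comment has three wording defects worth fixing before merge: `is be based` → `be based`, `Fpr example` → `For example`, `adviseable` → `advisable`. Because tls.ClientHelloInfo carries the connection's net.Conn, a context value that outlives the decision call retains the live connection; a sentence advising that the value is for inspection during the call and should not be stored would make the intended lifetime explicit.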