I tried using caddy-net by @pieterlouw as TLS proxy for my personal mail server to handle SMTP/IMAP via TLS but couldn’t get it working, so I tried getting a minimal setup working first but even failed there.
I followed the blogpost which is also referenced in caddy-net's README:

```
proxy :2000 127.0.0.1:1338 {
    host host.mydomain.tld
    tls self_signed
}
```
I also started the minimal tcpserver example which works just as expected when "talking" to it locally via `telnet localhost 1338` or using `tls off` and `telnet host.mydomain.tld 2000`.
It seems setting `tls self_signed` or `tls my@mailaddress` has no effect at all, as `openssl s_client -connect localhost:2000` shows that the raw TLS packets are simply passed through to the tcpserver backend which then expectedly gets confused:
Client:

```
$ openssl s_client -connect localhost:2000
CONNECTED(00000003)
140026879686360:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:797:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 308 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1506590473
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
```
Server:

```
$ tcpserver 127.0.0.1 1338 ${PWD}/server.py
Traceback (most recent call last):
  File "/home/elias/tmp/caddy-net/server.py", line 4, in <module>
    user = input("> ")
  File "/usr/lib/python-exec/python3.4/../../../lib64/python3.4/codecs.py", line 319, in decode
    (result, consumed) = self._buffer_decode(data, self.errors, final)
UnicodeDecodeError: 'utf-8' codec can't decode byte 0xe3 in position 11: invalid continuation byte
```
What's weird about Caddy's startup is its claim that there'd already be a certificate loaded, which there definitely isn't:

```
$ CADDYPATH=${PWD} ./caddy -log=stdout -agree=true -root=${PWD} -type=net -conf=Caddyfile
2017/09/28 11:33:48 [NOTICE] There is already a certificate loaded for , so certificate for [ ] will not service that name
2017/09/28 11:33:48 [NOTICE] There is already a certificate loaded for , so certificate for [] will not service that name
2017/09/28 11:33:48 [NOTICE] There is already a certificate loaded for , so certificate for [] will not service that name
Activating privacy features... done.
[INFO] Proxying from :2000 -> 127.0.0.1:1338
```
Could it be that this is caused by the changes introduced in #1821 and how caddy-net handles TLS? Does it need to be adapted to those changes?

Used versions:

- Caddy 0.10.9
- `net` server type plugin 0.1.1
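To diagnose the passthrough described above without the backend crashing on `input()`, here is an added example (not the original server.py, not part of caddy-net) of a tcpserver-style backend that reads the first bytes raw and reports whether they look like an unterminated TLS ClientHello. The sample byte strings are constructed, and reading from file descriptor 0 assumes tcpserver's convention of attaching the client socket to stdin/stdout.

```python
import os
import sys

# TLS record header: content type (1 byte), version (2 bytes), length (2 bytes),
# followed by the handshake message type for handshake records.
TLS_CONTENT_TYPES = (0x14, 0x15, 0x16, 0x17)  # ccs, alert, handshake, app data
TLS_HANDSHAKE = 0x16
TLS_CLIENT_HELLO = 0x01

# Constructed samples: the first 11 bytes of a TLS 1.0-framed ClientHello, and plain text.
SAMPLE_CLIENT_HELLO = b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"
SAMPLE_TEXT = b"hello\n"


def classify_first_bytes(data: bytes) -> str:
    """Classify the first bytes a backend receives on a new connection.

    'tls-client-hello' means the proxy in front of us did not terminate TLS
    and is forwarding the handshake untouched; 'tls-record' is another TLS
    record type; 'text' decodes as UTF-8; anything else is 'binary'.
    """
    if len(data) >= 6 and data[1] == 0x03 and data[2] <= 0x04:
        if data[0] == TLS_HANDSHAKE and data[5] == TLS_CLIENT_HELLO:
            return "tls-client-hello"
        if data[0] in TLS_CONTENT_TYPES:
            return "tls-record"
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return "binary"
    return "text"


def main() -> None:
    # Under tcpserver the client socket is fd 0/1; read raw bytes instead of
    # using input(), which is what raised UnicodeDecodeError in the report.
    first = os.read(0, 4096)
    kind = classify_first_bytes(first)
    sys.stderr.write("first %d bytes: %s (hex %s)\n" % (len(first), kind, first[:8].hex()))
    if kind == "text":
        os.write(1, b"> got: " + first)
    else:
        # Close without answering: a TLS client expects a ServerHello, not text.
        os.write(1, b"")


if __name__ == "__main__":
    main()
```

Run it as `tcpserver 127.0.0.1 1338 ./diag.py` behind the proxy; a `tls-client-hello` line on stderr confirms TLS is being passed through rather than terminated.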