Oops, good point. The new ciphers were originally omitted from the map intentionally because they can't be configured.

Would totally accept a pull request that adds those to the map, if it has a test that shows that setting up the TLS directive doesn't break if those ciphers are specified.

Similar to #2485

Commit golang/go@0ee22d9 should be included in the upcoming Go 1.14 release. Can that replace some of Caddy's existing code? Would Caddy's API need to change for v2.0 to prepare for these pending changes in Go 1.14? If so, is it too late for that?

@moorereason It's not too late; if Go 1.14 is released on time, it should be before our release candidates. We should try to get this into v2.

I'd like to work on this if help is still needed.

@ali-alsabbah That would be greatly appreciated!

@mholt just curious, do I just need to add the ciphers mentioned by @vcsjones to the map SupportedCiphersMap?

(apologies in advance, I'm fairly new to Go and this project)

@ali-alsabbah further up in this issue's history, you should see a closed pull request where I attempted to fix it.

There is a little more to it than adding it to the map - last I looked, Caddy used the same map to parse caddy's config - and TLS 1.3 suites are not configurable in Go. The linked pull request noted that. I think the pull request was fairly close - I just struggled to find the time to finish it out.

If you want to take what I did in the pull request, please do.

Also, I should mention that this should be branched from the v2 branch, see here (and see the highlighted comment):

Note that there are some divergences in the naming... would need to see if it is still worth using.

@mholt,
I was going to add this to v2 a few days ago, but I've been unable to replicate the original issue in v2 since the log format doesn't seem to be customizable from the config. Additionally, the tls_* fields don't appear to be in the caddyhttp replacer.

This is the first time I've looked at v2, so maybe I'm missing something. Any pointers?

@moorereason Good point, I haven't yet exposed TLS-related placeholders in v2. In v2, we use structured logging, so the only customization would be filtering/removal of fields, rather than crafting a template.

Alright, I’ll work on this over the next couple of weeks.

@mholt said:

In v2, we use structured logging, so the only customization would be filtering/removal of fields,

How does this work? I have http.log.access log working (using this), but I'm not sure how to customize the structured access logging.

@ali-alsabbah,
I've submitted #2982 that should (eventually) fix this issue.

@moorereason Great question. What happens is that log entries are emitted with structure, i.e. a mapping of field to value. What fields any particular log emits is arbitrary depending on what the developer writes.

The encoder is what determines how to write the output (i.e. JSON, console, etc.). We have a special encoder called a filter encoder which has access to the individual fields, so it can change or remove them before passing them to a wrapped/underlying encoder that does the actual encoding work.

To add TLS data to log emissions, it should be as simple as just adding the relevant fields to a log like this one:

@mholt,
Thanks for the explanation. I understand the structured logging aspect, but how does a Caddy2 user (as opposed to a developer) customize the the access logs from the config, similar to how Caddy1 allows you to customize the format with log path file [format]?

@moorereason does this mean no work is needed from me here?

@mholt if that’s the case, do you have any other issues you need help with that are good for newcomers to Caddy?

@ali-alsabbah: Correct.