From d2435cf43b74dd99f2a980114dd58fc73ff19f0d Mon Sep 17 00:00:00 2001
From: Ludovic Fernandez
Date: Thu, 8 Oct 2020 13:34:04 +0200
Subject: [PATCH] fix: restrict protocol for TLS Challenge.

---
 pkg/tls/tlsmanager.go | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/pkg/tls/tlsmanager.go b/pkg/tls/tlsmanager.go
index b1fb572f1..0eb09a113 100644
--- a/pkg/tls/tlsmanager.go
+++ b/pkg/tls/tlsmanager.go
@@ -106,7 +106,7 @@ func (m *Manager) Get(storeName, configName string) (*tls.Config, error) {
 tlsConfig.GetCertificate = func(clientHello *tls.ClientHelloInfo) (*tls.Certificate, error) {
 domainToCheck := types.CanonicalDomain(clientHello.ServerName)
 
- if m.TLSAlpnGetter != nil {
+ if m.TLSAlpnGetter != nil && isACMETLS(clientHello) {
 cert, err := m.TLSAlpnGetter(domainToCheck)
 if err != nil {
 return nil, err
@@ -282,3 +282,13 @@ func buildDefaultCertificate(defaultCertificate *Certificate) (*tls.Certificate,
 }
 return &cert, nil
 }
+
+func isACMETLS(clientHello *tls.ClientHelloInfo) bool {
+ for _, proto := range clientHello.SupportedProtos {
+ if proto == tlsalpn01.ACMETLS1Protocol {
+ return true
+ }
+ }
+
+ return false
+}
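Review bot: The new guard on the `if m.TLSAlpnGetter != nil && isACMETLS(clientHello)` line carries no explanation of why the challenge-certificate path is now gated, and this is the security-relevant line of the patch: it stops ordinary TLS clients that happen to name a domain with a pending challenge from being answered with the challenge certificate. A one-line why-comment would keep the next maintainer from "simplifying" it away, e.g. `// Only serve TLS-ALPN-01 challenge certificates to ClientHellos that offer acme-tls/1 (RFC 8737); ordinary clients must never see them.` Note that the check is on what the client advertised, since no ALPN protocol has been negotiated yet when GetCertificate runs. What happens when the check passes but the getter yields no certificate is decided by code below this hunk; the enclosing GetCertificate closure and Get both continue outside it.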
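Review bot: `isACMETLS` is added without a doc comment, and its semantics are easy to misread as "the connection negotiated acme-tls/1" when it only reports that the protocol appears among the client's offered ALPN list. Suggested comment above the function: `// isACMETLS reports whether the ClientHello advertises the ACME TLS-ALPN-01 protocol (acme-tls/1) in its ALPN list; it inspects the offered protocols only, not a negotiated one.` The function is otherwise a plain membership scan over `clientHello.SupportedProtos` and needs no code change.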