From 003e7ce0d5d20dfb1b218b1f928f7767947aa3fa Mon Sep 17 00:00:00 2001 From: Stanislav Chzhen Date: Mon, 21 Apr 2025 16:05:16 +0300 Subject: [PATCH] Pull request 2393: 7773-fix-unencrypted_doh Updates #7773. Squashed commit of the following: commit d9ca09c1d9b251998107fc87bd6daeb5999ea803 Merge: b67a71a7a a8fdf1c55 Author: Stanislav Chzhen Date: Mon Apr 21 15:56:57 2025 +0300 Merge branch 'master' into 7773-fix-unencrypted_doh commit b67a71a7a9686d36cbf64a3f7561886bff7d9c5c Author: Stanislav Chzhen Date: Fri Apr 18 16:01:49 2025 +0300 home: imp docs commit dab9b0582ff1ebc4637d5ec1ea3bc81190ed4066 Author: Stanislav Chzhen Date: Fri Apr 18 15:09:36 2025 +0300 home: fix unencrypted doh --- internal/home/dns.go | 28 ++++++++++++++++++++++------ 1 file changed, 22 insertions(+), 6 deletions(-) diff --git a/internal/home/dns.go b/internal/home/dns.go index cfcd74a4..579efb47 100644 --- a/internal/home/dns.go +++ b/internal/home/dns.go @@ -317,13 +317,7 @@ func newDNSTLSConfig( return &dnsforward.TLSConfig{}, nil } - cert, err := tls.X509KeyPair(conf.CertificateChainData, conf.PrivateKeyData) - if err != nil { - return nil, fmt.Errorf("parsing tls key pair: %w", err) - } - dnsConf = &dnsforward.TLSConfig{ - Cert: &cert, ServerName: conf.ServerName, StrictSNICheck: conf.StrictSNICheck, } 
@@ -340,6 +334,28 @@ func newDNSTLSConfig( dnsConf.QUICListenAddrs = ipsToUDPAddrs(addrs, conf.PortDNSOverQUIC) } + cert, err := tls.X509KeyPair(conf.CertificateChainData, conf.PrivateKeyData) + if err != nil { + const format = "parsing tls key pair: %w" + if conf.AllowUnencryptedDoH { + // TODO(s.chzhen): Use [slog.Logger]. + log.Info("warning: %s: %s", format, err) + + return dnsConf, nil + } + + return nil, fmt.Errorf(format, err) + } + + // Unencrypted DoH is managed by AdGuard Home itself, not by dnsproxy. + // Therefore, avoid setting the certificate property to prevent dnsproxy + // from starting encrypted listeners. See [dnsforward.Server.prepareTLS]. + if conf.AllowUnencryptedDoH { + return dnsConf, nil + } + + dnsConf.Cert = &cert + return dnsConf, nil }
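Review bot: The warning emitted in the new `if conf.AllowUnencryptedDoH` branch is malformed: `format` is itself the literal `"parsing tls key pair: %w"`, so `log.Info("warning: %s: %s", format, err)` prints the `%w` verb verbatim instead of the wrapped error text. Either format the error first, `log.Info("warning: %s", fmt.Errorf(format, err))`, or drop the shared constant and write `log.Info("warning: parsing tls key pair: %s", err)`. Note also that this branch now downgrades an unparsable key pair to an Info-level message and returns a config without `Cert` while the QUIC (and, presumably, TLS) listen addresses populated above it are left in place, so DoT/DoQ configured alongside unencrypted DoH will not start without any error surfacing; that appears to be intended per the comment that follows, but logging it with `log.Error` and documenting the consequence on the `AllowUnencryptedDoH` field would make the degradation visible to operators. newDNSTLSConfig begins outside this hunk.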