Pull request 2393: 7773-fix-unencrypted_doh

Updates #7773. Squashed commit of the following: commit d9ca09c1d9b251998107fc87bd6daeb5999ea803 Merge: b67a71a7a a8fdf1c55 Author: Stanislav Chzhen <s.chzhen@adguard.com> Date: Mon Apr 21 15:56:57 2025 +0300 Merge branch 'master' into 7773-fix-unencrypted_doh commit b67a71a7a9686d36cbf64a3f7561886bff7d9c5c Author: Stanislav Chzhen <s.chzhen@adguard.com> Date: Fri Apr 18 16:01:49 2025 +0300 home: imp docs commit dab9b0582ff1ebc4637d5ec1ea3bc81190ed4066 Author: Stanislav Chzhen <s.chzhen@adguard.com> Date: Fri Apr 18 15:09:36 2025 +0300 home: fix unencrypted doh
2025-04-21 16:05:16 +03:00
parent a8fdf1c553
commit 003e7ce0d5
1 changed files with 22 additions and 6 deletions
--- a/internal/home/dns.go
+++ b/internal/home/dns.go
@@ -317,13 +317,7 @@ func newDNSTLSConfig(
 		return &dnsforward.TLSConfig{}, nil
 	}

-	cert, err := tls.X509KeyPair(conf.CertificateChainData, conf.PrivateKeyData)
-	if err != nil {
-		return nil, fmt.Errorf("parsing tls key pair: %w", err)
-	}
-
 	dnsConf = &dnsforward.TLSConfig{
-		Cert:           &cert,
 		ServerName:     conf.ServerName,
 		StrictSNICheck: conf.StrictSNICheck,
 	}
@@ -340,6 +334,28 @@ func newDNSTLSConfig(
 		dnsConf.QUICListenAddrs = ipsToUDPAddrs(addrs, conf.PortDNSOverQUIC)
 	}

+	cert, err := tls.X509KeyPair(conf.CertificateChainData, conf.PrivateKeyData)
+	if err != nil {
+		const format = "parsing tls key pair: %w"
+		if conf.AllowUnencryptedDoH {
+			// TODO(s.chzhen):  Use [slog.Logger].
+			log.Info("warning: %s: %s", format, err)
+
+			return dnsConf, nil
+		}
+
+		return nil, fmt.Errorf(format, err)
+	}
+
+	// Unencrypted DoH is managed by AdGuard Home itself, not by dnsproxy.
+	// Therefore, avoid setting the certificate property to prevent dnsproxy
+	// from starting encrypted listeners.  See [dnsforward.Server.prepareTLS].
+	if conf.AllowUnencryptedDoH {
+		return dnsConf, nil
+	}
+
+	dnsConf.Cert = &cert
+
 	return dnsConf, nil
 }