Pull request 2393: 7773-fix-unencrypted_doh

Updates #7773. Squashed commit of the following: commit d9ca09c1d9b251998107fc87bd6daeb5999ea803 Merge: b67a71a7a a8fdf1c55 Author: Stanislav Chzhen <s.chzhen@adguard.com> Date: Mon Apr 21 15:56:57 2025 +0300 Merge branch 'master' into 7773-fix-unencrypted_doh commit b67a71a7a9686d36cbf64a3f7561886bff7d9c5c Author: Stanislav Chzhen <s.chzhen@adguard.com> Date: Fri Apr 18 16:01:49 2025 +0300 home: imp docs commit dab9b0582ff1ebc4637d5ec1ea3bc81190ed4066 Author: Stanislav Chzhen <s.chzhen@adguard.com> Date: Fri Apr 18 15:09:36 2025 +0300 home: fix unencrypted doh
2025-04-21 16:05:16 +03:00
parent a8fdf1c553
commit 003e7ce0d5
1 changed files with 22 additions and 6 deletions
--- a/internal/home/dns.go
+++ b/internal/home/dns.go
@@ -317,13 +317,7 @@ func newDNSTLSConfig(
 		return &dnsforward.TLSConfig{}, nil
 	}
 	cert, err := tls.X509KeyPair(conf.CertificateChainData, conf.PrivateKeyData)
 	if err != nil {
 		return nil, fmt.Errorf("parsing tls key pair: %w", err)
 	}
 	dnsConf = &dnsforward.TLSConfig{
 		Cert:           &cert,
 		ServerName:     conf.ServerName,
 		StrictSNICheck: conf.StrictSNICheck,
 	}
@@ -340,6 +334,28 @@ func newDNSTLSConfig(
 		dnsConf.QUICListenAddrs = ipsToUDPAddrs(addrs, conf.PortDNSOverQUIC)
 	}
 	cert, err := tls.X509KeyPair(conf.CertificateChainData, conf.PrivateKeyData)
 	if err != nil {
 		const format = "parsing tls key pair: %w"
 		if conf.AllowUnencryptedDoH {
 			// TODO(s.chzhen):  Use [slog.Logger].
 			log.Info("warning: %s: %s", format, err)
 			return dnsConf, nil
 		}
 		return nil, fmt.Errorf(format, err)
 	}
 	// Unencrypted DoH is managed by AdGuard Home itself, not by dnsproxy.
 	// Therefore, avoid setting the certificate property to prevent dnsproxy
 	// from starting encrypted listeners.  See [dnsforward.Server.prepareTLS].
 	if conf.AllowUnencryptedDoH {
 		return dnsConf, nil
 	}
 	dnsConf.Cert = &cert
 	return dnsConf, nil
 }