- (dnsforward): fixed running only quic, added a test
QUIC was not initialized if DOT port is not set. Also, there were no tests on DoQ functionality.
This commit is contained in:
Andrey Meshkov
@@ -154,10 +154,6 @@ func (s *Server) createProxyConfig() (proxy.Config, error) {
|
||||
MaxGoroutines: int(s.conf.MaxGoroutines),
|
||||
}
|
||||
|
||||
if s.conf.QUICListenAddr != nil {
|
||||
proxyConfig.QUICListenAddr = []*net.UDPAddr{s.conf.QUICListenAddr}
|
||||
}
|
||||
|
||||
if s.conf.CacheSize != 0 {
|
||||
proxyConfig.CacheEnabled = true
|
||||
proxyConfig.CacheSizeBytes = int(s.conf.CacheSize)
|
||||
@@ -240,34 +236,49 @@ func (s *Server) prepareIntlProxy() {
|
||||
|
||||
// prepareTLS - prepares TLS configuration for the DNS proxy
|
||||
func (s *Server) prepareTLS(proxyConfig *proxy.Config) error {
|
||||
if s.conf.TLSListenAddr != nil && len(s.conf.CertificateChainData) != 0 && len(s.conf.PrivateKeyData) != 0 {
|
||||
if len(s.conf.CertificateChainData) == 0 || len(s.conf.PrivateKeyData) == 0 {
|
||||
return nil
|
||||
}
|
||||
|
||||
if s.conf.TLSListenAddr == nil &&
|
||||
s.conf.QUICListenAddr == nil {
|
||||
return nil
|
||||
}
|
||||
|
||||
if s.conf.TLSListenAddr != nil {
|
||||
proxyConfig.TLSListenAddr = []*net.TCPAddr{s.conf.TLSListenAddr}
|
||||
var err error
|
||||
s.conf.cert, err = tls.X509KeyPair(s.conf.CertificateChainData, s.conf.PrivateKeyData)
|
||||
}
|
||||
|
||||
if s.conf.QUICListenAddr != nil {
|
||||
proxyConfig.QUICListenAddr = []*net.UDPAddr{s.conf.QUICListenAddr}
|
||||
}
|
||||
|
||||
var err error
|
||||
s.conf.cert, err = tls.X509KeyPair(s.conf.CertificateChainData, s.conf.PrivateKeyData)
|
||||
if err != nil {
|
||||
return errorx.Decorate(err, "Failed to parse TLS keypair")
|
||||
}
|
||||
|
||||
if s.conf.StrictSNICheck {
|
||||
x, err := x509.ParseCertificate(s.conf.cert.Certificate[0])
|
||||
if err != nil {
|
||||
return errorx.Decorate(err, "Failed to parse TLS keypair")
|
||||
return errorx.Decorate(err, "x509.ParseCertificate(): %s", err)
|
||||
}
|
||||
|
||||
if s.conf.StrictSNICheck {
|
||||
x, err := x509.ParseCertificate(s.conf.cert.Certificate[0])
|
||||
if err != nil {
|
||||
return errorx.Decorate(err, "x509.ParseCertificate(): %s", err)
|
||||
}
|
||||
if len(x.DNSNames) != 0 {
|
||||
s.conf.dnsNames = x.DNSNames
|
||||
log.Debug("DNS: using DNS names from certificate's SAN: %v", x.DNSNames)
|
||||
sort.Strings(s.conf.dnsNames)
|
||||
} else {
|
||||
s.conf.dnsNames = append(s.conf.dnsNames, x.Subject.CommonName)
|
||||
log.Debug("DNS: using DNS name from certificate's CN: %s", x.Subject.CommonName)
|
||||
}
|
||||
}
|
||||
|
||||
proxyConfig.TLSConfig = &tls.Config{
|
||||
GetCertificate: s.onGetCertificate,
|
||||
MinVersion: tls.VersionTLS12,
|
||||
if len(x.DNSNames) != 0 {
|
||||
s.conf.dnsNames = x.DNSNames
|
||||
log.Debug("DNS: using DNS names from certificate's SAN: %v", x.DNSNames)
|
||||
sort.Strings(s.conf.dnsNames)
|
||||
} else {
|
||||
s.conf.dnsNames = append(s.conf.dnsNames, x.Subject.CommonName)
|
||||
log.Debug("DNS: using DNS name from certificate's CN: %s", x.Subject.CommonName)
|
||||
}
|
||||
}
|
||||
|
||||
proxyConfig.TLSConfig = &tls.Config{
|
||||
GetCertificate: s.onGetCertificate,
|
||||
MinVersion: tls.VersionTLS12,
|
||||
}
|
||||
|
||||
upstream.RootCAs = s.conf.TLSv12Roots
|
||||
upstream.CipherSuites = s.conf.TLSCiphers
|
||||
return nil
|
||||
|
||||
@@ -8,6 +8,7 @@ import (
|
||||
"crypto/x509"
|
||||
"crypto/x509/pkix"
|
||||
"encoding/pem"
|
||||
"fmt"
|
||||
"math/big"
|
||||
"net"
|
||||
"sort"
|
||||
@@ -128,6 +129,41 @@ func TestDotServer(t *testing.T) {
|
||||
}
|
||||
}
|
||||
|
||||
func TestDoqServer(t *testing.T) {
|
||||
// Prepare the proxy server
|
||||
_, certPem, keyPem := createServerTLSConfig(t)
|
||||
s := createTestServer(t)
|
||||
|
||||
s.conf.TLSConfig = TLSConfig{
|
||||
QUICListenAddr: &net.UDPAddr{Port: 0},
|
||||
CertificateChainData: certPem,
|
||||
PrivateKeyData: keyPem,
|
||||
}
|
||||
|
||||
_ = s.Prepare(nil)
|
||||
// Starting the server
|
||||
err := s.Start()
|
||||
assert.Nil(t, err)
|
||||
|
||||
// Create a DNS-over-QUIC upstream
|
||||
addr := s.dnsProxy.Addr(proxy.ProtoQUIC)
|
||||
opts := upstream.Options{InsecureSkipVerify: true}
|
||||
u, err := upstream.AddressToUpstream(fmt.Sprintf("quic://%s", addr), opts)
|
||||
assert.Nil(t, err)
|
||||
|
||||
// Send the test message
|
||||
req := createGoogleATestMessage()
|
||||
res, err := u.Exchange(req)
|
||||
assert.Nil(t, err)
|
||||
assertGoogleAResponse(t, res)
|
||||
|
||||
// Stop the proxy
|
||||
err = s.Stop()
|
||||
if err != nil {
|
||||
t.Fatalf("DNS server failed to stop: %s", err)
|
||||
}
|
||||
}
|
||||
|
||||
func TestServerRace(t *testing.T) {
|
||||
s := createTestServer(t)
|
||||
err := s.Start()
|
||||
|
||||
Reference in New Issue
Block a user