daxi20/AdGuardHome
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Revert "Merge: + DNS: TLS handshake: terminate handshake on bad SNI"

Browse Source 
This reverts commit c8c76ae12b.
This commit is contained in:
Simon Zolin
2019-12-13 17:38:17 +03:00
parent 42790bf083
commit b00a789ca3
2 changed files with 10 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
dnsforward/dnsforward.go
View File

@@ -147,16 +147,14 @@ type FilteringConfig struct {
// TLSConfig is the TLS configuration for HTTPS, DNS-over-HTTPS, and DNS-over-TLS
type TLSConfig struct {
TLSListenAddr *net.TCPAddr `yaml:"-" json:"-"`
ServerName string `yaml:"server_name" json:"server_name,omitempty"` // ServerName is the hostname of your HTTPS/TLS server
CertificateChain string `yaml:"certificate_chain" json:"certificate_chain"` // PEM-encoded certificates chain
PrivateKey string `yaml:"private_key" json:"private_key"` // PEM-encoded private key
CertificatePath string `yaml:"certificate_path" json:"certificate_path"` // certificate file name
PrivateKeyPath string `yaml:"private_key_path" json:"private_key_path"` // private key file name
CertificateChainData []byte `yaml:"-" json:"-"`
PrivateKeyData []byte `yaml:"-" json:"-"`
Cert tls.Certificate `yaml:"-" json:"-"`
CertificateChainData []byte `yaml:"-" json:"-"`
PrivateKeyData []byte `yaml:"-" json:"-"`
}
// ServerConfig represents server configuration.
@@ -296,13 +294,13 @@ func (s *Server) Prepare(config *ServerConfig) error {
if s.conf.TLSListenAddr != nil && len(s.conf.CertificateChainData) != 0 && len(s.conf.PrivateKeyData) != 0 {
proxyConfig.TLSListenAddr = s.conf.TLSListenAddr
s.conf.Cert, err = tls.X509KeyPair(s.conf.CertificateChainData, s.conf.PrivateKeyData)
keypair, err := tls.X509KeyPair(s.conf.CertificateChainData, s.conf.PrivateKeyData)
if err != nil {
return errorx.Decorate(err, "Failed to parse TLS keypair")
}
proxyConfig.TLSConfig = &tls.Config{
GetCertificate: s.onGetCertificate,
MinVersion: tls.VersionTLS12,
Certificates: []tls.Certificate{keypair},
MinVersion: tls.VersionTLS12,
}
}
@@ -320,16 +318,6 @@ func (s *Server) Prepare(config *ServerConfig) error {
return nil
}
// Called by 'tls' package when Client Hello is received
// If the server name (from SNI) supplied by client is incorrect - we terminate the ongoing TLS handshake.
func (s *Server) onGetCertificate(ch *tls.ClientHelloInfo) (*tls.Certificate, error) {
if len(s.conf.ServerName) != 0 && ch.ServerName != s.conf.ServerName {
log.Info("DNS: TLS: unknown SNI in Client Hello: %s", ch.ServerName)
return nil, fmt.Errorf("Invalid SNI")
}
return &s.conf.Cert, nil
}
// Stop stops the DNS server
func (s *Server) Stop() error {
s.Lock()