Merge branch 'master' into 4927-refactor-tls

CHANGELOG.md

@@ -12,42 +12,26 @@ and this project adheres to
 ## [Unreleased]
 
 <!--
-## [v0.108.0] - TBA
+## [v0.108.0] - TBA (APPROX.)
 -->
 
 
 
 <!--
-## [v0.107.20] - 2022-12-07 (APPROX.)
-
-See also the [v0.107.20 GitHub milestone][ms-v0.107.20].
-
-[ms-v0.107.20]: https://github.com/AdguardTeam/AdGuardHome/milestone/56?closed=1
--->
-
-
-
-## [v0.107.19] - 2022-11-23
+## [v0.107.19] - 2022-11-23 (APPROX.)
 
 See also the [v0.107.19 GitHub milestone][ms-v0.107.19].
 
+[ms-v0.107.19]: https://github.com/AdguardTeam/AdGuardHome/milestone/55?closed=1
+-->
+
 ### Added
 
-- The ability to block popular Mastodon instances
-  ([AdguardTeam/HostlistsRegistry#100]).
 - The new `--update` command-line option, which allows updating AdGuard Home
   silently ([#4223]).
 
-### Changed
-
-- Minor UI changes.
-
 [#4223]: https://github.com/AdguardTeam/AdGuardHome/issues/4223
 
-[ms-v0.107.19]: https://github.com/AdguardTeam/AdGuardHome/milestone/55?closed=1
-
-[AdguardTeam/HostlistsRegistry#100]: https://github.com/AdguardTeam/HostlistsRegistry/pull/100
-
 
 
 ## [v0.107.18] - 2022-11-08
@@ -1443,12 +1427,11 @@ See also the [v0.104.2 GitHub milestone][ms-v0.104.2].
 
 
 <!--
-[Unreleased]: https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.20...HEAD
-[v0.107.20]:  https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.19...v0.107.20
--->
-
 [Unreleased]: https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.19...HEAD
 [v0.107.19]:  https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.18...v0.107.19
+-->
+
+[Unreleased]: https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.18...HEAD
 [v0.107.18]:  https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.17...v0.107.18
 [v0.107.17]:  https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.16...v0.107.17
 [v0.107.16]:  https://github.com/AdguardTeam/AdGuardHome/compare/v0.107.15...v0.107.16

client/src/__locales/ar.json

@@ -392,7 +392,6 @@
     "encryption_issuer": "المصدر",
     "encryption_hostnames": "اسم المستضيف",
     "encryption_reset": "هل أنت متأكد أنك تريد إعادة تعيين إعدادات التشفير؟",
-    "encryption_warning": "تحذير",
     "topline_expiring_certificate": "شهادة SSL الخاصة بك على وشك الانتهاء. قم بتحديث <0>إعدادات التشفير</0>.",
     "topline_expired_certificate": "انتهت صلاحية شهادة SSL الخاصة بك. قم بتحديث <0>إعدادات التشفير</0>.",
     "form_error_port_range": "أدخل رقم المنفذ في النطاق 80-65535",

client/src/__locales/be.json

@@ -393,7 +393,6 @@
     "encryption_issuer": "Выдавец",
     "encryption_hostnames": "Імёны хастоў",
     "encryption_reset": "Вы ўпэўнены, што хочаце скінуць налады шыфравання?",
-    "encryption_warning": "Увага",
     "topline_expiring_certificate": "Ваш SSL-сертыфікат хутка мінае. Абновіце <0>Налады шыфравання</0>.",
     "topline_expired_certificate": "Ваш SSL-сертыфікат мінуў. Абновіце <0>Налады шыфравання</0>.",
     "form_error_port_range": "Увядзіце нумар порта з інтэрвалу 80-65535",

client/src/__locales/bg.json

@@ -244,7 +244,6 @@
     "encryption_issuer": "Изпълнител",
     "encryption_hostnames": "Имена на хоста",
     "encryption_reset": "Сигурни ли сте че искате да изтриете настройките за криптиране?",
-    "encryption_warning": "Внимание",
     "topline_expiring_certificate": "Вашият SSL сертификат изтича. Обнови <0>Настройки за криптиране</0>.",
     "topline_expired_certificate": "Вашият SSL сертификат е изтекъл. Обнови <0>Настройки за криптиране</0>.",
     "form_error_port_range": "Въведете порт в диапазона 80-65535",

client/src/__locales/cs.json

@@ -393,7 +393,6 @@
     "encryption_issuer": "Vydavatel",
     "encryption_hostnames": "Názvy hostitelů",
     "encryption_reset": "Opravdu chcete obnovit nastavení šifrování?",
-    "encryption_warning": "Varování",
     "topline_expiring_certificate": "Váš SSL certifikát brzy vyprší. Aktualizujte <0>Nastavení šifrování</0>.",
     "topline_expired_certificate": "Váš SSL certifikát vypršel. Aktualizujte <0>Nastavení šifrování</0>.",
     "form_error_port_range": "Zadejte číslo portu v rozmezí 80-65535",

client/src/__locales/da.json

@@ -393,7 +393,6 @@
     "encryption_issuer": "Udsteder",
     "encryption_hostnames": "Værtsnavne",
     "encryption_reset": "Sikker på, at du vil nulstille krypteringsindstillingerne?",
-    "encryption_warning": "Advarsel",
     "topline_expiring_certificate": "Dit SSL-certifikat er ved at udløbe. Opdatér <0>Krypteringsindstillinger</0>.",
     "topline_expired_certificate": "Dit SSL-certifikat er udløbet. Opdatér <0>Krypteringsindstillinger</0>.",
     "form_error_port_range": "Angiv portnummer i intervallet 80-65535",

client/src/__locales/de.json

@@ -393,7 +393,6 @@
     "encryption_issuer": "Ausgestellt von",
     "encryption_hostnames": "Hostnamen",
     "encryption_reset": "Möchten Sie die Verschlüsselungseinstellungen wirklich zurücksetzen?",
-    "encryption_warning": "Warnhinweis",
     "topline_expiring_certificate": "Ihr SSL-Zertifikat läuft demnächst ab. Aktualisieren Sie Ihre <0>Verschlüsselungseinstellungen</0>.",
     "topline_expired_certificate": "Ihr SSL-Zertifikat ist abgelaufen. Aktualisieren Sie Ihre <0>Verschlüsselungseinstellungen</0>.",
     "form_error_port_range": "Geben Sie die Portnummer zwischen 80 und 65535 ein",

client/src/__locales/es.json

@@ -393,7 +393,6 @@
     "encryption_issuer": "Emisor",
     "encryption_hostnames": "Nombres de hosts",
     "encryption_reset": "¿Estás seguro de que deseas restablecer la configuración de cifrado?",
-    "encryption_warning": "Advertencia",
     "topline_expiring_certificate": "Tu certificado SSL está a punto de expirar. Actualiza la <0>configuración de cifrado</0>.",
     "topline_expired_certificate": "Tu certificado SSL ha expirado. Actualiza la <0>configuración de cifrado</0>.",
     "form_error_port_range": "Ingresa el número del puerto en el rango de 80 a 65535",

client/src/__locales/fa.json

@@ -361,7 +361,6 @@
     "encryption_issuer": "صادر کننده",
     "encryption_hostnames": "نام میزبان",
     "encryption_reset": "آیا میخواهید تنظیمات رمزگُذاری به پیش فرض بازگردد؟",
-    "encryption_warning": "هشدار",
     "topline_expiring_certificate": "گواهینامه اِس اِس اِل شما در صدد انقضاء است.  <0>تنظیمات رمزگُذاری</0> را بروز رسانی کنید.",
     "topline_expired_certificate": "گواهینامه اِس اِس اِل شما منقضی شده است. <0>تنظیمات رمزگُذاری</0> را بروز رسانی کنید.",
     "form_error_port_range": "مقدار پورت را در محدوده 80-65535 وارد کنید",

client/src/__locales/fi.json

@@ -393,7 +393,6 @@
     "encryption_issuer": "Toimittaja",
     "encryption_hostnames": "Isäntänimet",
     "encryption_reset": "Haluatko varmasti palauttaa salausasetukset?",
-    "encryption_warning": "Varoitus",
     "topline_expiring_certificate": "SSL-varmenteesi on erääntymässä. Päivitä <0>Salausasetukset</0>.",
     "topline_expired_certificate": "SSL-varmenteesi on erääntynyt. Päivitä <0>Salausasetukset</0>.",
     "form_error_port_range": "Syötä portti väliltä 80-65535",
@@ -543,8 +542,8 @@
     "descr": "Kuvaus",
     "whois": "WHOIS",
     "filtering_rules_learn_more": "<0>Lue lisää</0> omien hosts-listojesi luonnista.",
-    "blocked_by_response": "Estetty vastauksen CNAME:n tai IP:n perusteella",
-    "blocked_by_cname_or_ip": "Estetty CNAME:n tai IP:n perusteella",
+    "blocked_by_response": "Vastauksen sisältämän CNAME:n tai IP:n estämä",
+    "blocked_by_cname_or_ip": "CNAME:n tai IP:n estämä",
     "try_again": "Yritä uudelleen",
     "domain_desc": "Syötä korvattava verkkotunnus tai jokerimerkki.",
     "example_rewrite_domain": "korvaa vain tämän verkkotunnuksen vastaukset",

client/src/__locales/fr.json

@@ -393,7 +393,6 @@
     "encryption_issuer": "Émetteur",
     "encryption_hostnames": "Noms d'hôte",
     "encryption_reset": "Voulez-vous vraiment réinitialiser les paramètres de chiffrement ?",
-    "encryption_warning": "Attention",
     "topline_expiring_certificate": "Votre certificat SSL est sur le point d'expirer. Mettez à jour vos <0>Paramètres de chiffrement</0>.",
     "topline_expired_certificate": "Votre certificat SSL a expiré. Mettez à jour vos <0>Paramètres de chiffrement</0>.",
     "form_error_port_range": "Saisissez une valeur de port entre 80 et 65535",

client/src/__locales/hr.json

@@ -393,7 +393,6 @@
     "encryption_issuer": "Izdavač",
     "encryption_hostnames": "Nazivi računala",
     "encryption_reset": "Jeste li sigurni da želite poništiti postavke šifriranja?",
-    "encryption_warning": "Upozorenje",
     "topline_expiring_certificate": "Vaš SSL certifikat uskoro ističe. Ažurirajte <0>Postavke šifriranja</0>.",
     "topline_expired_certificate": "Vaš SSL certifikat je istekao. Ažurirajte <0>Postavke šifriranja</0>.",
     "form_error_port_range": "Unesite broj porta od 80 do 65536",

client/src/__locales/hu.json

@@ -393,7 +393,6 @@
     "encryption_issuer": "Kibocsátó",
     "encryption_hostnames": "Hosztnevek",
     "encryption_reset": "Biztosan visszaállítja a titkosítási beállításokat?",
-    "encryption_warning": "Figyelmeztetés",
     "topline_expiring_certificate": "Az SSL-tanúsítványa hamarosan lejár. Frissítse a <0>Titkosítási beállításokat</0>.",
     "topline_expired_certificate": "Az SSL-tanúsítványa lejárt. Frissítse a <0>Titkosítási beállításokat</0>.",
     "form_error_port_range": "Adjon meg egy portszámot a 80-65535 tartományon belül",

client/src/__locales/id.json

@@ -393,7 +393,6 @@
     "encryption_issuer": "Penerbit",
     "encryption_hostnames": "Nama host",
     "encryption_reset": "Anda yakin ingin mengatur ulang pengaturan enkripsi?",
-    "encryption_warning": "Perhatian",
     "topline_expiring_certificate": "Sertifikat SSL Anda hampir kedaluwarsa. Perbarui <0>Pengaturan enkripsi</0>.",
     "topline_expired_certificate": "Sertifikat SSL Anda kedaluwarsa. Perbarui <0>Pengaturan enkripsi</0>.",
     "form_error_port_range": "Masukkan nomor port di kisaran 80-65535",

client/src/__locales/it.json

@@ -393,7 +393,6 @@
     "encryption_issuer": "Emittente",
     "encryption_hostnames": "Nomi host",
     "encryption_reset": "Sei sicuro di voler ripristinare le impostazioni di crittografia?",
-    "encryption_warning": "Attenzione",
     "topline_expiring_certificate": "Il tuo certificato SSL sta per scadere. Aggiorna le<0> Impostazioni di crittografia </ 0>.",
     "topline_expired_certificate": "Il tuo certificato SSL è scaduto. Aggiorna le <0> Impostazioni di crittografia </ 0>.",
     "form_error_port_range": "Immettere il valore della porta nell'intervallo 80-65535",

client/src/__locales/ja.json

@@ -393,7 +393,6 @@
     "encryption_issuer": "発行者",
     "encryption_hostnames": "ホスト名",
     "encryption_reset": "暗号化設定をリセットして良いですか？",
-    "encryption_warning": "警告",
     "topline_expiring_certificate": "SSL証明書は期限切れになります。<0>暗号化設定</0>を更新します。",
     "topline_expired_certificate": "SSL証明書は期限切れです。<0>暗号化設定</0>を更新します。",
     "form_error_port_range": "80〜65535 の範囲内でポート番号を入力してください",

client/src/__locales/ko.json

@@ -393,7 +393,6 @@
     "encryption_issuer": "발행자",
     "encryption_hostnames": "호스트 이름",
     "encryption_reset": "암호화 설정을 재설정하시겠습니까?",
-    "encryption_warning": "경고",
     "topline_expiring_certificate": "SSL 인증서가 곧 만료됩니다. 업데이트<0> 암호화 설정</0>.",
     "topline_expired_certificate": "SSL 인증서가 만료되었습니다. 업데이트<0> 암호화 설정</0>.",
     "form_error_port_range": "80-65535 범위의 포트 번호를 입력하세요",

client/src/__locales/nl.json

@@ -393,7 +393,6 @@
     "encryption_issuer": "Uitgever",
     "encryption_hostnames": "Hostnamen",
     "encryption_reset": "Ben je zeker dat je de encryptie instellingen wil resetten?",
-    "encryption_warning": "Waarschuwing",
     "topline_expiring_certificate": "Jouw SSL-certificaat vervalt binnenkort. Werk de <0>encryptie-instellingen</0> bij.",
     "topline_expired_certificate": "Jouw SSL-certificaat is vervallen. Werk de <0>encryptie-instellingen</0> bij.",
     "form_error_port_range": "Poortnummer invoeren tussen 80 en 65535",

client/src/__locales/no.json

@@ -373,7 +373,6 @@
     "encryption_issuer": "Utsteder",
     "encryption_hostnames": "Vertsnavn",
     "encryption_reset": "Er du sikker på at du vil tilbakestille krypteringsinnstillingene?",
-    "encryption_warning": "Advarsel",
     "topline_expiring_certificate": "Ditt SSL-sertifikat er i ferd med å utløpe. Oppdater <0>Krypteringsinnstillinger</0>.",
     "topline_expired_certificate": "SSL-sertifikatet har utløpt. Oppdater <0>Krypteringsinnstillinger</0>.",
     "form_error_port_range": "Skriv inn et portnummer i området 80-65535",

client/src/__locales/pl.json

@@ -393,7 +393,6 @@
     "encryption_issuer": "Zgłaszający",
     "encryption_hostnames": "Nazwy hostów",
     "encryption_reset": "Czy na pewno chcesz zresetować ustawienia szyfrowania?",
-    "encryption_warning": "Uwaga!",
     "topline_expiring_certificate": "Twój certyfikat SSL wkrótce wygaśnie. Zaktualizuj <0>Ustawienia szyfrowania</0>.",
     "topline_expired_certificate": "Twój certyfikat SSL wygasł. Zaktualizuj <0>Ustawienia szyfrowania</0>.",
     "form_error_port_range": "Wpisz numer portu z zakresu 80-65535",

client/src/__locales/pt-br.json

@@ -393,7 +393,6 @@
     "encryption_issuer": "Emissor",
     "encryption_hostnames": "Nomes dos servidores",
     "encryption_reset": "Você tem certeza de que deseja redefinir a configuração de criptografia?",
-    "encryption_warning": "Aviso",
     "topline_expiring_certificate": "Seu certificado SSL está prestes a expirar. Atualize suas <0>configurações de criptografia</]0>",
     "topline_expired_certificate": "Seu certificado SSL está expirado. Atualize suas <0>configurações de criptografia</0>",
     "form_error_port_range": "Digite um número de porta entre 80 e 65535",

client/src/__locales/pt-pt.json

@@ -393,7 +393,6 @@
     "encryption_issuer": "Emissor",
     "encryption_hostnames": "Nomes dos servidores",
     "encryption_reset": "Tem a certeza de que deseja repor a definição de criptografia?",
-    "encryption_warning": "Aviso",
     "topline_expiring_certificate": "O seu certificado SSL está prestes a expirar. Atualize as suas <0>definições de criptografia</0>.",
     "topline_expired_certificate": "O seu certificado SSL está expirado. Atualize as suas <0>definições de criptografia</0>.",
     "form_error_port_range": "Digite um numero de porta entre 80 e 65535",

client/src/__locales/ro.json

@@ -393,7 +393,6 @@
     "encryption_issuer": "Emitent",
     "encryption_hostnames": "Nume de host",
     "encryption_reset": "Sunteți sigur că doriți să resetați setările de criptare?",
-    "encryption_warning": "Avertisment",
     "topline_expiring_certificate": "Certificatul dvs. SSL este pe cale să expire. Actualizați <0>Setările de criptare</0>.",
     "topline_expired_certificate": "Certificatul dvs. SSL a expirat. Actualizați <0>Setările de criptare</0>.",
     "form_error_port_range": "Introduceți valoarea portului între 80-65535",

client/src/__locales/ru.json

@@ -393,7 +393,6 @@
     "encryption_issuer": "Издатель",
     "encryption_hostnames": "Имена хостов",
     "encryption_reset": "Вы уверены, что хотите сбросить настройки шифрования?",
-    "encryption_warning": "Предупреждение",
     "topline_expiring_certificate": "Ваш SSL-сертификат скоро истекает. Обновите <0>Настройки шифрования</0>.",
     "topline_expired_certificate": "Ваш SSL-сертификат истёк. Обновите <0>Настройки шифрования</0>.",
     "form_error_port_range": "Введите номер порта из интервала 80-65535",

client/src/__locales/sk.json

@@ -393,7 +393,6 @@
     "encryption_issuer": "Vydavateľ",
     "encryption_hostnames": "Názvy hostiteľov",
     "encryption_reset": "Naozaj chcete obnoviť nastavenia šifrovania?",
-    "encryption_warning": "Varovanie",
     "topline_expiring_certificate": "Váš SSL certifikát čoskoro vyprší. Aktualizujte <0>Nastavenia šifrovania</0>.",
     "topline_expired_certificate": "Váš SSL certifikát vypršal. Aktualizujte <0>Nastavenia šifrovania</0>.",
     "form_error_port_range": "Zadajte číslo portu v rozsahu 80-65535",

client/src/__locales/sl.json

@@ -393,7 +393,6 @@
     "encryption_issuer": "Izdajatelj",
     "encryption_hostnames": "Imena gostiteljev",
     "encryption_reset": "Ali ste prepričani, da želite ponastaviti nastavitve šifriranja?",
-    "encryption_warning": "Opozorilo",
     "topline_expiring_certificate": "Vaš e digitalno potrdilo SSL bo kmalu poteklol. Posodobite <0>Nastavitve šifriranja</0>.",
     "topline_expired_certificate": "Vaše digitalno potrdilo SSL je poteklo. Posodobi <0>Nastavitve šifriranja</0>.",
     "form_error_port_range": "Vnesite številko vrat v razponu med 80-65535",

client/src/__locales/sr-cs.json

@@ -393,7 +393,6 @@
     "encryption_issuer": "Izdavač",
     "encryption_hostnames": "Imena hostova",
     "encryption_reset": "Jeste li sigurni da želite dda resetujete postavke šifrovanja?",
-    "encryption_warning": "Upozorenje",
     "topline_expiring_certificate": "Vaš SSL sertifikat uskoro ističe. Ažurirajte <0>postavke šifrovanja</0>.",
     "topline_expired_certificate": "Vaš SSL sertifikat je istekao. Ažurirajte <0>postavke šifrovanja</0>.",
     "form_error_port_range": "Unesite vrednost porta u opsegu od 80-65535",

client/src/__locales/sv.json

@@ -393,7 +393,6 @@
     "encryption_issuer": "Utgivare",
     "encryption_hostnames": "Värdnamn",
     "encryption_reset": "Är du säker på att du vill återställa krypteringsinställningarna?",
-    "encryption_warning": "Varning",
     "topline_expiring_certificate": "Ditt SSL-certifikat håller på att gå ut. <0>Krypteringsinställningar</0>.",
     "topline_expired_certificate": "Ditt SSL-certifikat har gått ut. Uppdatera <0>Krypteringsinställningar</0>-",
     "form_error_port_range": "Ange ett portnummer inom värdena 80-65535",

client/src/__locales/th.json

@@ -262,7 +262,6 @@
     "encryption_issuer": "ผู้ออกใบรับรอง:",
     "encryption_hostnames": "ชื่อโฮส",
     "encryption_reset": "คุณแน่ใจนะว่าจะล้างค่าการเข้ารหัส?",
-    "encryption_warning": "คำเตือน",
     "topline_expiring_certificate": "ใบรับรอง SSL ของคุณกำลังจะหมดอายุ กรุณาอัปเดท <0>การตั้งค่าเข้ารหัส</0>.",
     "topline_expired_certificate": "ใบรับรอง SSL ของคุณหมดอายุแล้ว กรุณาอัปเดท <0>การตั้งค่าเข้ารหัส</0>.",
     "form_error_port_unsafe": "เป็นพอร์ทที่ไม่ปลอดภัย",

client/src/__locales/tr.json

@@ -393,7 +393,6 @@
     "encryption_issuer": "Sağlayan",
     "encryption_hostnames": "Ana makine adları",
     "encryption_reset": "Şifreleme ayarlarını sıfırlamak istediğinizden emin misiniz?",
-    "encryption_warning": "Uyarı",
     "topline_expiring_certificate": "SSL sertifikanızın süresi sona üzere. <0>Şifreleme ayarlarını</0> güncelleyin.",
     "topline_expired_certificate": "SSL sertifikanızın süresi sona erdi. <0>Şifreleme ayarlarını</0> güncelleyin.",
     "form_error_port_range": "80-65535 aralığında geçerli bir bağlantı noktası değeri girin",

client/src/__locales/uk.json

@@ -371,7 +371,7 @@
     "encryption_redirect": "Автоматично перенаправляти на HTTPS",
     "encryption_redirect_desc": "Якщо встановлено, AdGuard Home автоматично перенаправить вас з HTTP на адреси HTTPS.",
     "encryption_https": "Порт HTTPS",
-    "encryption_https_desc": "Якщо HTTPS-порт налаштовано, інтерфейс адміністратора AdGuard Home буде доступний через HTTPS, а також сервер DNS-over-HTTPS буде доступний за адресою '/dns-query'.",
+    "encryption_https_desc": "Якщо HTTPS-порт налаштовано, інтерфейс адміністратора AdGuard Home буде доступний через HTTPS, а також DNS-over-HTTPS-сервер буде доступний за адресою /dns-query.",
     "encryption_dot": "Порт DNS-over-TLS",
     "encryption_dot_desc": "Якщо цей порт налаштовано, AdGuard Home запустить на цьому порту сервер DNS-over-TLS.",
     "encryption_doq": "Порт DNS-over-QUIC",
@@ -393,7 +393,6 @@
     "encryption_issuer": "Видавець",
     "encryption_hostnames": "Назви вузлів",
     "encryption_reset": "Ви впевнені, що хочете скинути налаштування шифрування?",
-    "encryption_warning": "Увага",
     "topline_expiring_certificate": "Ваш сертифікат SSL скоро закінчиться. Оновіть <0>Налаштування шифрування</0>.",
     "topline_expired_certificate": "Термін дії вашого сертифіката SSL закінчився. Оновіть <0>Налаштування шифрування</0>.",
     "form_error_port_range": "Введіть значення порту в діапазоні 80−65535",

client/src/__locales/vi.json

@@ -393,7 +393,6 @@
     "encryption_issuer": "Phát hành",
     "encryption_hostnames": "Tên máy chủ",
     "encryption_reset": "Bạn có chắc chắn muốn đặt lại cài đặt mã hóa?",
-    "encryption_warning": "Cảnh báo",
     "topline_expiring_certificate": "Chứng chỉ SSL của bạn sắp hết hạn. Cập nhật <0>Cài đặt mã hóa</0>.",
     "topline_expired_certificate": "Chứng chỉ SSL của bạn đã hết hạn. Cập nhật <0>Cài đặt mã hóa</0>.",
     "form_error_port_range": "Nhập giá trị cổng trong phạm vi 80-65535",

client/src/__locales/zh-cn.json

@@ -393,7 +393,6 @@
     "encryption_issuer": "颁发者",
     "encryption_hostnames": "主机名",
     "encryption_reset": "您确定想要重置加密设置？",
-    "encryption_warning": "警告",
     "topline_expiring_certificate": "您的 SSL 证书即将过期。请更新 <0>加密设置</0> 。",
     "topline_expired_certificate": "您的 SSL 证书已过期。请更新 <0>加密设置</0> 。",
     "form_error_port_range": "输入 80 - 65535 范围内的端口值",

client/src/__locales/zh-hk.json

@@ -381,7 +381,6 @@
     "encryption_issuer": "簽發者",
     "encryption_hostnames": "主機名稱",
     "encryption_reset": "您確定要重設加密設定嗎？",
-    "encryption_warning": "警告",
     "topline_expiring_certificate": "您的 SSL 憑證即將到期。請前往<0>加密設定</0>更新。",
     "topline_expired_certificate": "您的 SSL 憑證已到期。請前往<0>加密設定</0>更新。",
     "form_error_port_range": "輸入範圍 80-65535 中的值",

client/src/__locales/zh-tw.json

@@ -393,7 +393,6 @@
     "encryption_issuer": "簽發者",
     "encryption_hostnames": "主機名稱",
     "encryption_reset": "您確定您想要重置加密設定嗎？",
-    "encryption_warning": "警告",
     "topline_expiring_certificate": "您的安全通訊端層（SSL）憑證即將到期。更新<0>加密設定</0>。",
     "topline_expired_certificate": "您的安全通訊端層（SSL）憑證為已到期的。更新<0>加密設定</0>。",
     "form_error_port_range": "輸入在 80-65535 之範圍內的連接埠號碼",

internal/dnsforward/config.go

@@ -145,7 +145,8 @@ type FilteringConfig struct {
 	IpsetListFileName string `yaml:"ipset_file"`
 }
 
-// TLSConfig is the TLS configuration for HTTPS, DNS-over-HTTPS, and DNS-over-TLS
+// TLSConfig is the TLS configuration for HTTPS, DNS-over-HTTPS, DNS-over-TLS,
+// and DNS-over-QUIC.
 type TLSConfig struct {
 	cert tls.Certificate
 

internal/filtering/servicelist.go

@@ -246,111 +246,6 @@ var blockedServices = []blockedService{{
 	Rules: []string{
 		"||mail.ru^",
 	},
-}, {
-	ID:      "mastodon",
-	Name:    "Mastodon",
-	IconSVG: []byte("<svg xmlns=\"http://www.w3.org/2000/svg\" fill=\"currentColor\" viewBox=\"0 0 512 512\"><path d=\"M433 179.11c0-97.2-63.71-125.7-63.71-125.7-62.52-28.7-228.56-28.4-290.48 0 0 0-63.72 28.5-63.72 125.7 0 115.7-6.6 259.4 105.63 289.1 40.51 10.7 75.32 13 103.33 11.4 50.81-2.8 79.32-18.1 79.32-18.1l-1.7-36.9s-36.31 11.4-77.12 10.1c-40.41-1.4-83-4.4-89.63-54a102.54 102.54 0 0 1-.9-13.9c85.63 20.9 158.65 9.1 178.75 6.7 56.12-6.7 105-41.3 111.23-72.9 9.8-49.8 9-121.5 9-121.5zm-75.12 125.2h-46.63v-114.2c0-49.7-64-51.6-64 6.9v62.5h-46.33V197c0-58.5-64-56.6-64-6.9v114.2H90.19c0-122.1-5.2-147.9 18.41-175 25.9-28.9 79.82-30.8 103.83 6.1l11.6 19.5 11.6-19.5c24.11-37.1 78.12-34.8 103.83-6.1 23.71 27.3 18.4 53 18.4 175z\"/></svg>"),
-	Rules: []string{
-		"||awscommunity.social^",
-		"||colorid.es^",
-		"||dizl.de^",
-		"||dju.social^",
-		"||dresden.network^",
-		"||fedibird.com^",
-		"||fosstodon.org^",
-		"||freiburg.social^",
-		"||glasgow.social^",
-		"||h4.io^",
-		"||hachyderm.io^",
-		"||hessen.social^",
-		"||hispagatos.space^",
-		"||home.social^",
-		"||hostux.social^",
-		"||ieji.de^",
-		"||indieweb.social^",
-		"||ioc.exchange^",
-		"||kfem.cat^",
-		"||kolektiva.social^",
-		"||kurry.social^",
-		"||libretooth.gr^",
-		"||livellosegreto.it^",
-		"||lor.sh^",
-		"||m.cmx.im^",
-		"||mast.dragon-fly.club^",
-		"||masto.ai^",
-		"||masto.es^",
-		"||masto.nobigtech.es^",
-		"||masto.pt^",
-		"||mastodon-belgium.be^",
-		"||mastodon.au^",
-		"||mastodon.bida.im^",
-		"||mastodon.eus^",
-		"||mastodon.ie^",
-		"||mastodon.iriseden.eu^",
-		"||mastodon.nl^",
-		"||mastodon.nu^",
-		"||mastodon.nz^",
-		"||mastodon.online^",
-		"||mastodon.scot^",
-		"||mastodon.sdf.org^",
-		"||mastodon.se^",
-		"||mastodon.social^",
-		"||mastodon.uno^",
-		"||mastodon.world^",
-		"||mastodon.zaclys.com^",
-		"||mastodonapp.uk^",
-		"||mastodont.cat^",
-		"||mastodontech.de^",
-		"||mastodontti.fi^",
-		"||mastouille.fr^",
-		"||mathstodon.xyz^",
-		"||mindly.social^",
-		"||mstdn.ca^",
-		"||mstdn.jp^",
-		"||mstdn.party^",
-		"||mstdn.social^",
-		"||muenchen.social^",
-		"||muenster.im^",
-		"||newsie.social^",
-		"||noc.social^",
-		"||norden.social^",
-		"||nrw.social^",
-		"||o3o.ca^",
-		"||ohai.social^",
-		"||oslo.town^",
-		"||pettingzoo.co^",
-		"||pewtix.com^",
-		"||phpc.social^",
-		"||piaille.fr^",
-		"||pol.social^",
-		"||qdon.space^",
-		"||ravenation.club^",
-		"||rollenspiel.social^",
-		"||ruby.social^",
-		"||ruhr.social^",
-		"||sfba.social^",
-		"||snabelen.no^",
-		"||social.anoxinon.de^",
-		"||social.cologne^",
-		"||social.dev-wiki.de^",
-		"||social.politicaconciencia.org^",
-		"||social.vivaldi.net^",
-		"||sociale.network^",
-		"||sueden.social^",
-		"||techhub.social^",
-		"||theblower.au^",
-		"||tkz.one^",
-		"||toot.aquilenet.fr^",
-		"||toot.funami.tech^",
-		"||toot.wales^",
-		"||troet.cafe^",
-		"||uiuxdev.social^",
-		"||union.place^",
-		"||universeodon.com^",
-		"||urbanists.social^",
-		"||vocalodon.net^",
-		"||wxw.moe^",
-	},
 }, {
 	ID:      "minecraft",
 	Name:    "Minecraft",

internal/home/config.go

@@ -20,6 +20,7 @@ import (
 	"github.com/AdguardTeam/golibs/log"
 	"github.com/AdguardTeam/golibs/timeutil"
 	"github.com/google/renameio/maybe"
+	"golang.org/x/exp/slices"
 	yaml "gopkg.in/yaml.v3"
 )
 
@@ -113,8 +114,8 @@ type configuration struct {
 	// An active session is automatically refreshed once a day.
 	WebSessionTTLHours uint32 `yaml:"web_session_ttl"`
 
-	DNS dnsConfig         `yaml:"dns"`
-	TLS tlsConfigSettings `yaml:"tls"`
+	DNS dnsConfig        `yaml:"dns"`
+	TLS tlsConfiguration `yaml:"tls"`
 
 	// Filters reflects the filters from [filtering.Config].  It's cloned to the
 	// config used in the filtering module at the startup.  Afterwards it's
@@ -199,7 +200,8 @@ type dnsConfig struct {
 	UseHTTP3Upstreams bool `yaml:"use_http3_upstreams"`
 }
 
-type tlsConfigSettings struct {
+// tlsConfiguration is the on-disk TLS configuration.
+type tlsConfiguration struct {
 	Enabled         bool   `yaml:"enabled" json:"enabled"`                                 // Enabled is the encryption (DoT/DoH/HTTPS) status
 	ServerName      string `yaml:"server_name" json:"server_name,omitempty"`               // ServerName is the hostname of your HTTPS/TLS server
 	ForceHTTPS      bool   `yaml:"force_https" json:"force_https"`                         // ForceHTTPS: if true, forces HTTP->HTTPS redirect
@@ -223,6 +225,29 @@ type tlsConfigSettings struct {
 	dnsforward.TLSConfig `yaml:",inline" json:",inline"`
 }
 
+// cloneForEncoding returns a clone of c with all top-level fields of c and all
+// exported and YAML-encoded fields of c.TLSConfig cloned.
+//
+// TODO(a.garipov): This is better than races, but still not good enough.
+func (c *tlsConfiguration) cloneForEncoding() (cloned *tlsConfiguration) {
+	if c == nil {
+		return nil
+	}
+
+	v := *c
+	cloned = &v
+	cloned.TLSConfig = dnsforward.TLSConfig{
+		CertificateChain:   c.CertificateChain,
+		PrivateKey:         c.PrivateKey,
+		CertificatePath:    c.CertificatePath,
+		PrivateKeyPath:     c.PrivateKeyPath,
+		OverrideTLSCiphers: slices.Clone(c.OverrideTLSCiphers),
+		StrictSNICheck:     c.StrictSNICheck,
+	}
+
+	return cloned
+}
+
 // config is the global configuration structure.
 //
 // TODO(a.garipov, e.burkov): This global is awful and must be removed.
@@ -273,7 +298,7 @@ var config = &configuration{
 		UpstreamTimeout: timeutil.Duration{Duration: dnsforward.DefaultTimeout},
 		UsePrivateRDNS:  true,
 	},
-	TLS: tlsConfigSettings{
+	TLS: tlsConfiguration{
 		PortHTTPS:       defaultPortHTTPS,
 		PortDNSOverTLS:  defaultPortTLS, // needs to be passed through to dnsproxy
 		PortDNSOverQUIC: defaultPortQUIC,
@@ -442,7 +467,7 @@ func (c *configuration) write() (err error) {
 	}
 
 	if Context.tls != nil {
-		tlsConf := tlsConfigSettings{}
+		tlsConf := tlsConfiguration{}
 		Context.tls.WriteDiskConfig(&tlsConf)
 		config.TLS = tlsConf
 	}

internal/home/controlupdate.go

@@ -154,7 +154,7 @@ func (vr *versionResponse) setAllowedToAutoUpdate() (err error) {
 		return nil
 	}
 
-	tlsConf := &tlsConfigSettings{}
+	tlsConf := &tlsConfiguration{}
 	Context.tls.WriteDiskConfig(tlsConf)
 
 	canUpdate := true
@@ -172,7 +172,7 @@ func (vr *versionResponse) setAllowedToAutoUpdate() (err error) {
 
 // tlsConfUsesPrivilegedPorts returns true if the provided TLS configuration
 // indicates that privileged ports are used.
-func tlsConfUsesPrivilegedPorts(c *tlsConfigSettings) (ok bool) {
+func tlsConfUsesPrivilegedPorts(c *tlsConfiguration) (ok bool) {
 	return c.Enabled && (c.PortHTTPS < 1024 || c.PortDNSOverTLS < 1024 || c.PortDNSOverQUIC < 1024)
 }
 

internal/home/dns.go

@@ -205,7 +205,7 @@ func generateServerConfig() (newConf dnsforward.ServerConfig, err error) {
 		OnDNSRequest:    onDNSRequest,
 	}
 
-	tlsConf := tlsConfigSettings{}
+	tlsConf := tlsConfiguration{}
 	Context.tls.WriteDiskConfig(&tlsConf)
 	if tlsConf.Enabled {
 		newConf.TLSConfig = tlsConf.TLSConfig
@@ -250,7 +250,7 @@ func generateServerConfig() (newConf dnsforward.ServerConfig, err error) {
 	return newConf, nil
 }
 
-func newDNSCrypt(hosts []netip.Addr, tlsConf tlsConfigSettings) (dnscc dnsforward.DNSCryptConfig, err error) {
+func newDNSCrypt(hosts []netip.Addr, tlsConf tlsConfiguration) (dnscc dnsforward.DNSCryptConfig, err error) {
 	if tlsConf.DNSCryptConfigFile == "" {
 		return dnscc, errors.Error("no dnscrypt_config_file")
 	}
@@ -288,7 +288,7 @@ type dnsEncryption struct {
 }
 
 func getDNSEncryption() (de dnsEncryption) {
-	tlsConf := tlsConfigSettings{}
+	tlsConf := tlsConfiguration{}
 
 	Context.tls.WriteDiskConfig(&tlsConf)
 

internal/home/home.go

@@ -512,7 +512,7 @@ func run(opts options, clientBuildFS fs.FS) {
 	}
 	config.Users = nil
 
-	Context.tls, err = newTLSManager(config.TLS)
+	Context.tls, err = newTLSManager(&config.TLS)
 	if err != nil {
 		log.Fatalf("initializing tls: %s", err)
 	}
@@ -817,7 +817,7 @@ func printWebAddrs(proto, addr string, port, betaPort int) {
 // printHTTPAddresses prints the IP addresses which user can use to access the
 // admin interface.  proto is either schemeHTTP or schemeHTTPS.
 func printHTTPAddresses(proto string) {
-	tlsConf := tlsConfigSettings{}
+	tlsConf := tlsConfiguration{}
 	if Context.tls != nil {
 		Context.tls.WriteDiskConfig(&tlsConf)
 	}

internal/home/mobileconfig_test.go

@@ -32,7 +32,11 @@ func setupDNSIPs(t testing.TB) {
 		},
 	}
 
-	Context.tls = &tlsManager{}
+	var err error
+	Context.tls, err = newTLSManager(&tlsConfiguration{
+		Enabled: true,
+	})
+	require.NoError(t, err)
 }
 
 func TestHandleMobileConfigDoH(t *testing.T) {
@@ -65,7 +69,11 @@ func TestHandleMobileConfigDoH(t *testing.T) {
 		oldTLSConf := Context.tls
 		t.Cleanup(func() { Context.tls = oldTLSConf })
 
-		Context.tls = &tlsManager{conf: tlsConfigSettings{}}
+		var err error
+		Context.tls, err = newTLSManager(&tlsConfiguration{
+			Enabled: true,
+		})
+		require.NoError(t, err)
 
 		r, err := http.NewRequest(http.MethodGet, "https://example.com:12345/apple/doh.mobileconfig", nil)
 		require.NoError(t, err)
@@ -137,7 +145,11 @@ func TestHandleMobileConfigDoT(t *testing.T) {
 		oldTLSConf := Context.tls
 		t.Cleanup(func() { Context.tls = oldTLSConf })
 
-		Context.tls = &tlsManager{conf: tlsConfigSettings{}}
+		var err error
+		Context.tls, err = newTLSManager(&tlsConfiguration{
+			Enabled: true,
+		})
+		require.NoError(t, err)
 
 		r, err := http.NewRequest(http.MethodGet, "https://example.com:12345/apple/dot.mobileconfig", nil)
 		require.NoError(t, err)

internal/home/tls.go

@@ -8,42 +8,39 @@ import (
 	"crypto/rsa"
 	"crypto/tls"
 	"crypto/x509"
-	"encoding/base64"
-	"encoding/json"
 	"encoding/pem"
 	"fmt"
-	"net/http"
 	"os"
 	"strings"
 	"sync"
 	"time"
 
-	"github.com/AdguardTeam/AdGuardHome/internal/aghalg"
-	"github.com/AdguardTeam/AdGuardHome/internal/aghhttp"
 	"github.com/AdguardTeam/AdGuardHome/internal/aghtls"
-	"github.com/AdguardTeam/AdGuardHome/internal/dnsforward"
 	"github.com/AdguardTeam/golibs/errors"
 	"github.com/AdguardTeam/golibs/log"
-	"github.com/google/go-cmp/cmp"
 )
 
 // tlsManager contains the current configuration and state of AdGuard Home TLS
 // encryption.
 type tlsManager struct {
-	// status is the current status of the configuration.  It is never nil.
-	status *tlsConfigStatus
+	// mu protects all fields.
+	mu *sync.RWMutex
 
 	// certLastMod is the last modification time of the certificate file.
 	certLastMod time.Time
 
-	confLock sync.Mutex
-	conf     tlsConfigSettings
+	// status is the current status of the configuration.  It is never nil.
+	status *tlsConfigStatus
+
+	// conf is the current TLS configuration.
+	conf *tlsConfiguration
 }
 
 // newTLSManager initializes the TLS configuration.
-func newTLSManager(conf tlsConfigSettings) (m *tlsManager, err error) {
+func newTLSManager(conf *tlsConfiguration) (m *tlsManager, err error) {
 	m = &tlsManager{
 		status: &tlsConfigStatus{},
+		mu:     &sync.RWMutex{},
 		conf:   conf,
 	}
 
@@ -59,9 +56,19 @@ func newTLSManager(conf tlsConfigSettings) (m *tlsManager, err error) {
 	return m, nil
 }
 
+// confForEncoding returns a partial clone of the current TLS configuration.  It
+// is safe for concurrent use.
+func (m *tlsManager) confForEncoding() (conf *tlsConfiguration) {
+	m.mu.RLock()
+	defer m.mu.RUnlock()
+
+	return m.conf.cloneForEncoding()
+}
+
 // load reloads the TLS configuration from files or data from the config file.
+// m.mu is expected to be locked for writing.
 func (m *tlsManager) load() (err error) {
-	err = loadTLSConf(&m.conf, m.status)
+	err = loadTLSConf(m.conf, m.status)
 	if err != nil {
 		return fmt.Errorf("loading config: %w", err)
 	}
@@ -70,14 +77,12 @@ func (m *tlsManager) load() (err error) {
 }
 
 // WriteDiskConfig - write config
-func (m *tlsManager) WriteDiskConfig(conf *tlsConfigSettings) {
-	m.confLock.Lock()
-	*conf = m.conf
-	m.confLock.Unlock()
+func (m *tlsManager) WriteDiskConfig(conf *tlsConfiguration) {
+	*conf = *m.confForEncoding()
 }
 
 // setCertFileTime sets t.certLastMod from the certificate.  If there are
-// errors, setCertFileTime logs them.
+// errors, setCertFileTime logs them.  mu is expected to be locked for writing.
 func (m *tlsManager) setCertFileTime() {
 	if len(m.conf.CertificatePath) == 0 {
 		return
@@ -97,27 +102,22 @@ func (m *tlsManager) setCertFileTime() {
 func (m *tlsManager) start() {
 	m.registerWebHandlers()
 
-	m.confLock.Lock()
-	tlsConf := m.conf
-	m.confLock.Unlock()
-
 	// The background context is used because the TLSConfigChanged wraps context
 	// with timeout on its own and shuts down the server, which handles current
 	// request.
-	Context.web.TLSConfigChanged(context.Background(), tlsConf)
+	Context.web.TLSConfigChanged(context.Background(), m.confForEncoding())
 }
 
-// reload updates the configuration and restarts t.
+// reload updates the configuration and restarts m.
 func (m *tlsManager) reload() {
-	m.confLock.Lock()
-	tlsConf := m.conf
-	m.confLock.Unlock()
+	m.mu.Lock()
+	defer m.mu.Unlock()
 
-	if !tlsConf.Enabled || len(tlsConf.CertificatePath) == 0 {
+	if !m.conf.Enabled || len(m.conf.CertificatePath) == 0 {
 		return
 	}
 
-	fi, err := os.Stat(tlsConf.CertificatePath)
+	fi, err := os.Stat(m.conf.CertificatePath)
 	if err != nil {
 		log.Error("tls: %s", err)
 
@@ -132,9 +132,7 @@ func (m *tlsManager) reload() {
 
 	log.Debug("tls: certificate file is modified")
 
-	m.confLock.Lock()
 	err = m.load()
-	m.confLock.Unlock()
 	if err != nil {
 		log.Error("tls: reloading: %s", err)
 
@@ -145,19 +143,15 @@ func (m *tlsManager) reload() {
 
 	_ = reconfigureDNSServer()
 
-	m.confLock.Lock()
-	tlsConf = m.conf
-	m.confLock.Unlock()
-
 	// The background context is used because the TLSConfigChanged wraps context
 	// with timeout on its own and shuts down the server, which handles current
 	// request.
-	Context.web.TLSConfigChanged(context.Background(), tlsConf)
+	Context.web.TLSConfigChanged(context.Background(), m.conf)
 }
 
 // loadTLSConf loads and validates the TLS configuration.  The returned error is
 // also set in status.WarningValidation.
-func loadTLSConf(tlsConf *tlsConfigSettings, status *tlsConfigStatus) (err error) {
+func loadTLSConf(tlsConf *tlsConfiguration, status *tlsConfigStatus) (err error) {
 	defer func() {
 		if err != nil {
 			status.WarningValidation = err.Error()
@@ -172,13 +166,10 @@ func loadTLSConf(tlsConf *tlsConfigSettings, status *tlsConfigStatus) (err error
 	tlsConf.PrivateKeyData = []byte(tlsConf.PrivateKey)
 
 	if tlsConf.CertificatePath != "" {
-		if tlsConf.CertificateChain != "" {
-			return errors.Error("certificate data and file can't be set together")
-		}
-
-		tlsConf.CertificateChainData, err = os.ReadFile(tlsConf.CertificatePath)
+		err = loadCert(tlsConf)
 		if err != nil {
-			return fmt.Errorf("reading cert file: %w", err)
+			// Don't wrap the error, since it's informative enough as is.
+			return err
 		}
 
 		// Set status.ValidCert to true to signal the frontend that the
@@ -187,13 +178,10 @@ func loadTLSConf(tlsConf *tlsConfigSettings, status *tlsConfigStatus) (err error
 	}
 
 	if tlsConf.PrivateKeyPath != "" {
-		if tlsConf.PrivateKey != "" {
-			return errors.Error("private key data and file can't be set together")
-		}
-
-		tlsConf.PrivateKeyData, err = os.ReadFile(tlsConf.PrivateKeyPath)
+		err = loadPKey(tlsConf)
 		if err != nil {
-			return fmt.Errorf("reading key file: %w", err)
+			// Don't wrap the error, since it's informative enough as is.
+			return err
 		}
 
 		status.ValidKey = true
@@ -212,278 +200,29 @@ func loadTLSConf(tlsConf *tlsConfigSettings, status *tlsConfigStatus) (err error
 	return nil
 }
 
-// tlsConfigStatus contains the status of a certificate chain and key pair.
-type tlsConfigStatus struct {
-	// Subject is the subject of the first certificate in the chain.
-	Subject string `json:"subject,omitempty"`
-
-	// Issuer is the issuer of the first certificate in the chain.
-	Issuer string `json:"issuer,omitempty"`
-
-	// KeyType is the type of the private key.
-	KeyType string `json:"key_type,omitempty"`
-
-	// NotBefore is the NotBefore field of the first certificate in the chain.
-	NotBefore time.Time `json:"not_before,omitempty"`
-
-	// NotAfter is the NotAfter field of the first certificate in the chain.
-	NotAfter time.Time `json:"not_after,omitempty"`
-
-	// WarningValidation is a validation warning message with the issue
-	// description.
-	WarningValidation string `json:"warning_validation,omitempty"`
-
-	// DNSNames is the value of SubjectAltNames field of the first certificate
-	// in the chain.
-	DNSNames []string `json:"dns_names"`
-
-	// ValidCert is true if the specified certificate chain is a valid chain of
-	// X509 certificates.
-	ValidCert bool `json:"valid_cert"`
-
-	// ValidChain is true if the specified certificate chain is verified and
-	// issued by a known CA.
-	ValidChain bool `json:"valid_chain"`
-
-	// ValidKey is true if the key is a valid private key.
-	ValidKey bool `json:"valid_key"`
-
-	// ValidPair is true if both certificate and private key are correct for
-	// each other.
-	ValidPair bool `json:"valid_pair"`
-}
-
-// tlsConfig is the TLS configuration and status response.
-type tlsConfig struct {
-	*tlsConfigStatus     `json:",inline"`
-	tlsConfigSettingsExt `json:",inline"`
-}
-
-// tlsConfigSettingsExt is used to (un)marshal the PrivateKeySaved field to
-// ensure that clients don't send and receive previously saved private keys.
-type tlsConfigSettingsExt struct {
-	tlsConfigSettings `json:",inline"`
-
-	// PrivateKeySaved is true if the private key is saved as a string and omit
-	// key from answer.
-	PrivateKeySaved bool `yaml:"-" json:"private_key_saved,inline"`
-}
-
-func (m *tlsManager) handleTLSStatus(w http.ResponseWriter, r *http.Request) {
-	m.confLock.Lock()
-	data := tlsConfig{
-		tlsConfigSettingsExt: tlsConfigSettingsExt{
-			tlsConfigSettings: m.conf,
-		},
-		tlsConfigStatus: m.status,
+// loadCert loads the certificate from file, if necessary.
+func loadCert(tlsConf *tlsConfiguration) (err error) {
+	if tlsConf.CertificateChain != "" {
+		return errors.Error("certificate data and file can't be set together")
 	}
-	m.confLock.Unlock()
 
-	marshalTLS(w, r, data)
-}
-
-func (m *tlsManager) handleTLSValidate(w http.ResponseWriter, r *http.Request) {
-	setts, err := unmarshalTLS(r)
+	tlsConf.CertificateChainData, err = os.ReadFile(tlsConf.CertificatePath)
 	if err != nil {
-		aghhttp.Error(r, w, http.StatusBadRequest, "Failed to unmarshal TLS config: %s", err)
-
-		return
+		return fmt.Errorf("reading cert file: %w", err)
 	}
 
-	if setts.PrivateKeySaved {
-		setts.PrivateKey = m.conf.PrivateKey
-	}
-
-	if setts.Enabled {
-		err = validatePorts(
-			tcpPort(config.BindPort),
-			tcpPort(config.BetaBindPort),
-			tcpPort(setts.PortHTTPS),
-			tcpPort(setts.PortDNSOverTLS),
-			tcpPort(setts.PortDNSCrypt),
-			udpPort(config.DNS.Port),
-			udpPort(setts.PortDNSOverQUIC),
-		)
-		if err != nil {
-			aghhttp.Error(r, w, http.StatusBadRequest, "%s", err)
-
-			return
-		}
-	}
-
-	if !webCheckPortAvailable(setts.PortHTTPS) {
-		aghhttp.Error(
-			r,
-			w,
-			http.StatusBadRequest,
-			"port %d is not available, cannot enable HTTPS on it",
-			setts.PortHTTPS,
-		)
-
-		return
-	}
-
-	// Skip the error check, since we are only interested in the value of
-	// status.WarningValidation.
-	status := &tlsConfigStatus{}
-	_ = loadTLSConf(&setts.tlsConfigSettings, status)
-	resp := tlsConfig{
-		tlsConfigSettingsExt: setts,
-		tlsConfigStatus:      status,
-	}
-
-	marshalTLS(w, r, resp)
+	return nil
 }
 
-func (m *tlsManager) setConfig(newConf tlsConfigSettings, status *tlsConfigStatus) (restartHTTPS bool) {
-	m.confLock.Lock()
-	defer m.confLock.Unlock()
-
-	// Reset the DNSCrypt data before comparing, since we currently do not
-	// accept these from the frontend.
-	//
-	// TODO(a.garipov): Define a custom comparer for dnsforward.TLSConfig.
-	newConf.DNSCryptConfigFile = m.conf.DNSCryptConfigFile
-	newConf.PortDNSCrypt = m.conf.PortDNSCrypt
-	if !cmp.Equal(m.conf, newConf, cmp.AllowUnexported(dnsforward.TLSConfig{})) {
-		log.Info("tls config has changed, restarting https server")
-		restartHTTPS = true
-	} else {
-		log.Info("tls: config has not changed")
+// loadPKey loads the private key from file, if necessary.
+func loadPKey(tlsConf *tlsConfiguration) (err error) {
+	if tlsConf.PrivateKey != "" {
+		return errors.Error("private key data and file cannot be set together")
 	}
 
-	// Note: don't do just `t.conf = data` because we must preserve all other members of t.conf
-	m.conf.Enabled = newConf.Enabled
-	m.conf.ServerName = newConf.ServerName
-	m.conf.ForceHTTPS = newConf.ForceHTTPS
-	m.conf.PortHTTPS = newConf.PortHTTPS
-	m.conf.PortDNSOverTLS = newConf.PortDNSOverTLS
-	m.conf.PortDNSOverQUIC = newConf.PortDNSOverQUIC
-	m.conf.CertificateChain = newConf.CertificateChain
-	m.conf.CertificatePath = newConf.CertificatePath
-	m.conf.CertificateChainData = newConf.CertificateChainData
-	m.conf.PrivateKey = newConf.PrivateKey
-	m.conf.PrivateKeyPath = newConf.PrivateKeyPath
-	m.conf.PrivateKeyData = newConf.PrivateKeyData
-	m.status = status
-
-	return restartHTTPS
-}
-
-func (m *tlsManager) handleTLSConfigure(w http.ResponseWriter, r *http.Request) {
-	req, err := unmarshalTLS(r)
+	tlsConf.PrivateKeyData, err = os.ReadFile(tlsConf.PrivateKeyPath)
 	if err != nil {
-		aghhttp.Error(r, w, http.StatusBadRequest, "Failed to unmarshal TLS config: %s", err)
-
-		return
-	}
-
-	if req.PrivateKeySaved {
-		req.PrivateKey = m.conf.PrivateKey
-	}
-
-	if req.Enabled {
-		err = validatePorts(
-			tcpPort(config.BindPort),
-			tcpPort(config.BetaBindPort),
-			tcpPort(req.PortHTTPS),
-			tcpPort(req.PortDNSOverTLS),
-			tcpPort(req.PortDNSCrypt),
-			udpPort(config.DNS.Port),
-			udpPort(req.PortDNSOverQUIC),
-		)
-		if err != nil {
-			aghhttp.Error(r, w, http.StatusBadRequest, "%s", err)
-
-			return
-		}
-	}
-
-	// TODO(e.burkov):  Investigate and perhaps check other ports.
-	if !webCheckPortAvailable(req.PortHTTPS) {
-		aghhttp.Error(
-			r,
-			w,
-			http.StatusBadRequest,
-			"port %d is not available, cannot enable https on it",
-			req.PortHTTPS,
-		)
-
-		return
-	}
-
-	status := &tlsConfigStatus{}
-	err = loadTLSConf(&req.tlsConfigSettings, status)
-	if err != nil {
-		resp := tlsConfig{
-			tlsConfigSettingsExt: req,
-			tlsConfigStatus:      status,
-		}
-
-		marshalTLS(w, r, resp)
-
-		return
-	}
-
-	restartHTTPS := m.setConfig(req.tlsConfigSettings, status)
-	m.setCertFileTime()
-	onConfigModified()
-
-	err = reconfigureDNSServer()
-	if err != nil {
-		aghhttp.Error(r, w, http.StatusInternalServerError, "%s", err)
-
-		return
-	}
-
-	resp := tlsConfig{
-		tlsConfigSettingsExt: req,
-		tlsConfigStatus:      m.status,
-	}
-
-	marshalTLS(w, r, resp)
-	if f, ok := w.(http.Flusher); ok {
-		f.Flush()
-	}
-
-	// The background context is used because the TLSConfigChanged wraps context
-	// with timeout on its own and shuts down the server, which handles current
-	// request. It is also should be done in a separate goroutine due to the
-	// same reason.
-	if restartHTTPS {
-		go func() {
-			Context.web.TLSConfigChanged(context.Background(), req.tlsConfigSettings)
-		}()
-	}
-}
-
-// validatePorts validates the uniqueness of TCP and UDP ports for AdGuard Home
-// DNS protocols.
-func validatePorts(
-	bindPort, betaBindPort, dohPort, dotPort, dnscryptTCPPort tcpPort,
-	dnsPort, doqPort udpPort,
-) (err error) {
-	tcpPorts := aghalg.UniqChecker[tcpPort]{}
-	addPorts(
-		tcpPorts,
-		tcpPort(bindPort),
-		tcpPort(betaBindPort),
-		tcpPort(dohPort),
-		tcpPort(dotPort),
-		tcpPort(dnscryptTCPPort),
-	)
-
-	err = tcpPorts.Validate()
-	if err != nil {
-		return fmt.Errorf("validating tcp ports: %w", err)
-	}
-
-	udpPorts := aghalg.UniqChecker[udpPort]{}
-	addPorts(udpPorts, udpPort(dnsPort), udpPort(doqPort))
-
-	err = udpPorts.Validate()
-	if err != nil {
-		return fmt.Errorf("validating udp ports: %w", err)
+		return fmt.Errorf("reading key file: %w", err)
 	}
 
 	return nil
@@ -700,61 +439,3 @@ func parsePrivateKey(der []byte) (key crypto.PrivateKey, typ string, err error)
 
 	return nil, "", errors.Error("tls: failed to parse private key")
 }
-
-// unmarshalTLS handles base64-encoded certificates transparently
-func unmarshalTLS(r *http.Request) (tlsConfigSettingsExt, error) {
-	data := tlsConfigSettingsExt{}
-	err := json.NewDecoder(r.Body).Decode(&data)
-	if err != nil {
-		return data, fmt.Errorf("failed to parse new TLS config json: %w", err)
-	}
-
-	if data.CertificateChain != "" {
-		var cert []byte
-		cert, err = base64.StdEncoding.DecodeString(data.CertificateChain)
-		if err != nil {
-			return data, fmt.Errorf("failed to base64-decode certificate chain: %w", err)
-		}
-
-		data.CertificateChain = string(cert)
-		if data.CertificatePath != "" {
-			return data, fmt.Errorf("certificate data and file can't be set together")
-		}
-	}
-
-	if data.PrivateKey != "" {
-		var key []byte
-		key, err = base64.StdEncoding.DecodeString(data.PrivateKey)
-		if err != nil {
-			return data, fmt.Errorf("failed to base64-decode private key: %w", err)
-		}
-
-		data.PrivateKey = string(key)
-		if data.PrivateKeyPath != "" {
-			return data, fmt.Errorf("private key data and file can't be set together")
-		}
-	}
-
-	return data, nil
-}
-
-func marshalTLS(w http.ResponseWriter, r *http.Request, data tlsConfig) {
-	if data.CertificateChain != "" {
-		encoded := base64.StdEncoding.EncodeToString([]byte(data.CertificateChain))
-		data.CertificateChain = encoded
-	}
-
-	if data.PrivateKey != "" {
-		data.PrivateKeySaved = true
-		data.PrivateKey = ""
-	}
-
-	_ = aghhttp.WriteJSONResponse(w, r, data)
-}
-
-// registerWebHandlers registers HTTP handlers for TLS configuration.
-func (m *tlsManager) registerWebHandlers() {
-	httpRegister(http.MethodGet, "/control/tls/status", m.handleTLSStatus)
-	httpRegister(http.MethodPost, "/control/tls/configure", m.handleTLSConfigure)
-	httpRegister(http.MethodPost, "/control/tls/validate", m.handleTLSValidate)
-}

internal/home/tlshttp.go

@@ -0,0 +1,362 @@
+package home
+
+import (
+	"context"
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"time"
+
+	"github.com/AdguardTeam/AdGuardHome/internal/aghalg"
+	"github.com/AdguardTeam/AdGuardHome/internal/aghhttp"
+	"github.com/AdguardTeam/AdGuardHome/internal/dnsforward"
+	"github.com/AdguardTeam/golibs/log"
+	"github.com/google/go-cmp/cmp"
+)
+
+// Encryption Settings HTTP API
+
+// tlsConfigStatus contains the status of a certificate chain and key pair.
+type tlsConfigStatus struct {
+	// Subject is the subject of the first certificate in the chain.
+	Subject string `json:"subject,omitempty"`
+
+	// Issuer is the issuer of the first certificate in the chain.
+	Issuer string `json:"issuer,omitempty"`
+
+	// KeyType is the type of the private key.
+	KeyType string `json:"key_type,omitempty"`
+
+	// NotBefore is the NotBefore field of the first certificate in the chain.
+	NotBefore time.Time `json:"not_before,omitempty"`
+
+	// NotAfter is the NotAfter field of the first certificate in the chain.
+	NotAfter time.Time `json:"not_after,omitempty"`
+
+	// WarningValidation is a validation warning message with the issue
+	// description.
+	WarningValidation string `json:"warning_validation,omitempty"`
+
+	// DNSNames is the value of SubjectAltNames field of the first certificate
+	// in the chain.
+	DNSNames []string `json:"dns_names"`
+
+	// ValidCert is true if the specified certificate chain is a valid chain of
+	// X509 certificates.
+	ValidCert bool `json:"valid_cert"`
+
+	// ValidChain is true if the specified certificate chain is verified and
+	// issued by a known CA.
+	ValidChain bool `json:"valid_chain"`
+
+	// ValidKey is true if the key is a valid private key.
+	ValidKey bool `json:"valid_key"`
+
+	// ValidPair is true if both certificate and private key are correct for
+	// each other.
+	ValidPair bool `json:"valid_pair"`
+}
+
+// tlsConfigResp is the TLS configuration and status response.
+type tlsConfigResp struct {
+	*tlsConfigStatus
+	*tlsConfiguration
+
+	// PrivateKeySaved is true if the private key is saved as a string and omit
+	// key from answer.
+	PrivateKeySaved bool `yaml:"-" json:"private_key_saved"`
+}
+
+// tlsConfigReq is the TLS configuration request.
+type tlsConfigReq struct {
+	tlsConfiguration
+
+	// PrivateKeySaved is true if the private key is saved as a string and omit
+	// key from answer.
+	PrivateKeySaved bool `yaml:"-" json:"private_key_saved"`
+}
+
+// handleTLSStatus is the handler for the GET /control/tls/status HTTP API.
+func (m *tlsManager) handleTLSStatus(w http.ResponseWriter, r *http.Request) {
+	var resp *tlsConfigResp
+	func() {
+		m.mu.RLock()
+		defer m.mu.RUnlock()
+
+		resp = &tlsConfigResp{
+			tlsConfigStatus:  m.status,
+			tlsConfiguration: m.conf.cloneForEncoding(),
+		}
+	}()
+
+	marshalTLS(w, r, resp)
+}
+
+// handleTLSValidate is the handler for the POST /control/tls/validate HTTP API.
+func (m *tlsManager) handleTLSValidate(w http.ResponseWriter, r *http.Request) {
+	req, err := unmarshalTLS(r)
+	if err != nil {
+		aghhttp.Error(r, w, http.StatusBadRequest, "Failed to unmarshal TLS config: %s", err)
+
+		return
+	}
+
+	if req.PrivateKeySaved {
+		req.PrivateKey = m.confForEncoding().PrivateKey
+	}
+
+	if req.Enabled {
+		err = validatePorts(
+			tcpPort(config.BindPort),
+			tcpPort(config.BetaBindPort),
+			tcpPort(req.PortHTTPS),
+			tcpPort(req.PortDNSOverTLS),
+			tcpPort(req.PortDNSCrypt),
+			udpPort(config.DNS.Port),
+			udpPort(req.PortDNSOverQUIC),
+		)
+		if err != nil {
+			aghhttp.Error(r, w, http.StatusBadRequest, "%s", err)
+
+			return
+		}
+	}
+
+	if !webCheckPortAvailable(req.PortHTTPS) {
+		aghhttp.Error(
+			r,
+			w,
+			http.StatusBadRequest,
+			"port %d is not available, cannot enable HTTPS on it",
+			req.PortHTTPS,
+		)
+
+		return
+	}
+
+	resp := &tlsConfigResp{
+		tlsConfigStatus:  &tlsConfigStatus{},
+		tlsConfiguration: &req.tlsConfiguration,
+	}
+
+	// Skip the error check, since we are only interested in the value of
+	// resl.tlsConfigStatus.WarningValidation.
+	_ = loadTLSConf(resp.tlsConfiguration, resp.tlsConfigStatus)
+
+	marshalTLS(w, r, resp)
+}
+
+// validatePorts validates the uniqueness of TCP and UDP ports for AdGuard Home
+// DNS protocols.
+func validatePorts(
+	bindPort, betaBindPort, dohPort, dotPort, dnscryptTCPPort tcpPort,
+	dnsPort, doqPort udpPort,
+) (err error) {
+	tcpPorts := aghalg.UniqChecker[tcpPort]{}
+	addPorts(
+		tcpPorts,
+		tcpPort(bindPort),
+		tcpPort(betaBindPort),
+		tcpPort(dohPort),
+		tcpPort(dotPort),
+		tcpPort(dnscryptTCPPort),
+	)
+
+	err = tcpPorts.Validate()
+	if err != nil {
+		return fmt.Errorf("validating tcp ports: %w", err)
+	}
+
+	udpPorts := aghalg.UniqChecker[udpPort]{}
+	addPorts(udpPorts, udpPort(dnsPort), udpPort(doqPort))
+
+	err = udpPorts.Validate()
+	if err != nil {
+		return fmt.Errorf("validating udp ports: %w", err)
+	}
+
+	return nil
+}
+
+// handleTLSConfigure is the handler for the POST /control/tls/configure HTTP
+// API.
+func (m *tlsManager) handleTLSConfigure(w http.ResponseWriter, r *http.Request) {
+	req, err := unmarshalTLS(r)
+	if err != nil {
+		aghhttp.Error(r, w, http.StatusBadRequest, "Failed to unmarshal TLS config: %s", err)
+
+		return
+	}
+
+	if req.PrivateKeySaved {
+		req.PrivateKey = m.confForEncoding().PrivateKey
+	}
+
+	if req.Enabled {
+		err = validatePorts(
+			tcpPort(config.BindPort),
+			tcpPort(config.BetaBindPort),
+			tcpPort(req.PortHTTPS),
+			tcpPort(req.PortDNSOverTLS),
+			tcpPort(req.PortDNSCrypt),
+			udpPort(config.DNS.Port),
+			udpPort(req.PortDNSOverQUIC),
+		)
+		if err != nil {
+			aghhttp.Error(r, w, http.StatusBadRequest, "%s", err)
+
+			return
+		}
+	}
+
+	// TODO(e.burkov):  Investigate and perhaps check other ports.
+	if !webCheckPortAvailable(req.PortHTTPS) {
+		aghhttp.Error(
+			r,
+			w,
+			http.StatusBadRequest,
+			"port %d is not available, cannot enable https on it",
+			req.PortHTTPS,
+		)
+
+		return
+	}
+
+	resp := &tlsConfigResp{
+		tlsConfigStatus:  &tlsConfigStatus{},
+		tlsConfiguration: &req.tlsConfiguration,
+	}
+	err = loadTLSConf(resp.tlsConfiguration, resp.tlsConfigStatus)
+	if err != nil {
+		marshalTLS(w, r, resp)
+
+		return
+	}
+
+	restartRequired := m.setConf(resp)
+	onConfigModified()
+
+	err = reconfigureDNSServer()
+	if err != nil {
+		aghhttp.Error(r, w, http.StatusInternalServerError, "%s", err)
+
+		return
+	}
+
+	resp.tlsConfiguration = m.confForEncoding()
+	marshalTLS(w, r, resp)
+	if f, ok := w.(http.Flusher); ok {
+		f.Flush()
+	}
+
+	// The background context is used because the TLSConfigChanged wraps context
+	// with timeout on its own and shuts down the server, which handles current
+	// request. It is also should be done in a separate goroutine due to the
+	// same reason.
+	if restartRequired {
+		go func() {
+			Context.web.TLSConfigChanged(context.Background(), resp.tlsConfiguration)
+		}()
+	}
+}
+
+// setConf sets the necessary values from the new configuration.
+func (m *tlsManager) setConf(newConf *tlsConfigResp) (restartRequired bool) {
+	m.mu.Lock()
+	defer m.mu.Unlock()
+
+	// Reset the DNSCrypt data before comparing, since we currently do not
+	// accept these from the frontend.
+	//
+	// TODO(a.garipov): Define a custom comparer for dnsforward.TLSConfig.
+	newConf.DNSCryptConfigFile = m.conf.DNSCryptConfigFile
+	newConf.PortDNSCrypt = m.conf.PortDNSCrypt
+	if !cmp.Equal(m.conf, newConf, cmp.AllowUnexported(dnsforward.TLSConfig{})) {
+		log.Info("tls: config has changed, restarting https server")
+		restartRequired = true
+	} else {
+		log.Info("tls: config has not changed")
+	}
+
+	// Do not just write "m.conf = *newConf.tlsConfiguration", because all other
+	// members of m.conf must be preserved.
+	m.conf.Enabled = newConf.Enabled
+	m.conf.ServerName = newConf.ServerName
+	m.conf.ForceHTTPS = newConf.ForceHTTPS
+	m.conf.PortHTTPS = newConf.PortHTTPS
+	m.conf.PortDNSOverTLS = newConf.PortDNSOverTLS
+	m.conf.PortDNSOverQUIC = newConf.PortDNSOverQUIC
+
+	m.conf.CertificateChain = newConf.CertificateChain
+	m.conf.CertificatePath = newConf.CertificatePath
+	m.conf.CertificateChainData = newConf.CertificateChainData
+	m.conf.PrivateKey = newConf.PrivateKey
+	m.conf.PrivateKeyPath = newConf.PrivateKeyPath
+	m.conf.PrivateKeyData = newConf.PrivateKeyData
+
+	m.setCertFileTime()
+
+	m.status = newConf.tlsConfigStatus
+
+	return restartRequired
+}
+
+// marshalTLS handles Base64-encoded certificates transparently.
+func marshalTLS(w http.ResponseWriter, r *http.Request, conf *tlsConfigResp) {
+	if conf.CertificateChain != "" {
+		encoded := base64.StdEncoding.EncodeToString([]byte(conf.CertificateChain))
+		conf.CertificateChain = encoded
+	}
+
+	if conf.PrivateKey != "" {
+		conf.PrivateKeySaved = true
+		conf.PrivateKey = ""
+	}
+
+	_ = aghhttp.WriteJSONResponse(w, r, conf)
+}
+
+// unmarshalTLS handles Base64-encoded certificates transparently.
+func unmarshalTLS(r *http.Request) (req *tlsConfigReq, err error) {
+	req = &tlsConfigReq{}
+	err = json.NewDecoder(r.Body).Decode(req)
+	if err != nil {
+		return nil, fmt.Errorf("parsing tls config: %w", err)
+	}
+
+	if req.CertificateChain != "" {
+		var cert []byte
+		cert, err = base64.StdEncoding.DecodeString(req.CertificateChain)
+		if err != nil {
+			return nil, fmt.Errorf("failed to base64-decode certificate chain: %w", err)
+		}
+
+		req.CertificateChain = string(cert)
+		if req.CertificatePath != "" {
+			return nil, fmt.Errorf("certificate data and file can't be set together")
+		}
+	}
+
+	if req.PrivateKey != "" {
+		var key []byte
+		key, err = base64.StdEncoding.DecodeString(req.PrivateKey)
+		if err != nil {
+			return nil, fmt.Errorf("failed to base64-decode private key: %w", err)
+		}
+
+		req.PrivateKey = string(key)
+		if req.PrivateKeyPath != "" {
+			return nil, fmt.Errorf("private key data and file can't be set together")
+		}
+	}
+
+	return req, nil
+}
+
+// registerWebHandlers registers HTTP handlers for TLS configuration.
+func (m *tlsManager) registerWebHandlers() {
+	httpRegister(http.MethodGet, "/control/tls/status", m.handleTLSStatus)
+	httpRegister(http.MethodPost, "/control/tls/configure", m.handleTLSConfigure)
+	httpRegister(http.MethodPost, "/control/tls/validate", m.handleTLSValidate)
+}

internal/home/web.go

@@ -143,7 +143,7 @@ func webCheckPortAvailable(port int) (ok bool) {
 
 // TLSConfigChanged updates the TLS configuration and restarts the HTTPS server
 // if necessary.
-func (web *Web) TLSConfigChanged(ctx context.Context, tlsConf tlsConfigSettings) {
+func (web *Web) TLSConfigChanged(ctx context.Context, tlsConf *tlsConfiguration) {
 	log.Debug("web: applying new tls configuration")
 	web.conf.PortHTTPS = tlsConf.PortHTTPS
 	web.forceHTTPS = (tlsConf.ForceHTTPS && tlsConf.Enabled && tlsConf.PortHTTPS != 0)