diff --git a/ReadMe.md b/ReadMe.md
index 8cd0972..164179b 100644
--- a/ReadMe.md
+++ b/ReadMe.md
@@ -519,8 +519,8 @@ https://github.com/pymumu/smartdns/releases
|conf-file|附加配置文件|无|文件路径|conf-file /etc/smartdns/smartdns.more.conf
|server|上游UDP DNS|无|可重复
`[ip][:port]`:服务器IP,端口可选。
`[-blacklist-ip]`:blacklist-ip参数指定使用blacklist-ip配置IP过滤结果。
`[-whitelist-ip]`:whitelist-ip参数指定仅接受whitelist-ip中配置IP范围。
`[-group [group] ...]`:DNS服务器所属组,比如office, foreign,和nameserver配套使用。
`[-exclude-default-group]`:将DNS服务器从默认组中排除| server 8.8.8.8:53 -blacklist-ip -group g1
|server-tcp|上游TCP DNS|无|可重复
`[ip][:port]`:服务器IP,端口可选。
`[-blacklist-ip]`:blacklist-ip参数指定使用blacklist-ip配置IP过滤结果。
`[-whitelist-ip]`:whitelist-ip参数指定仅接受whitelist-ip中配置IP范围。
`[-group [group] ...]`:DNS服务器所属组,比如office, foreign,和nameserver配套使用。
`[-exclude-default-group]`:将DNS服务器从默认组中排除| server-tcp 8.8.8.8:53
-|server-tls|上游TLS DNS|无|可重复
`[ip][:port]`:服务器IP,端口可选。
`[-spki-pin [sha256-pin]]`: TLS合法性校验SPKI值,base64编码的sha256 SPKI pin值
`[-host-name]`:TLS SNI名称。
`[-tls-host-verify]`: TLS证书主机名校验。
`[-blacklist-ip]`:blacklist-ip参数指定使用blacklist-ip配置IP过滤结果。
`[-whitelist-ip]`:whitelist-ip参数指定仅接受whitelist-ip中配置IP范围。
`[-group [group] ...]`:DNS服务器所属组,比如office, foreign,和nameserver配套使用。
`[-exclude-default-group]`:将DNS服务器从默认组中排除| server-tls 8.8.8.8:853
-|server-https|上游HTTPS DNS|无|可重复
`https://[host][:port]/path`:服务器IP,端口可选。
`[-spki-pin [sha256-pin]]`: TLS合法性校验SPKI值,base64编码的sha256 SPKI pin值
`[-host-name]`:TLS SNI名称
`[-http-host]`:http协议头主机名。
`[-tls-host-verify]`: TLS证书主机名校验。
`[-blacklist-ip]`:blacklist-ip参数指定使用blacklist-ip配置IP过滤结果。
`[-whitelist-ip]`:whitelist-ip参数指定仅接受whitelist-ip中配置IP范围。
`[-group [group] ...]`:DNS服务器所属组,比如office, foreign,和nameserver配套使用。
`[-exclude-default-group]`:将DNS服务器从默认组中排除| server-https https://cloudflare-dns.com/dns-query
+|server-tls|上游TLS DNS|无|可重复
`[ip][:port]`:服务器IP,端口可选。
`[-spki-pin [sha256-pin]]`: TLS合法性校验SPKI值,base64编码的sha256 SPKI pin值
`[-host-name]`:TLS SNI名称。
`[-tls-host-verify]`: TLS证书主机名校验。
`-no-check-certificate:`:跳过证书校验。
`[-blacklist-ip]`:blacklist-ip参数指定使用blacklist-ip配置IP过滤结果。
`[-whitelist-ip]`:whitelist-ip参数指定仅接受whitelist-ip中配置IP范围。
`[-group [group] ...]`:DNS服务器所属组,比如office, foreign,和nameserver配套使用。
`[-exclude-default-group]`:将DNS服务器从默认组中排除| server-tls 8.8.8.8:853
+|server-https|上游HTTPS DNS|无|可重复
`https://[host][:port]/path`:服务器IP,端口可选。
`[-spki-pin [sha256-pin]]`: TLS合法性校验SPKI值,base64编码的sha256 SPKI pin值
`[-host-name]`:TLS SNI名称
`[-http-host]`:http协议头主机名。
`[-tls-host-verify]`: TLS证书主机名校验。
`-no-check-certificate:`:跳过证书校验。
`[-blacklist-ip]`:blacklist-ip参数指定使用blacklist-ip配置IP过滤结果。
`[-whitelist-ip]`:whitelist-ip参数指定仅接受whitelist-ip中配置IP范围。
`[-group [group] ...]`:DNS服务器所属组,比如office, foreign,和nameserver配套使用。
`[-exclude-default-group]`:将DNS服务器从默认组中排除| server-https https://cloudflare-dns.com/dns-query
|speed-check-mode|测速模式选择|无|[ping\|tcp:[80]\|none]|speed-check-mode ping,tcp:80
|address|指定域名IP地址|无|address /domain/[ip\|-\|-4\|-6\|#\|#4\|#6]
`-`表示忽略
`#`表示返回SOA
`4`表示IPV4
`6`表示IPV6| address /www.example.com/1.2.3.4
|nameserver|指定域名使用server组解析|无|nameserver /domain/[group\|-], `group`为组名,`-`表示忽略此规则,配套server中的`-group`参数使用| nameserver /www.example.com/office
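Review bot: the new `-no-check-certificate:` entries in the server-tls and server-https rows carry a stray colon inside the backticks and lack the square brackets the neighbouring optional flags use; write them as `[-no-check-certificate]`:跳过证书校验 to match `[-tls-host-verify]`. The description should also say what is skipped: the upstream certificate chain is no longer validated against ca-file/ca-path, while `-tls-host-verify` and `-spki-pin` still apply, so the reader knows those become the only binding to the intended server.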
@@ -537,6 +537,8 @@ https://github.com/pymumu/smartdns/releases
|serve-expired-ttl|过期缓存服务最长超时时间|0|秒,0:表示停用超时,> 0表示指定的超时的秒数|serve-expired-ttl 0
|dualstack-ip-selection|双栈IP优选|no|[yes\|no]|dualstack-ip-selection yes
|dualstack-ip-selection-threshold|双栈IP优选阈值|30ms|毫秒|dualstack-ip-selection-threshold [0-1000]
+|ca-file|证书文件|/etc/ssl/certs/ca-certificates.crt|路径|ca-file /etc/ssl/certs/ca-certificates.crt
+|ca-path|证书文件路径|/etc/ssl/certs|路径|ca-path /etc/ssl/certs
## FAQ
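Review bot: the default column for ca-file and ca-path (/etc/ssl/certs/ca-certificates.crt and /etc/ssl/certs) does not describe what `_dns_client_set_trusted_cert` in src/dns_client.c actually does, which is to try the OpenSSL default verify paths first and only then use these two hard-coded values; on a system where neither exists the warning fires and verification is turned off. Either document the default as "OpenSSL default verify paths" or make the code use exactly the documented value, and say in the description that these are the CA certificates used to verify server-tls/server-https upstreams.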
diff --git a/ReadMe_en.md b/ReadMe_en.md
index 9d97682..bc812cc 100755
--- a/ReadMe_en.md
+++ b/ReadMe_en.md
@@ -513,8 +513,8 @@ Note: Merlin firmware is derived from ASUS firmware and can theoretically be use
|conf-file|additional conf file|None|File path|conf-file /etc/smartdns/smartdns.more.conf
|server|Upstream UDP DNS server|None|Repeatable
`[ip][:port]`: Server IP, port optional.
`[-blacklist-ip]`: The "-blacklist-ip" parameter is to filtering IPs which is configured by "blacklist-ip".
`[-whitelist-ip]`: whitelist-ip parameter specifies that only the IP range configured in whitelist-ip is accepted.
`[-group [group] ...]`: The group to which the DNS server belongs, such as office, foreign, use with nameserver.
`[-exclude-default-group]`: Exclude DNS servers from the default group| server 8.8.8.8:53 -blacklist-ip
|server-tcp|Upstream TCP DNS server|None|Repeatable
`[ip][:port]`: Server IP, port optional.
`[-blacklist-ip]`: The "-blacklist-ip" parameter is to filtering IPs which is configured by "blacklist-ip".
`[-whitelist-ip]`: whitelist-ip parameter specifies that only the IP range configured in whitelist-ip is accepted.
`[-group [group] ...]`: The group to which the DNS server belongs, such as office, foreign, use with nameserver.
`[-exclude-default-group]`: Exclude DNS servers from the default group| server-tcp 8.8.8.8:53
-|server-tls|Upstream TLS DNS server|None|Repeatable
`[ip][:port]`: Server IP, port optional.
`[-spki-pin [sha256-pin]]`: TLS verify SPKI value, a base64 encoded SHA256 hash
`[-host-name]`:TLS Server name.
`[-tls-host-verify]`: TLS cert hostname to verify.
`[-blacklist-ip]`: The "-blacklist-ip" parameter is to filtering IPs which is configured by "blacklist-ip".
`[-whitelist-ip]`: whitelist-ip parameter specifies that only the IP range configured in whitelist-ip is accepted.
`[-group [group] ...]`: The group to which the DNS server belongs, such as office, foreign, use with nameserver.
`[-exclude-default-group]`: Exclude DNS servers from the default group| server-tls 8.8.8.8:853
-|server-https|Upstream HTTPS DNS server|None|Repeatable
`https://[host][:port]/path`: Server IP, port optional.
`[-spki-pin [sha256-pin]]`: TLS verify SPKI value, a base64 encoded SHA256 hash
`[-host-name]`:TLS Server name
`[-http-host]`:http header host.
`[-tls-host-verify]`: TLS cert hostname to verify.
`[-blacklist-ip]`: The "-blacklist-ip" parameter is to filtering IPs which is configured by "blacklist-ip".
`[-whitelist-ip]`: whitelist-ip parameter specifies that only the IP range configured in whitelist-ip is accepted.
`[-group [group] ...]`: The group to which the DNS server belongs, such as office, foreign, use with nameserver.
`[-exclude-default-group]`: Exclude DNS servers from the default group| server-https https://cloudflare-dns.com/dns-query
+|server-tls|Upstream TLS DNS server|None|Repeatable
`[ip][:port]`: Server IP, port optional.
`[-spki-pin [sha256-pin]]`: TLS verify SPKI value, a base64 encoded SHA256 hash
`[-host-name]`:TLS Server name.
`[-tls-host-verify]`: TLS cert hostname to verify.
`-no-check-certificate:`: No check certificate.
`[-blacklist-ip]`: The "-blacklist-ip" parameter is to filtering IPs which is configured by "blacklist-ip".
`[-whitelist-ip]`: whitelist-ip parameter specifies that only the IP range configured in whitelist-ip is accepted.
`[-group [group] ...]`: The group to which the DNS server belongs, such as office, foreign, use with nameserver.
`[-exclude-default-group]`: Exclude DNS servers from the default group| server-tls 8.8.8.8:853
+|server-https|Upstream HTTPS DNS server|None|Repeatable
`https://[host][:port]/path`: Server IP, port optional.
`[-spki-pin [sha256-pin]]`: TLS verify SPKI value, a base64 encoded SHA256 hash
`[-host-name]`:TLS Server name
`[-http-host]`:http header host.
`[-tls-host-verify]`: TLS cert hostname to verify.
`-no-check-certificate:`: No check certificate.
`[-blacklist-ip]`: The "-blacklist-ip" parameter is to filtering IPs which is configured by "blacklist-ip".
`[-whitelist-ip]`: whitelist-ip parameter specifies that only the IP range configured in whitelist-ip is accepted.
`[-group [group] ...]`: The group to which the DNS server belongs, such as office, foreign, use with nameserver.
`[-exclude-default-group]`: Exclude DNS servers from the default group| server-https https://cloudflare-dns.com/dns-query
|speed-check-mode|Speed mode|None|[ping\|tcp:[80]\|none]|speed-check-mode ping,tcp:443
|address|Domain IP address|None|address /domain/[ip\|-\|-4\|-6\|#\|#4\|#6], `-` for ignore, `#` for return SOA, `4` for IPV4, `6` for IPV6| address /www.example.com/1.2.3.4
|nameserver|To query domain with specific server group|None|nameserver /domain/[group\|-], `group` is the group name, `-` means ignore this rule, use the `-group` parameter in the related server|nameserver /www.example.com/office
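Review bot: `-no-check-certificate:` has the colon inside the backticks and is missing the `[...]` optional marker used by the neighbouring flags, and "No check certificate." is not a description. Suggest `[-no-check-certificate]`: Do not verify the upstream server certificate chain against ca-file/ca-path (-tls-host-verify and -spki-pin still apply). While touching these rows, "parameter is to filtering IPs which is configured by" could read "filters results using the IPs configured by".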
@@ -531,6 +531,8 @@ Note: Merlin firmware is derived from ASUS firmware and can theoretically be use
|serve-expired-ttl|Cache serve expired limite TTL|0|second,0:disable,> 0 seconds after expiration|serve-expired-ttl 0
|dualstack-ip-selection|Dualstack ip selection|no|[yes\|no]|dualstack-ip-selection yes
|dualstack-ip-selection-threshold|Dualstack ip select threadhold|30ms|millisecond|dualstack-ip-selection-threshold [0-1000]
+|ca-file|certificate file|/etc/ssl/certs/ca-certificates.crt|path|ca-file /etc/ssl/certs/ca-certificates.crt
+|ca-path|certificates path|/etc/ssl/certs|path|ca-path /etc/ssl/certs
## FAQ
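Review bot: "certificate file" and "certificates path" should say what they are for, e.g. "CA certificate bundle used to verify server-tls/server-https upstreams" and "directory of CA certificates (OpenSSL hashed layout)". As in the Chinese table, the default column should match what `_dns_client_set_trusted_cert` really does (OpenSSL default paths first, these values as fallback) rather than only the fallback.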
diff --git a/etc/smartdns/smartdns.conf b/etc/smartdns/smartdns.conf
index ded7f86..c5af23f 100644
--- a/etc/smartdns/smartdns.conf
+++ b/etc/smartdns/smartdns.conf
@@ -112,6 +112,14 @@ log-level info
# audit-size 128k
# audit-num 2
+# certificate file
+# ca-file [file]
+# ca-file /etc/ssl/certs/ca-certificates.crt
+
+# certificate path
+# ca-path [path]
+# ca-path /etc/ss/certs
+
# remote udp dns server list
# server [IP]:[PORT] [-blacklist-ip] [-whitelist-ip] [-check-edns] [-group [group] ...] [-exclude-default-group]
# default port is 53
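Review bot: typo in the new example `# ca-path /etc/ss/certs`: it should be `/etc/ssl/certs`, which is the value both READMEs and the fallback in dns_client.c use, and a user who uncomments the line as-is will get the "load certificate ... failed" warning. The `# certificate file` / `# certificate path` comments could also state that these are the CA bundle and CA directory used to verify the server-tls/server-https upstreams listed below.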
@@ -130,8 +138,9 @@ log-level info
# remote tls dns server list
# server-tls [IP]:[PORT] [-blacklist-ip] [-whitelist-ip] [-spki-pin [sha256-pin]] [-group [group] ...] [-exclude-default-group]
# -spki-pin: TLS spki pin to verify.
-# -tls-host-check: cert hostname to verify.
+# -tls-host-verify: cert hostname to verify.
# -host-name: TLS sni hostname.
+# -no-check-certificate: no check certificate.
# Get SPKI with this command:
# echo | openssl s_client -connect '[ip]:853' | openssl x509 -pubkey -noout | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
# default port is 853
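Review bot: the synopsis line `# server-tls [IP]:[PORT] ... [-exclude-default-group]` is not updated to list `[-host-name host]`, `[-tls-host-verify host]` and the new `[-no-check-certificate]`, even though the per-option comments below describe them; please add them so the synopsis stays the single reference. "no check certificate" should also say what is skipped, e.g. "skip CA chain verification of the server certificate (ca-file/ca-path are not consulted for this server)".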
@@ -141,9 +150,10 @@ log-level info
# remote https dns server list
# server-https https://[host]:[port]/path [-blacklist-ip] [-whitelist-ip] [-spki-pin [sha256-pin]] [-group [group] ...] [-exclude-default-group]
# -spki-pin: TLS spki pin to verify.
-# -tls-host-check: cert hostname to verify.
+# -tls-host-verify: cert hostname to verify.
# -host-name: TLS sni hostname.
# -http-host: http host.
+# -no-check-certificate: no check certificate.
# default port is 443
# server-https https://cloudflare-dns.com/dns-query
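Review bot: same gap as in the server-tls block: the `# server-https https://[host]:[port]/path ...` synopsis omits `-host-name`, `-http-host`, `-tls-host-verify` and the new `-no-check-certificate`, and the one-line comment for the new flag should name what it disables (CA chain verification) rather than repeat the flag name.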
diff --git a/package/luci-compat/files/luci/model/cbi/smartdns/upstream.lua b/package/luci-compat/files/luci/model/cbi/smartdns/upstream.lua
index a542ca6..f54ae23 100644
--- a/package/luci-compat/files/luci/model/cbi/smartdns/upstream.lua
+++ b/package/luci-compat/files/luci/model/cbi/smartdns/upstream.lua
@@ -78,6 +78,16 @@ o.rempty = true
o:depends("type", "tls")
o:depends("type", "https")
+---- certificate verify
+o = s:option(Flag, "no_check_certificate", translate("No check certificate"), translate("Do not check certificate."))
+o.rmempty = false
+o.default = o.disabled
+o.cfgvalue = function(...)
+ return Flag.cfgvalue(...) or "0"
+end
+o.depends("type", "tls")
+o.depends("type", "https")
+
---- SNI host name
o = s:option(Value, "host_name", translate("TLS SNI name"), translate("Sets the server name indication for query."))
o.default = ""
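Review bot: the two new dependency lines use `o.depends("type", "tls")` and `o.depends("type", "https")` with a dot, while the context lines just above use the method-call form `o:depends(...)`; without the implicit self argument the call is made with "type" as the object and the dependency is not registered, so the flag is shown for udp/tcp servers too. Also note that `o.cfgvalue` returns "0" when unset and `o.rmempty = false`, so the option is always written to UCI as 0 or 1; the init script that consumes it must test for "1", not for non-empty.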
diff --git a/package/luci/files/luci/htdocs/luci-static/resources/view/smartdns/smartdns.js b/package/luci/files/luci/htdocs/luci-static/resources/view/smartdns/smartdns.js
index e9e6b52..59af2d6 100644
--- a/package/luci/files/luci/htdocs/luci-static/resources/view/smartdns/smartdns.js
+++ b/package/luci/files/luci/htdocs/luci-static/resources/view/smartdns/smartdns.js
@@ -390,6 +390,15 @@ return L.view.extend({
o.depends("type", "tls")
o.depends("type", "https")
+ // certificate verify
+ o = s.taboption("advanced", form.Flag, "no_check_certificate", _("No check certificate"),
+ _("Do not check certificate."))
+ o.rmempty = false
+ o.default = o.disabled
+ o.modalonly = true;
+ o.depends("type", "tls")
+ o.depends("type", "https")
+
// SNI host name
o = s.taboption("advanced", form.Value, "host_name", _("TLS SNI name"),
_("Sets the server name indication for query."))
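Review bot: style: `o.modalonly = true;` carries a trailing semicolon while the other new lines do not. The label/description pair "No check certificate" / "Do not check certificate." is also unclear in the UI; suggest "Skip certificate verification" / "Do not verify the upstream server certificate chain (TLS SNI name and SPKI pin still apply)", matching the wording used for the other options in this tab.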
diff --git a/package/openwrt/files/etc/init.d/smartdns b/package/openwrt/files/etc/init.d/smartdns
index f0d6698..d04a36a 100644
--- a/package/openwrt/files/etc/init.d/smartdns
+++ b/package/openwrt/files/etc/init.d/smartdns
@@ -156,6 +156,7 @@ load_server()
config_get type "$section" "type" "udp"
config_get ip "$section" "ip" ""
config_get tls_host_verify "$section" "tls_host_verify" ""
+ config_get no_check_certificate "$section" "no_check_certificate" ""
config_get host_name "$section" "host_name" ""
config_get http_host "$section" "http_host" ""
config_get server_group "$section" "server_group" ""
@@ -186,6 +187,7 @@ load_server()
fi
[ -z "$tls_host_verify" ] || ADDITIONAL_ARGS="$ADDITIONAL_ARGS -tls-host-verify $tls_host_verify"
+ [ -z "$no_check_certificate" ] || ADDITIONAL_ARGS="$ADDITIONAL_ARGS -no-check-certificate"
[ -z "$host_name" ] || ADDITIONAL_ARGS="$ADDITIONAL_ARGS -host-name $host_name"
[ -z "$http_host" ] || ADDITIONAL_ARGS="$ADDITIONAL_ARGS -http-host $http_host"
[ -z "$server_group" ] || ADDITIONAL_ARGS="$ADDITIONAL_ARGS -group $server_group"
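Review bot: logic problem on `[ -z "$no_check_certificate" ] || ADDITIONAL_ARGS="$ADDITIONAL_ARGS -no-check-certificate"`: the LuCI Flag is stored as "0" when disabled (the Lua cfgvalue defaults to "0" with rmempty = false, and the JS form sets rmempty = false as well), and "0" is a non-empty string, so every tls/https upstream configured through LuCI gets -no-check-certificate and certificate checking is always off. Use `[ "$no_check_certificate" != "1" ] || ADDITIONAL_ARGS="$ADDITIONAL_ARGS -no-check-certificate"`; the surrounding options use -z because they carry string values, this one is a boolean.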
diff --git a/src/dns_client.c b/src/dns_client.c
index 2955992..2a5f349 100644
--- a/src/dns_client.c
+++ b/src/dns_client.c
@@ -107,6 +107,7 @@ struct dns_server_info {
SSL *ssl;
SSL_CTX *ssl_ctx;
SSL_SESSION *ssl_session;
+ char skip_check_cert;
dns_server_status status;
struct dns_server_buff send_buff;
@@ -714,6 +715,39 @@ static char *_dns_client_server_get_spki(struct dns_server_info *server_info, in
return spki;
}
+static int _dns_client_set_trusted_cert(SSL_CTX *ssl_ctx)
+{
+ char *cafile = NULL;
+ char *capath = NULL;
+ int cert_path_set = 0;
+
+ if (dns_conf_ca_file[0]) {
+ cafile = dns_conf_ca_file;
+ }
+
+ if (dns_conf_ca_path[0]) {
+ capath = dns_conf_ca_path;
+ }
+
+ if (cafile == NULL && capath == NULL) {
+ if (SSL_CTX_set_default_verify_paths(ssl_ctx)) {
+ cafile = "/etc/ssl/certs/ca-certificates.crt";
+ capath = "/etc/ssl/certs";
+ } else {
+ cert_path_set = 1;
+ }
+ }
+
+ if (cert_path_set == 0) {
+ if (!SSL_CTX_load_verify_locations(ssl_ctx, cafile, capath)) {
+ tlog(TLOG_WARN, "load certificate from %s:%s failed.", cafile, capath);
+ return -1;
+ }
+ }
+
+ return 0;
+}
+
/* add dns server information */
static int _dns_client_server_add(char *server_ip, char *server_host, int port, dns_server_type_t server_type,
struct client_dns_server_flags *flags)
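Review bot: the branches in `_dns_client_set_trusted_cert` look inverted. `SSL_CTX_set_default_verify_paths()` returns 1 on success, yet the success branch then overrides cafile/capath with the hard-coded Debian paths and calls `SSL_CTX_load_verify_locations` with them, which fails on distributions that keep the bundle elsewhere (returning -1, which the caller turns into disabled verification), while the failure branch sets cert_path_set = 1 and returns 0 with no trust anchors loaded at all. Suggested shape: when neither ca-file nor ca-path is configured, call SSL_CTX_set_default_verify_paths and return -1 if it fails; otherwise call SSL_CTX_load_verify_locations(ssl_ctx, cafile, capath) with the configured values. Also, the tlog format passes cafile/capath with %s while either may be NULL; print "(none)" for the unset one.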
@@ -724,6 +758,7 @@ static int _dns_client_server_add(char *server_ip, char *server_host, int port,
int ttl = 0;
char port_s[8];
int sock_type;
+ char skip_check_cert = 0;
switch (server_type) {
case DNS_SERVER_UDP: {
@@ -748,11 +783,13 @@ static int _dns_client_server_add(char *server_ip, char *server_host, int port,
}
}
sock_type = SOCK_STREAM;
+ skip_check_cert = flag_https->skip_check_cert;
} break;
case DNS_SERVER_TLS: {
struct client_dns_server_flag_tls *flag_tls = &flags->tls;
spki_data_len = flag_tls->spi_len;
sock_type = SOCK_STREAM;
+ skip_check_cert = flag_tls->skip_check_cert;
} break;
case DNS_SERVER_TCP:
sock_type = SOCK_STREAM;
@@ -798,6 +835,7 @@ static int _dns_client_server_add(char *server_ip, char *server_host, int port,
server_info->status = DNS_SERVER_STATUS_INIT;
server_info->ttl = ttl;
server_info->ttl_range = 0;
+ server_info->skip_check_cert = skip_check_cert;
memcpy(&server_info->flags, flags, sizeof(server_info->flags));
/* exclude this server from default group */
@@ -815,6 +853,11 @@ static int _dns_client_server_add(char *server_ip, char *server_host, int port,
#else
server_info->ssl_ctx = SSL_CTX_new(SSLv23_client_method());
#endif
+ if (_dns_client_set_trusted_cert(server_info->ssl_ctx) != 0) {
+ tlog(TLOG_WARN, "disable check certificate for %s.", server_info->ip);
+ server_info->skip_check_cert = 1;
+ }
+
if (server_info->ssl_ctx == NULL) {
tlog(TLOG_ERROR, "init ssl failed.");
goto errout;
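Review bot: `_dns_client_set_trusted_cert(server_info->ssl_ctx)` is called before the `if (server_info->ssl_ctx == NULL)` check that follows it, so a failed SSL_CTX_new hands NULL to SSL_CTX_set_default_verify_paths; move the new block below the NULL check. More important, on failure the code sets `server_info->skip_check_cert = 1` and continues, so a missing or unreadable CA bundle silently turns off certificate verification for an upstream the operator never marked -no-check-certificate. This should fail closed (goto errout, or skip adding the server) and log at TLOG_ERROR, leaving the explicit flag as the only way to run without verification.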
@@ -2078,6 +2121,14 @@ static int _dns_client_tls_verify(struct dns_server_info *server_info)
return -1;
}
+ if (server_info->skip_check_cert == 0) {
+ long res = SSL_get_verify_result(server_info->ssl);
+ if (res != X509_V_OK) {
+ tlog(TLOG_WARN, "peer server certificate verify failed.");
+ goto errout;
+ }
+ }
+
cert_name = X509_get_subject_name(cert);
if (cert_name == NULL) {
tlog(TLOG_ERROR, "get subject name failed.");
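Review bot: checking `SSL_get_verify_result` here is the right place, but the warning should identify the server and the reason, e.g. `tlog(TLOG_WARN, "server %s certificate verify failed: %s", server_info->ip, X509_verify_cert_error_string(res));`, so an operator can tell an out-of-date CA bundle from a self-signed or wrong-host certificate when debugging. This check only has meaning if the context is left at SSL_VERIFY_NONE so the handshake completes and the recorded result can be read; if the code elsewhere sets SSL_VERIFY_PEER the handshake already fails before this point and the branch is redundant, so please confirm which mode the client uses.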
@@ -2094,7 +2145,7 @@ static int _dns_client_tls_verify(struct dns_server_info *server_info)
/* check tls host */
tls_host_verify = _dns_client_server_get_tls_host_verify(server_info);
if (tls_host_verify) {
- if (_dns_client_tls_matchName(peer_CN, tls_host_verify, strnlen(tls_host_verify, DNS_MAX_CNAME_LEN)) != 0) {
+ if (_dns_client_tls_matchName(tls_host_verify, peer_CN, strnlen(peer_CN, DNS_MAX_CNAME_LEN)) != 0) {
tlog(TLOG_INFO, "server %s CN is invalid, peer CN: %s, expect CN: %s", server_info->ip, peer_CN,
tls_host_verify);
goto errout;
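Review bot: the argument swap on the `_dns_client_tls_matchName(tls_host_verify, peer_CN, strnlen(peer_CN, ...))` call changes which string is treated as the pattern and which length is passed, but the commit gives no explanation and the function's signature is not in the diff, so the fix cannot be reviewed from here; add a comment at the call site stating the expected parameter order, or a test with a wildcard host name, so the change is checkable. Note also that only the subject CN from X509_get_subject_name is compared; certificates that carry the host only in subjectAltName will not match -tls-host-verify.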
diff --git a/src/dns_client.h b/src/dns_client.h
index 40e890c..c04a5d8 100644
--- a/src/dns_client.h
+++ b/src/dns_client.h
@@ -70,6 +70,7 @@ struct client_dns_server_flag_tls {
int spi_len;
char hostname[DNS_MAX_CNAME_LEN];
char tls_host_verify[DNS_MAX_CNAME_LEN];
+ char skip_check_cert;
};
struct client_dns_server_flag_https {
@@ -79,6 +80,7 @@ struct client_dns_server_flag_https {
char httphost[DNS_MAX_CNAME_LEN];
char path[DNS_MAX_CNAME_LEN];
char tls_host_verify[DNS_MAX_CNAME_LEN];
+ char skip_check_cert;
};
struct client_dns_server_flags {
diff --git a/src/dns_conf.c b/src/dns_conf.c
index 2deb868..6812753 100644
--- a/src/dns_conf.c
+++ b/src/dns_conf.c
@@ -68,6 +68,10 @@ char dns_conf_log_file[DNS_MAX_PATH];
size_t dns_conf_log_size = 1024 * 1024;
int dns_conf_log_num = 8;
+/* CA file */
+char dns_conf_ca_file[DNS_MAX_PATH];
+char dns_conf_ca_path[DNS_MAX_PATH];
+
/* auditing */
int dns_conf_audit_enable = 0;
int dns_conf_audit_log_SOA;
@@ -246,6 +250,7 @@ static int _config_server(int argc, char *argv[], dns_server_type_t type, int de
{"spki-pin", required_argument, NULL, 'p'}, /* check SPKI pin */
{"host-name", required_argument, NULL, 'h'}, /* host name */
{"http-host", required_argument, NULL, 'H'}, /* http host */
+ {"no-check-certificate", no_argument, NULL, 'N'}, /* do not check certificate */
{"tls-host-verify", required_argument, NULL, 'V' }, /* verify tls hostname */
{"group", required_argument, NULL, 'g'}, /* add to group */
{"exclude-default-group", no_argument, NULL, 'E'}, /* ecluse this from default group */
@@ -340,6 +345,10 @@ static int _config_server(int argc, char *argv[], dns_server_type_t type, int de
safe_strncpy(server->tls_host_verify, optarg, DNS_MAX_CNAME_LEN);
break;
}
+ case 'N': {
+ server->skip_check_cert = 1;
+ break;
+ }
default:
break;
}
@@ -1370,6 +1379,8 @@ static struct config_item _config_item[] = {
CONF_CUSTOM("ignore-ip", _conf_ip_ignore, NULL),
CONF_CUSTOM("edns-client-subnet", _conf_edns_client_subnet, NULL),
CONF_CUSTOM("domain-rules", _conf_domain_rules, NULL),
+ CONF_STRING("ca-file", (char *)&dns_conf_ca_file, DNS_MAX_PATH),
+ CONF_STRING("ca-path", (char *)&dns_conf_ca_path, DNS_MAX_PATH),
CONF_CUSTOM("conf-file", config_addtional_file, NULL),
CONF_END(),
};
diff --git a/src/dns_conf.h b/src/dns_conf.h
index 1166375..9658111 100644
--- a/src/dns_conf.h
+++ b/src/dns_conf.h
@@ -145,6 +145,7 @@ struct dns_servers {
unsigned int server_flag;
int ttl;
dns_server_type_t type;
+ char skip_check_cert;
char spki[DNS_MAX_SPKI_LEN];
char hostname[DNS_MAX_CNAME_LEN];
char httphost[DNS_MAX_CNAME_LEN];
@@ -211,6 +212,9 @@ extern char dns_conf_log_file[DNS_MAX_PATH];
extern size_t dns_conf_log_size;
extern int dns_conf_log_num;
+extern char dns_conf_ca_file[DNS_MAX_PATH];
+extern char dns_conf_ca_path[DNS_MAX_PATH];
+
extern struct dns_domain_check_order dns_conf_check_order;
extern struct dns_server_groups dns_conf_server_groups[DNS_NAX_GROUP_NUMBER];
diff --git a/src/fast_ping.c b/src/fast_ping.c
index 413c3c9..54352bc 100644
--- a/src/fast_ping.c
+++ b/src/fast_ping.c
@@ -1026,7 +1026,7 @@ struct ping_host_struct *fast_ping_start(PING_TYPE type, const char *host, int c
uint32_t addrkey;
char ip_str[PING_MAX_HOSTLEN];
int port = -1;
- FAST_PING_TYPE ping_type;
+ FAST_PING_TYPE ping_type = FAST_PING_END;
unsigned int seed;
int ret = 0;
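Review bot: initialising `ping_type = FAST_PING_END` is unrelated to the certificate work (it reads like a maybe-uninitialised warning fix); it belongs in its own commit or at least a line in the commit message, so that it is not lost in a change about TLS verification.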
diff --git a/src/smartdns.c b/src/smartdns.c
index 6132a37..52674d3 100644
--- a/src/smartdns.c
+++ b/src/smartdns.c
@@ -160,6 +160,7 @@ static int _smartdns_add_servers(void)
safe_strncpy(flag_http->httphost, dns_conf_servers[i].httphost, sizeof(flag_http->httphost));
safe_strncpy(flag_http->tls_host_verify, dns_conf_servers[i].tls_host_verify,
sizeof(flag_http->tls_host_verify));
+ flag_http->skip_check_cert = dns_conf_servers[i].skip_check_cert;
} break;
case DNS_SERVER_TLS: {
struct client_dns_server_flag_tls *flag_tls = &flags.tls;
@@ -167,6 +168,8 @@ static int _smartdns_add_servers(void)
safe_strncpy(flag_tls->hostname, dns_conf_servers[i].hostname, sizeof(flag_tls->hostname));
safe_strncpy(flag_tls->tls_host_verify, dns_conf_servers[i].tls_host_verify,
sizeof(flag_tls->tls_host_verify));
+ flag_tls->skip_check_cert = dns_conf_servers[i].skip_check_cert;
+
} break;
case DNS_SERVER_TCP:
break;
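Review bot: stray blank line added after `flag_tls->skip_check_cert = dns_conf_servers[i].skip_check_cert;` before `} break;`; the https case above does not have it, so drop it for consistency.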