Implement -test to check certificates expiration
parent
ff0c612e79
commit
2158674d17
|
@ -136,6 +136,7 @@ func ConfigLoad(proxy *Proxy, svcFlag *string) error {
|
||||||
listAll := flag.Bool("list-all", false, "print the complete list of available resolvers, ignoring filters")
|
listAll := flag.Bool("list-all", false, "print the complete list of available resolvers, ignoring filters")
|
||||||
jsonOutput := flag.Bool("json", false, "output list as JSON")
|
jsonOutput := flag.Bool("json", false, "output list as JSON")
|
||||||
check := flag.Bool("check", false, "check the configuration file and exit")
|
check := flag.Bool("check", false, "check the configuration file and exit")
|
||||||
|
testGracePeriod := flag.Int("test", 0, "test that certificates of chosen servers are not going to expire before that number of minutes")
|
||||||
flag.Parse()
|
flag.Parse()
|
||||||
if *svcFlag == "stop" || *svcFlag == "uninstall" {
|
if *svcFlag == "stop" || *svcFlag == "uninstall" {
|
||||||
return nil
|
return nil
|
||||||
|
@ -268,6 +269,10 @@ func ConfigLoad(proxy *Proxy, svcFlag *string) error {
|
||||||
}
|
}
|
||||||
proxy.allWeeklyRanges = allWeeklyRanges
|
proxy.allWeeklyRanges = allWeeklyRanges
|
||||||
|
|
||||||
|
if testGracePeriod != nil && *testGracePeriod > 0 {
|
||||||
|
proxy.testGracePeriod = testGracePeriod
|
||||||
|
}
|
||||||
|
|
||||||
if *listAll {
|
if *listAll {
|
||||||
config.ServerNames = nil
|
config.ServerNames = nil
|
||||||
config.SourceRequireDNSSEC = false
|
config.SourceRequireDNSSEC = false
|
||||||
|
|
|
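Review bot: The `testGracePeriod != nil` guard in the new block is always true, because `flag.Int` never returns a nil pointer, and a negative `-test` value is silently treated as "not set" instead of being rejected, so a typo such as `-test -30` runs the proxy normally. The block also stores the flag package's own pointer in the Proxy; since every use only reads the value, copying it would decouple the two. I would write `if *testGracePeriod > 0 {` and reject negatives explicitly, e.g. `if *testGracePeriod < 0 { dlog.Fatalf("-test expects a non-negative number of minutes") }`. ConfigLoad continues outside the hunk.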
@ -95,6 +95,12 @@ func FetchCurrentDNSCryptCert(proxy *Proxy, serverName *string, proto string, pk
|
||||||
} else {
|
} else {
|
||||||
certInfo.ForwardSecurity = true
|
certInfo.ForwardSecurity = true
|
||||||
}
|
}
|
||||||
|
if proxy.testGracePeriod != nil {
|
||||||
|
if remaining := (tsEnd - now) / 60; uint32(*proxy.testGracePeriod) > remaining {
|
||||||
|
dlog.Fatalf("Certificate for [%v] is going to expire in %d minutes, before the grace period",
|
||||||
|
providerName, remaining)
|
||||||
|
}
|
||||||
|
}
|
||||||
if !proxy.certIgnoreTimestamp {
|
if !proxy.certIgnoreTimestamp {
|
||||||
if now > tsEnd || now < tsBegin {
|
if now > tsEnd || now < tsBegin {
|
||||||
dlog.Debugf("[%v] Certificate not valid at the current date", providerName)
|
dlog.Debugf("[%v] Certificate not valid at the current date", providerName)
|
||||||
|
|
|
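Review bot: If `tsEnd` and `now` are unsigned, which the `uint32(*proxy.testGracePeriod)` cast in the new comparison suggests, then `tsEnd - now` wraps to a huge value once the certificate has already expired, so the grace-period test passes for exactly the certificates it should reject; the `now > tsEnd` comparison two lines below runs only when `certIgnoreTimestamp` is off and logs at debug level. Guard the expired case before dividing, `if now > tsEnd { dlog.Fatalf("Certificate for [%v] has already expired", providerName) }`, or compute in signed arithmetic, `remaining := (int64(tsEnd) - int64(now)) / 60` with `int64(*proxy.testGracePeriod) > remaining`. The test also only looks at `tsEnd`; a certificate whose `tsBegin` is still in the future is not reported. FetchCurrentDNSCryptCert continues outside the hunk.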
@ -6,6 +6,7 @@ import (
|
||||||
"math/rand"
|
"math/rand"
|
||||||
"net"
|
"net"
|
||||||
"net/http"
|
"net/http"
|
||||||
|
"os"
|
||||||
"sync/atomic"
|
"sync/atomic"
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
|
@ -52,6 +53,7 @@ type Proxy struct {
|
||||||
maxClients uint32
|
maxClients uint32
|
||||||
xTransport *XTransport
|
xTransport *XTransport
|
||||||
allWeeklyRanges *map[string]WeeklyRanges
|
allWeeklyRanges *map[string]WeeklyRanges
|
||||||
|
testGracePeriod *int
|
||||||
}
|
}
|
||||||
|
|
||||||
func (proxy *Proxy) StartProxy() {
|
func (proxy *Proxy) StartProxy() {
|
||||||
|
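Review bot: The new `testGracePeriod` field has no comment, and its pointer type carries a meaning (nil means the check is disabled) that a reader cannot recover from the type alone; every use site in this commit relies on that convention. I would document it next to the field, `// testGracePeriod, when non-nil, makes StartProxy only verify that no selected server certificate expires within that many minutes, then exit (the -test flag).` A plain `int` with zero meaning disabled would make the nil checks at each use site unnecessary. The Proxy struct starts outside the hunk.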
@ -83,6 +85,14 @@ func (proxy *Proxy) StartProxy() {
|
||||||
dlog.Fatal(err)
|
dlog.Fatal(err)
|
||||||
}
|
}
|
||||||
liveServers, err := proxy.serversInfo.refresh(proxy)
|
liveServers, err := proxy.serversInfo.refresh(proxy)
|
||||||
|
if proxy.testGracePeriod != nil {
|
||||||
|
if liveServers > 0 {
|
||||||
|
dlog.Noticef("%d certificates successfully checked", liveServers)
|
||||||
|
os.Exit(0)
|
||||||
|
} else {
|
||||||
|
dlog.Fatal("Unable to check servers certificates")
|
||||||
|
}
|
||||||
|
}
|
||||||
if liveServers > 0 {
|
if liveServers > 0 {
|
||||||
dlog.Noticef("dnscrypt-proxy is ready - live servers: %d", liveServers)
|
dlog.Noticef("dnscrypt-proxy is ready - live servers: %d", liveServers)
|
||||||
SystemDNotify()
|
SystemDNotify()
|
||||||
|
|
|
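Review bot: The new block decides the exit status from `liveServers` before `err` returned by `refresh` is looked at, so when no server could be checked the process dies with a generic message and the underlying error is never shown. It also exits 0 as soon as one server is live, so servers that were dropped for reasons other than expiry (unreachable, hash mismatch, already expired) do not affect the result of `-test`, which may read as a clean verdict. Include the error, `dlog.Fatalf("Unable to check servers certificates: %v", err)`, and, if the number of configured servers is available here, report or fail on the non-live count as well; the `else` after `os.Exit(0)` can go since `os.Exit` does not return. StartProxy continues outside the hunk.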
@ -286,6 +286,7 @@ func (serversInfo *ServersInfo) fetchDoHServerInfo(proxy *Proxy, name string, st
|
||||||
showCerts := len(os.Getenv("SHOW_CERTS")) > 0
|
showCerts := len(os.Getenv("SHOW_CERTS")) > 0
|
||||||
found := false
|
found := false
|
||||||
var wantedHash [32]byte
|
var wantedHash [32]byte
|
||||||
|
now := time.Now()
|
||||||
for _, cert := range tls.PeerCertificates {
|
for _, cert := range tls.PeerCertificates {
|
||||||
h := sha256.Sum256(cert.RawTBSCertificate)
|
h := sha256.Sum256(cert.RawTBSCertificate)
|
||||||
if showCerts {
|
if showCerts {
|
||||||
|
@ -293,6 +294,11 @@ func (serversInfo *ServersInfo) fetchDoHServerInfo(proxy *Proxy, name string, st
|
||||||
} else {
|
} else {
|
||||||
dlog.Debugf("Advertised cert: [%s] [%x]", cert.Subject, h)
|
dlog.Debugf("Advertised cert: [%s] [%x]", cert.Subject, h)
|
||||||
}
|
}
|
||||||
|
if proxy.testGracePeriod != nil {
|
||||||
|
if remaining := int(cert.NotAfter.Sub(now).Minutes()); *proxy.testGracePeriod > remaining {
|
||||||
|
dlog.Fatalf("Certificate [%s] for [%s] is going to expire before the grace period, in %d minutes", cert.Subject, name, remaining)
|
||||||
|
}
|
||||||
|
}
|
||||||
for _, hash := range stamp.hashes {
|
for _, hash := range stamp.hashes {
|
||||||
if len(hash) == len(wantedHash) {
|
if len(hash) == len(wantedHash) {
|
||||||
copy(wantedHash[:], hash)
|
copy(wantedHash[:], hash)
|
||||||
|
|
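Review bot: The grace check in the new block runs for every certificate in `tls.PeerCertificates`, not only the one matched against `stamp.hashes` below, and it tests only `NotAfter`: a chain certificate whose `NotBefore` lies in the future passes and is not reported. Checking the whole chain is reasonable, since an expiring intermediate breaks validation just as well, but that intent deserves a comment, `// every certificate of the presented chain must outlive the grace period`. For symmetry with the expiry test add `if now.Before(cert.NotBefore) { dlog.Fatalf("Certificate [%s] for [%s] is not valid yet", cert.Subject, name) }`. The fatal exit on the first failing certificate means only one problem per run is reported; the same applies to the DNSCrypt check in FetchCurrentDNSCryptCert. fetchDoHServerInfo continues outside the hunk.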