From 7f5d67881b6c6b4a2351fb4b5fe4fdc710de626d Mon Sep 17 00:00:00 2001
From: Frank Denis
Date: Mon, 5 Feb 2018 13:24:17 +0100
Subject: [PATCH] Add a super secret way to print cert hashes

Not so secret. The purpose is to avoid log pollution, while still allowing people setting up DoH servers to quickly view the certificate chain.
---
 dnscrypt-proxy/serversInfo.go | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/dnscrypt-proxy/serversInfo.go b/dnscrypt-proxy/serversInfo.go
index 93d5cb54..7ffab692 100644
--- a/dnscrypt-proxy/serversInfo.go
+++ b/dnscrypt-proxy/serversInfo.go
@@ -10,6 +10,7 @@ import (
 "math/rand"
 "net"
 "net/url"
+ "os"
 "strings"
 "sync"
 "time"
@@ -260,11 +261,16 @@ func (serversInfo *ServersInfo) fetchDoHServerInfo(proxy *Proxy, name string, st
 if tls == nil || !tls.HandshakeComplete {
 return ServerInfo{}, errors.New("TLS handshake failed")
 }
+ showCerts := len(os.Getenv("SHOW_CERTS")) > 0
 found := false
 var wantedHash [32]byte
 for _, cert := range tls.PeerCertificates {
 h := sha256.Sum256(cert.RawTBSCertificate)
- dlog.Debugf("Advertised cert: [%s] [%x]", cert.Subject, h)
+ if showCerts {
+ dlog.Infof("Advertised cert: [%s] [%x]", cert.Subject, h)
+ } else {
+ dlog.Debugf("Advertised cert: [%s] [%x]", cert.Subject, h)
+ }
 for _, hash := range stamp.hashes {
 if len(hash) == len(wantedHash) {
 copy(wantedHash[:], hash)
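Review bot: In the second hunk, `SHOW_CERTS` is tested with `len(os.Getenv("SHOW_CERTS")) > 0`, so any non-empty value, including `SHOW_CERTS=0` or `false`, raises the certificate lines to Info, and nothing in the code documents that the switch exists. A comment above the assignment would cover both, e.g. `// SHOW_CERTS (any non-empty value): log each peer certificate's subject and the SHA-256 of its TBSCertificate at Info instead of Debug.` The subject text comes from the remote server's certificate and is printed with `%s` before the hash comparison further down has run; formatting it as `[%q]` would keep control characters out of the log, assuming the subject's string form is not already escaped. The body of fetchDoHServerInfo starts and ends outside the hunk.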