Unofficially support DoH/ODoH over HTTP
This commit is contained in:
Frank Denis
parent
87571d4a7f
commit
8bea679e7b
|
|
@ -854,10 +854,17 @@ func _fetchODoHTargetInfo(proxy *Proxy, name string, stamp stamps.ServerStamp, i
|
|||
if msg.Rcode != dns.RcodeNameError {
|
||||
dlog.Criticalf("[%s] may be a lying resolver", name)
|
||||
}
|
||||
|
||||
protocol := tls.NegotiatedProtocol
|
||||
if len(protocol) == 0 {
|
||||
protocol = "http/1.x"
|
||||
protocol := "http"
|
||||
tlsVersion := uint16(0)
|
||||
tlsCipherSuite := uint16(0)
|
||||
if tls != nil {
|
||||
protocol = tls.NegotiatedProtocol
|
||||
if len(protocol) == 0 {
|
||||
protocol = "http/1.x"
|
||||
} else {
|
||||
tlsVersion = tls.Version
|
||||
tlsCipherSuite = tls.CipherSuite
|
||||
}
|
||||
}
|
||||
if strings.HasPrefix(protocol, "http/1.") {
|
||||
dlog.Warnf("[%s] does not support HTTP/2", name)
|
||||
|
|
@ -865,37 +872,39 @@ func _fetchODoHTargetInfo(proxy *Proxy, name string, stamp stamps.ServerStamp, i
|
|||
dlog.Infof(
|
||||
"[%s] TLS version: %x - Protocol: %v - Cipher suite: %v",
|
||||
name,
|
||||
tls.Version,
|
||||
tlsVersion,
|
||||
protocol,
|
||||
tls.CipherSuite,
|
||||
tlsCipherSuite,
|
||||
)
|
||||
showCerts := proxy.showCerts
|
||||
found := false
|
||||
var wantedHash [32]byte
|
||||
for _, cert := range tls.PeerCertificates {
|
||||
h := sha256.Sum256(cert.RawTBSCertificate)
|
||||
if showCerts {
|
||||
dlog.Noticef("Advertised relay cert: [%s] [%x]", cert.Subject, h)
|
||||
} else {
|
||||
dlog.Debugf("Advertised relay cert: [%s] [%x]", cert.Subject, h)
|
||||
}
|
||||
for _, hash := range stamp.Hashes {
|
||||
if len(hash) == len(wantedHash) {
|
||||
copy(wantedHash[:], hash)
|
||||
if h == wantedHash {
|
||||
found = true
|
||||
break
|
||||
if tls != nil {
|
||||
for _, cert := range tls.PeerCertificates {
|
||||
h := sha256.Sum256(cert.RawTBSCertificate)
|
||||
if showCerts {
|
||||
dlog.Noticef("Advertised relay cert: [%s] [%x]", cert.Subject, h)
|
||||
} else {
|
||||
dlog.Debugf("Advertised relay cert: [%s] [%x]", cert.Subject, h)
|
||||
}
|
||||
for _, hash := range stamp.Hashes {
|
||||
if len(hash) == len(wantedHash) {
|
||||
copy(wantedHash[:], hash)
|
||||
if h == wantedHash {
|
||||
found = true
|
||||
break
|
||||
}
|
||||
}
|
||||
}
|
||||
if found {
|
||||
break
|
||||
}
|
||||
}
|
||||
if found {
|
||||
break
|
||||
if !found && len(stamp.Hashes) > 0 {
|
||||
dlog.Criticalf("[%s] Certificate hash [%x] not found", name, wantedHash)
|
||||
return ServerInfo{}, fmt.Errorf("Certificate hash not found")
|
||||
}
|
||||
}
|
||||
if !found && len(stamp.Hashes) > 0 {
|
||||
dlog.Criticalf("[%s] Certificate hash [%x] not found", name, wantedHash)
|
||||
return ServerInfo{}, fmt.Errorf("Certificate hash not found")
|
||||
}
|
||||
if len(serverResponse) < MinDNSPacketSize || len(serverResponse) > MaxDNSPacketSize ||
|
||||
serverResponse[0] != 0xca || serverResponse[1] != 0xfe || serverResponse[4] != 0x00 || serverResponse[5] != 0x01 {
|
||||
dlog.Info("Webserver returned an unexpected response")
|
||||
|
|
|
|||
Loading…
Reference in New Issue