Unofficially support DoH/ODoH over HTTP
This commit is contained in:
Frank Denis
parent
87571d4a7f
commit
8bea679e7b
|
|
@ -854,10 +854,17 @@ func _fetchODoHTargetInfo(proxy *Proxy, name string, stamp stamps.ServerStamp, i
|
||||||
if msg.Rcode != dns.RcodeNameError {
|
if msg.Rcode != dns.RcodeNameError {
|
||||||
dlog.Criticalf("[%s] may be a lying resolver", name)
|
dlog.Criticalf("[%s] may be a lying resolver", name)
|
||||||
}
|
}
|
||||||
|
protocol := "http"
|
||||||
protocol := tls.NegotiatedProtocol
|
tlsVersion := uint16(0)
|
||||||
if len(protocol) == 0 {
|
tlsCipherSuite := uint16(0)
|
||||||
protocol = "http/1.x"
|
if tls != nil {
|
||||||
|
protocol = tls.NegotiatedProtocol
|
||||||
|
if len(protocol) == 0 {
|
||||||
|
protocol = "http/1.x"
|
||||||
|
} else {
|
||||||
|
tlsVersion = tls.Version
|
||||||
|
tlsCipherSuite = tls.CipherSuite
|
||||||
|
}
|
||||||
}
|
}
|
||||||
if strings.HasPrefix(protocol, "http/1.") {
|
if strings.HasPrefix(protocol, "http/1.") {
|
||||||
dlog.Warnf("[%s] does not support HTTP/2", name)
|
dlog.Warnf("[%s] does not support HTTP/2", name)
|
||||||
|
|
@ -865,37 +872,39 @@ func _fetchODoHTargetInfo(proxy *Proxy, name string, stamp stamps.ServerStamp, i
|
||||||
dlog.Infof(
|
dlog.Infof(
|
||||||
"[%s] TLS version: %x - Protocol: %v - Cipher suite: %v",
|
"[%s] TLS version: %x - Protocol: %v - Cipher suite: %v",
|
||||||
name,
|
name,
|
||||||
tls.Version,
|
tlsVersion,
|
||||||
protocol,
|
protocol,
|
||||||
tls.CipherSuite,
|
tlsCipherSuite,
|
||||||
)
|
)
|
||||||
showCerts := proxy.showCerts
|
showCerts := proxy.showCerts
|
||||||
found := false
|
found := false
|
||||||
var wantedHash [32]byte
|
var wantedHash [32]byte
|
||||||
for _, cert := range tls.PeerCertificates {
|
if tls != nil {
|
||||||
h := sha256.Sum256(cert.RawTBSCertificate)
|
for _, cert := range tls.PeerCertificates {
|
||||||
if showCerts {
|
h := sha256.Sum256(cert.RawTBSCertificate)
|
||||||
dlog.Noticef("Advertised relay cert: [%s] [%x]", cert.Subject, h)
|
if showCerts {
|
||||||
} else {
|
dlog.Noticef("Advertised relay cert: [%s] [%x]", cert.Subject, h)
|
||||||
dlog.Debugf("Advertised relay cert: [%s] [%x]", cert.Subject, h)
|
} else {
|
||||||
}
|
dlog.Debugf("Advertised relay cert: [%s] [%x]", cert.Subject, h)
|
||||||
for _, hash := range stamp.Hashes {
|
}
|
||||||
if len(hash) == len(wantedHash) {
|
for _, hash := range stamp.Hashes {
|
||||||
copy(wantedHash[:], hash)
|
if len(hash) == len(wantedHash) {
|
||||||
if h == wantedHash {
|
copy(wantedHash[:], hash)
|
||||||
found = true
|
if h == wantedHash {
|
||||||
break
|
found = true
|
||||||
|
break
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
if found {
|
||||||
|
break
|
||||||
|
}
|
||||||
}
|
}
|
||||||
if found {
|
if !found && len(stamp.Hashes) > 0 {
|
||||||
break
|
dlog.Criticalf("[%s] Certificate hash [%x] not found", name, wantedHash)
|
||||||
|
return ServerInfo{}, fmt.Errorf("Certificate hash not found")
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if !found && len(stamp.Hashes) > 0 {
|
|
||||||
dlog.Criticalf("[%s] Certificate hash [%x] not found", name, wantedHash)
|
|
||||||
return ServerInfo{}, fmt.Errorf("Certificate hash not found")
|
|
||||||
}
|
|
||||||
if len(serverResponse) < MinDNSPacketSize || len(serverResponse) > MaxDNSPacketSize ||
|
if len(serverResponse) < MinDNSPacketSize || len(serverResponse) > MaxDNSPacketSize ||
|
||||||
serverResponse[0] != 0xca || serverResponse[1] != 0xfe || serverResponse[4] != 0x00 || serverResponse[5] != 0x01 {
|
serverResponse[0] != 0xca || serverResponse[1] != 0xfe || serverResponse[4] != 0x00 || serverResponse[5] != 0x01 {
|
||||||
dlog.Info("Webserver returned an unexpected response")
|
dlog.Info("Webserver returned an unexpected response")
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue