From d2aa521369f08ad2fb7ca5d1f4c8deb4966f920e Mon Sep 17 00:00:00 2001
From: Frank Denis
Date: Fri, 7 Jun 2019 01:23:48 +0200
Subject: [PATCH] Add a command-line option to print the server certificate hashes

---
 dnscrypt-proxy/config.go | 10 ++++++++++
 dnscrypt-proxy/proxy.go | 4 ++++
 dnscrypt-proxy/serversInfo.go | 5 ++---
 3 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/dnscrypt-proxy/config.go b/dnscrypt-proxy/config.go
index 0ec4192b..4351e0a0 100644
--- a/dnscrypt-proxy/config.go
+++ b/dnscrypt-proxy/config.go
@@ -202,6 +202,7 @@ func ConfigLoad(proxy *Proxy, svcFlag *string) error {
 	configFile := flag.String("config", DefaultConfigFileName, "Path to the configuration file")
 	child := flag.Bool("child", false, "Invokes program as a child process")
 	netprobeTimeoutOverride := flag.Int("netprobe-timeout", 60, "Override the netprobe timeout")
+	showCerts := flag.Bool("show-certs", false, "print DoH certificate chain hashes")
 
 	flag.Parse()
 
@@ -431,7 +432,16 @@ func ConfigLoad(proxy *Proxy, svcFlag *string) error {
 	} else if len(config.FallbackResolver) > 0 {
 		netprobeAddress = config.FallbackResolver
 	}
+	proxy.showCerts = *showCerts || len(os.Getenv("SHOW_CERTS")) > 0
+	if len(os.Getenv("SHOW_CERTS")) > 0 {
+		proxy.showCerts = true
+	}
+
+	if proxy.showCerts {
+		proxy.listenAddresses = nil
+	}
 	NetProbe(netprobeAddress, netprobeTimeout)
+
 	if !config.OfflineMode {
 		if err := config.loadSources(proxy); err != nil {
 			return err
diff --git a/dnscrypt-proxy/proxy.go b/dnscrypt-proxy/proxy.go
index 5d7c809f..97f1700b 100644
--- a/dnscrypt-proxy/proxy.go
+++ b/dnscrypt-proxy/proxy.go
@@ -64,6 +64,7 @@ type Proxy struct {
 	logMaxAge int
 	logMaxBackups int
 	refusedCodeInResponses bool
+	showCerts bool
 }
 
 func (proxy *Proxy) StartProxy() {
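Review bot: The help text of the new flag is inconsistent with its neighbours: `"print DoH certificate chain hashes"` starts lowercase while the three flags registered directly above it all start with a capital, so the `-help` listing reads unevenly. Use `showCerts := flag.Bool("show-certs", false, "Print DoH certificate chain hashes")`. It would also help users to say in the same text that the run is one-shot, since the proxy.go hunk in this commit exits right after the first server refresh when the flag is set. ConfigLoad continues outside the hunk.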
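Review bot: The added `if len(os.Getenv("SHOW_CERTS")) > 0 { proxy.showCerts = true }` block is dead code: the assignment on the line just above it already ORs the same `os.Getenv("SHOW_CERTS")` test into `proxy.showCerts`, so the block reads the variable a second time and can never change the result. Keep only `proxy.showCerts = *showCerts || len(os.Getenv("SHOW_CERTS")) > 0` and drop the three-line block. A short why-comment on the `proxy.listenAddresses = nil` line would also save the next reader a trip through StartProxy, e.g. `// -show-certs is a one-shot diagnostic run: open no listeners, just fetch server info and exit.` ConfigLoad continues outside the hunk.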
@@ -152,6 +153,9 @@ func (proxy *Proxy) StartProxy() {
 		dlog.Fatal(err)
 	}
 	liveServers, err := proxy.serversInfo.refresh(proxy)
+	if proxy.showCerts {
+		os.Exit(0)
+	}
 	if liveServers > 0 {
 		dlog.Noticef("dnscrypt-proxy is ready - live servers: %d", liveServers)
 		if !proxy.child {
diff --git a/dnscrypt-proxy/serversInfo.go b/dnscrypt-proxy/serversInfo.go
index c56e6dce..3e4d914e 100644
--- a/dnscrypt-proxy/serversInfo.go
+++ b/dnscrypt-proxy/serversInfo.go
@@ -10,7 +10,6 @@ import (
 	"math/rand"
 	"net"
 	"net/url"
-	"os"
 	"strings"
 	"sync"
 	"time"
@@ -311,13 +310,13 @@ func (serversInfo *ServersInfo) fetchDoHServerInfo(proxy *Proxy, name string, st
 		dlog.Warnf("[%s] does not support HTTP/2", name)
 	}
 	dlog.Infof("[%s] TLS version: %x - Protocol: %v - Cipher suite: %v", name, tls.Version, protocol, tls.CipherSuite)
-	showCerts := len(os.Getenv("SHOW_CERTS")) > 0
+	showCerts := proxy.showCerts
 	found := false
 	var wantedHash [32]byte
 	for _, cert := range tls.PeerCertificates {
 		h := sha256.Sum256(cert.RawTBSCertificate)
 		if showCerts {
-			dlog.Infof("Advertised cert: [%s] [%x]", cert.Subject, h)
+			dlog.Noticef("Advertised cert: [%s] [%x]", cert.Subject, h)
 		} else {
 			dlog.Debugf("Advertised cert: [%s] [%x]", cert.Subject, h)
 		}
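Review bot: The added `os.Exit(0)` reports success regardless of how the refresh just above it went: the `err` returned by `proxy.serversInfo.refresh(proxy)` is never inspected on this path, and a run in which no server could be reached or (presumably) every certificate hash check failed, leaving `liveServers == 0`, still exits with status 0, so a script that uses `-show-certs` to verify a resolver cannot distinguish success from failure. Exit non-zero in that case, e.g. `if proxy.showCerts { if err != nil || liveServers == 0 { os.Exit(1) }; os.Exit(0) }`, or move the exit inside the existing `liveServers > 0` branch so the existing error reporting runs first. `os.Exit` also skips deferred functions, so if dlog buffers its output the last "Advertised cert" lines could be lost; worth confirming. StartProxy continues outside the hunk.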
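Review bot: The value now printed at Notice level is `sha256.Sum256(cert.RawTBSCertificate)`, a digest of the to-be-signed portion only; that is what `wantedHash` is later compared against, but it is not what common tools report as a certificate fingerprint (for example OpenSSL's fingerprint is computed over the whole DER certificate), so an operator who compares this output with such a fingerprint will see a mismatch and may conclude the server is misbehaving. A one-line comment on the `h :=` line would prevent that, e.g. `// SHA-256 of the TBS part only, not of the full DER certificate; this is the value the hash check below expects.` As a point of style, `showCerts := proxy.showCerts` is now a plain copy of a field whose only purpose was the old env lookup; reading `proxy.showCerts` directly in the `if` removes the local. fetchDoHServerInfo continues outside the hunk.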