Add a command-line option to print the server certificate hashes

2019-06-07 01:23:48 +02:00 · 2019-06-07 01:23:48 +02:00 · d2aa521369
parent 9604b8b3e5
commit d2aa521369
3 changed files with 16 additions and 3 deletions
--- a/dnscrypt-proxy/config.go
+++ b/dnscrypt-proxy/config.go
@ -202,6 +202,7 @@ func ConfigLoad(proxy *Proxy, svcFlag *string) error {
 	configFile := flag.String("config", DefaultConfigFileName, "Path to the configuration file")
 	child := flag.Bool("child", false, "Invokes program as a child process")
 	netprobeTimeoutOverride := flag.Int("netprobe-timeout", 60, "Override the netprobe timeout")
+	showCerts := flag.Bool("show-certs", false, "print DoH certificate chain hashes")

 	flag.Parse()

@ -431,7 +432,16 @@ func ConfigLoad(proxy *Proxy, svcFlag *string) error {
 	} else if len(config.FallbackResolver) > 0 {
 		netprobeAddress = config.FallbackResolver
 	}
+	proxy.showCerts = *showCerts || len(os.Getenv("SHOW_CERTS")) > 0
+	if len(os.Getenv("SHOW_CERTS")) > 0 {
+		proxy.showCerts = true
+	}
+
+	if proxy.showCerts {
+		proxy.listenAddresses = nil
+	}
 	NetProbe(netprobeAddress, netprobeTimeout)
+
 	if !config.OfflineMode {
 		if err := config.loadSources(proxy); err != nil {
 			return err
--- a/dnscrypt-proxy/proxy.go
+++ b/dnscrypt-proxy/proxy.go
@ -64,6 +64,7 @@ type Proxy struct {
 	logMaxAge                    int
 	logMaxBackups                int
 	refusedCodeInResponses       bool
+	showCerts                    bool
 }

 func (proxy *Proxy) StartProxy() {
@ -152,6 +153,9 @@ func (proxy *Proxy) StartProxy() {
 		dlog.Fatal(err)
 	}
 	liveServers, err := proxy.serversInfo.refresh(proxy)
+	if proxy.showCerts {
+		os.Exit(0)
+	}
 	if liveServers > 0 {
 		dlog.Noticef("dnscrypt-proxy is ready - live servers: %d", liveServers)
 		if !proxy.child {
--- a/dnscrypt-proxy/serversInfo.go
+++ b/dnscrypt-proxy/serversInfo.go
@ -10,7 +10,6 @@ import (
 	"math/rand"
 	"net"
 	"net/url"
-	"os"
 	"strings"
 	"sync"
 	"time"
@ -311,13 +310,13 @@ func (serversInfo *ServersInfo) fetchDoHServerInfo(proxy *Proxy, name string, st
 		dlog.Warnf("[%s] does not support HTTP/2", name)
 	}
 	dlog.Infof("[%s] TLS version: %x - Protocol: %v - Cipher suite: %v", name, tls.Version, protocol, tls.CipherSuite)
-	showCerts := len(os.Getenv("SHOW_CERTS")) > 0
+	showCerts := proxy.showCerts
 	found := false
 	var wantedHash [32]byte
 	for _, cert := range tls.PeerCertificates {
 		h := sha256.Sum256(cert.RawTBSCertificate)
 		if showCerts {
-			dlog.Infof("Advertised cert: [%s] [%x]", cert.Subject, h)
+			dlog.Noticef("Advertised cert: [%s] [%x]", cert.Subject, h)
 		} else {
 			dlog.Debugf("Advertised cert: [%s] [%x]", cert.Subject, h)
 		}