From ddcc40c954e48bbdcdc59cf6d2b275aa9214814d Mon Sep 17 00:00:00 2001
From: Frank Denis
Date: Thu, 3 Jun 2021 12:48:33 +0200
Subject: [PATCH] Hardcode Let's Encrypt ISRG X1 cert

Some operating systems don't include it yet. Thanks to @rs for the heads up

---
 dnscrypt-proxy/xtransport.go | 36 +++++++++++++++++++++++-------------
 1 file changed, 23 insertions(+), 13 deletions(-)

diff --git a/dnscrypt-proxy/xtransport.go b/dnscrypt-proxy/xtransport.go
index 85c663c7..04cfe7ec 100644
--- a/dnscrypt-proxy/xtransport.go
+++ b/dnscrypt-proxy/xtransport.go
@@ -158,27 +158,37 @@ func (xTransport *XTransport) rebuildTransport() {
 	if xTransport.httpProxyFunction != nil {
 		transport.Proxy = xTransport.httpProxyFunction
 	}
+	tlsClientConfig := tls.Config{}
+	certPool, err := x509.SystemCertPool()
+	if err != nil {
+		dlog.Fatal(err)
+	}
 	clientCreds := xTransport.tlsClientCreds
-	if (clientCreds != DOHClientCreds{}) {
+	if clientCreds.rootCA != "" {
+		additionalCaCert, err := ioutil.ReadFile(clientCreds.rootCA)
+		if err != nil {
+			dlog.Fatal(err)
+		}
+		certPool.AppendCertsFromPEM(additionalCaCert)
+	}
+
+	// Some operating systems don't include Let's Encrypt ISRG Root X1 certificate yet
+	var letsEncryptX1Cert = []byte(`-----BEGIN CERTIFICATE-----
+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
+-----END CERTIFICATE-----`)
+	certPool.AppendCertsFromPEM(letsEncryptX1Cert)
+
+	tlsClientConfig.RootCAs = certPool
+
+	if clientCreds.clientCert != "" {
 		cert, err := tls.LoadX509KeyPair(clientCreds.clientCert, clientCreds.clientKey)
 		if err != nil {
 			dlog.Fatalf("Unable to use certificate [%v] (key: [%v]): %v", clientCreds.clientCert, clientCreds.clientKey, err)
 		}
-		if clientCreds.rootCA != "" {
-			caCert, err := ioutil.ReadFile(clientCreds.rootCA)
-			if err != nil {
-				dlog.Fatal(err)
-			}
-			systemCertPool, err := x509.SystemCertPool()
-			if err != nil {
-				dlog.Fatal(err)
-			}
-			systemCertPool.AppendCertsFromPEM(caCert)
-			tlsClientConfig.RootCAs = systemCertPool
-		}
 		tlsClientConfig.Certificates = []tls.Certificate{cert}
 	}
+
 	if xTransport.tlsDisableSessionTickets || xTransport.tlsCipherSuite != nil {
 		tlsClientConfig.SessionTicketsDisabled = xTransport.tlsDisableSessionTickets
 		if !xTransport.tlsDisableSessionTickets {