mirror of
https://github.com/Control-D-Inc/ctrld.git
synced 2026-02-03 22:18:39 +00:00
a20fbf95de
Added more descriptive error messages for TLS certificate verification failures across DoH, DoT, DoQ, and DoH3 protocols. The error messages now include: - Certificate subject information - Issuer organization details - Common name of the certificate This helps users and developers better understand certificate validation failures by providing specific details about the untrusted certificate, rather than just a generic "unknown authority" message. Example error message change: Before: "certificate signed by unknown authority" After: "certificate signed by unknown authority: TestCA, TestOrg, TestIssuerOrg"
43 lines
1.2 KiB
Go
43 lines
1.2 KiB
Go
package ctrld
|
|
|
|
import (
|
|
"context"
|
|
"crypto/tls"
|
|
"net"
|
|
|
|
"github.com/miekg/dns"
|
|
)
|
|
|
|
type dotResolver struct {
|
|
uc *UpstreamConfig
|
|
}
|
|
|
|
func (r *dotResolver) Resolve(ctx context.Context, msg *dns.Msg) (*dns.Msg, error) {
|
|
// The dialer is used to prevent bootstrapping cycle.
|
|
// If r.endpoint is set to dns.controld.dev, we need to resolve
|
|
// dns.controld.dev first. By using a dialer with custom resolver,
|
|
// we ensure that we can always resolve the bootstrap domain
|
|
// regardless of the machine DNS status.
|
|
dialer := newDialer(net.JoinHostPort(controldPublicDns, "53"))
|
|
dnsTyp := uint16(0)
|
|
if msg != nil && len(msg.Question) > 0 {
|
|
dnsTyp = msg.Question[0].Qtype
|
|
}
|
|
tcpNet, _ := r.uc.netForDNSType(dnsTyp)
|
|
dnsClient := &dns.Client{
|
|
Net: tcpNet,
|
|
Dialer: dialer,
|
|
TLSConfig: &tls.Config{RootCAs: r.uc.certPool},
|
|
}
|
|
endpoint := r.uc.Endpoint
|
|
if r.uc.BootstrapIP != "" {
|
|
dnsClient.TLSConfig.ServerName = r.uc.Domain
|
|
dnsClient.Net = "tcp-tls"
|
|
_, port, _ := net.SplitHostPort(endpoint)
|
|
endpoint = net.JoinHostPort(r.uc.BootstrapIP, port)
|
|
}
|
|
|
|
answer, _, err := dnsClient.ExchangeContext(ctx, msg, endpoint)
|
|
return answer, wrapCertificateVerificationError(err)
|
|
}
|