Handle cert expiration or rotation
This commit is contained in:
parent
b30b6b1d66
commit
45626b139d
|
@ -203,7 +203,8 @@ func (p *dnsCrypt) Exchange(m *dns.Msg) (*dns.Msg, error) {
|
||||||
serverInfo = p.serverInfo
|
serverInfo = p.serverInfo
|
||||||
p.RUnlock()
|
p.RUnlock()
|
||||||
|
|
||||||
if client == nil || serverInfo == nil {
|
now := uint32(time.Now().Unix())
|
||||||
|
if client == nil || serverInfo == nil || (serverInfo != nil && serverInfo.ServerCert.NotAfter < now) {
|
||||||
p.Lock()
|
p.Lock()
|
||||||
|
|
||||||
// Using "udp" for DNSCrypt upstreams by default
|
// Using "udp" for DNSCrypt upstreams by default
|
||||||
|
@ -222,6 +223,17 @@ func (p *dnsCrypt) Exchange(m *dns.Msg) (*dns.Msg, error) {
|
||||||
}
|
}
|
||||||
|
|
||||||
reply, _, err := client.Exchange(m, serverInfo)
|
reply, _, err := client.Exchange(m, serverInfo)
|
||||||
|
|
||||||
|
if err, ok := err.(net.Error); ok && err.Timeout() {
|
||||||
|
// If request times out, it is possible that the server configuration has been changed.
|
||||||
|
// It is safe to assume that the key was rotated (for instance, as it is described here: https://dnscrypt.pl/2017/02/26/how-key-rotation-is-automated/).
|
||||||
|
// We should re-fetch the server certificate info so that the new requests were not failing.
|
||||||
|
p.Lock()
|
||||||
|
p.client = nil
|
||||||
|
p.serverInfo = nil
|
||||||
|
p.Unlock()
|
||||||
|
}
|
||||||
|
|
||||||
return reply, err
|
return reply, err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue