From 3b75a4c6ac1013d1b11dad376e02fd7b1d5fd0a2 Mon Sep 17 00:00:00 2001
From: Frank Denis
Date: Sun, 26 Jan 2025 23:18:03 +0100
Subject: [PATCH] Fix undefined vs empty confusion for tls_cipher_suite

The documentation refers to tls_cipher_suite being empty in order to use the default parameters, not undefined. However, configuring an empty set of cipher suites did just that: no cipher suites could be used, which is not very useful. Fix the documentation: in order to use the default suites, the parameter must be undefined, not empty. And in code, make an empty set equivalent to the parameter being undefined.
---
 dnscrypt-proxy/example-dnscrypt-proxy.toml | 4 ++--
 dnscrypt-proxy/xtransport.go | 5 +++--
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/dnscrypt-proxy/example-dnscrypt-proxy.toml b/dnscrypt-proxy/example-dnscrypt-proxy.toml
index 6ecd9152..a2412672 100644
--- a/dnscrypt-proxy/example-dnscrypt-proxy.toml
+++ b/dnscrypt-proxy/example-dnscrypt-proxy.toml
@@ -223,9 +223,9 @@ cert_refresh_delay = 240
 ## On non-Intel CPUs such as MIPS routers and ARM systems (Android, Raspberry Pi...),
 ## the following suite improves performance.
 ## This may also help on Intel CPUs running 32-bit operating systems.
+## However, this can cause issues fetching sources or connecting to some HTTP servers.
 ##
-## Keep tls_cipher_suite empty if you have issues fetching sources or
-## connecting to some DoH servers.
+## Keep tls_cipher_suite undefined to let the app automatically choose secure parameters
 # tls_cipher_suite = [52392, 49199]

diff --git a/dnscrypt-proxy/xtransport.go b/dnscrypt-proxy/xtransport.go
index 249a514e..39186f8f 100644
--- a/dnscrypt-proxy/xtransport.go
+++ b/dnscrypt-proxy/xtransport.go
@@ -217,12 +217,13 @@ func (xTransport *XTransport) rebuildTransport() {
 tlsClientConfig.Certificates = []tls.Certificate{cert}
 }
-if xTransport.tlsDisableSessionTickets || xTransport.tlsCipherSuite != nil {
+overrideCipherSuite := xTransport.tlsCipherSuite != nil && len(xTransport.tlsCipherSuite) > 0
+if xTransport.tlsDisableSessionTickets || overrideCipherSuite {
 tlsClientConfig.SessionTicketsDisabled = xTransport.tlsDisableSessionTickets
 if !xTransport.tlsDisableSessionTickets {
 tlsClientConfig.ClientSessionCache = tls.NewLRUClientSessionCache(10)
 }
-if xTransport.tlsCipherSuite != nil {
+if overrideCipherSuite {
 tlsClientConfig.PreferServerCipherSuites = false
 tlsClientConfig.CipherSuites = xTransport.tlsCipherSuite