Open HX-Technology-LLC opened 3 months ago
Could you please elaborate on what you are trying to achieve? Using secured SSL/TLS endpoints with the proper domain and checking that everything makes sense is actually the point, to ensure nobody is "on the wire ..."
I deployed AdGuard Home in my Windows 7 VM and set up the upstream servers as tls:/8.8.4.4 and tls:/1.1.1.1, and found that there were a lot of certificate validation errors. When using the IE browser (because it uses the Schannel component that comes with the system) to access https://1.1.1.1, the certificate error prompts are consistent with those of AdGuard Home. I'm wondering if I can skip the certificate errors and query them directly.
Translated with DeepL.com (free version)
Why don't you just set up the upstream servers as:
tls://dns.google
https://dns.google/dns-query
tls://1dot1dot1dot1.cloudflare-dns.com
https://dns.cloudflare.com/dns-query
So the certificates are actually validated?
Sometimes even using https://dns.cloudflare.com/dns-query or https://one.one.one.one/dns-query also gives a certificate error under the Cloudflare WARP VPN or another VPN. Which is kinda funny considering it's a Cloudflare product.
The certificate is verified, and if it's set to a domain name it's fine, but I'd like to reduce the time it takes to query the encrypted DNS domain for the first time and also reduce the information leakage because of the SNI.
Maybe there are some issues with processing the certificates?
I have no idea. It just often/always gives a bad certificate when using Cloudflare WARP.
Prerequisites
[X] I have checked the Wiki and Discussions and found no answer
[X] I have searched other issues and found no duplicates
[X] I want to request a feature or enhancement and not ask a question
The problem
When running AdGuard Home on Windows 7/8.1 and configuring the upstream DNS as DoH and DoT of IP type, the certificate validity cannot be verified properly.
Proposed solution
Ignore SSL certificate checking, or use non-systematic SSL certificate validity checking like Firefox.
Alternatives considered and additional information
No response