Add an undocumented option to ignore cert timestamps

jedisct1 · jedisct1 · commit 8bcba92f97c5 · 2018-01-21T18:10:38.000+01:00
diff --git a/README.md b/README.md
@@ -4,7 +4,7 @@
 
 A flexible DNS proxy, with support for encrypted DNS protocols such as [DNSCrypt](https://github.com/DNSCrypt/dnscrypt-protocol/blob/master/DNSCRYPT-V2-PROTOCOL.txt).
 
-## [dnscrypt-proxy 2.0.0beta6 is available for download!](https://github.com/jedisct1/dnscrypt-proxy/releases/latest)
+## [dnscrypt-proxy 2.0.0beta7 is available for download!](https://github.com/jedisct1/dnscrypt-proxy/releases/latest)
 
 ## Installation
 
diff --git a/dnscrypt-proxy/certs.go b/dnscrypt-proxy/certs.go
@@ -87,9 +87,11 @@ func FetchCurrentCert(proxy *Proxy, serverName *string, proto string, pk ed25519
 		} else {
 			certInfo.ForwardSecurity = true
 		}
-		if now > tsEnd || now < tsBegin {
-			dlog.Debugf("[%v] Certificate not valid at the current date", providerName)
-			continue
+		if !proxy.certIgnoreTimestamp {
+			if now > tsEnd || now < tsBegin {
+				dlog.Debugf("[%v] Certificate not valid at the current date", providerName)
+				continue
+			}
 		}
 		if serial < highestSerial {
 			dlog.Debugf("[%v] Superseded by a previous certificate", providerName)
diff --git a/dnscrypt-proxy/config.go b/dnscrypt-proxy/config.go
@@ -22,6 +22,7 @@ type Config struct {
 	ForceTCP            bool `toml:"force_tcp"`
 	Timeout             int  `toml:"timeout_ms"`
 	CertRefreshDelay    int  `toml:"cert_refresh_delay"`
+	CertIgnoreTimestamp bool `toml:"cert_ignore_timestamp"`
 	BlockIPv6           bool `toml:"block_ipv6"`
 	Cache               bool
 	CacheSize           int                     `toml:"cache_size"`
@@ -43,18 +44,19 @@ type Config struct {
 
 func newConfig() Config {
 	return Config{
-		LogLevel:           int(dlog.LogLevel()),
-		ListenAddresses:    []string{"127.0.0.1:53"},
-		Timeout:            2500,
-		CertRefreshDelay:   30,
-		Cache:              true,
-		CacheSize:          256,
-		CacheNegTTL:        60,
-		CacheMinTTL:        60,
-		CacheMaxTTL:        8600,
-		SourceRequireNoLog: true,
-		SourceIPv4:         true,
-		SourceIPv6:         false,
+		LogLevel:            int(dlog.LogLevel()),
+		ListenAddresses:     []string{"127.0.0.1:53"},
+		Timeout:             2500,
+		CertRefreshDelay:    30,
+		CertIgnoreTimestamp: false,
+		Cache:               true,
+		CacheSize:           256,
+		CacheNegTTL:         60,
+		CacheMinTTL:         60,
+		CacheMaxTTL:         8600,
+		SourceRequireNoLog:  true,
+		SourceIPv4:          true,
+		SourceIPv6:          false,
 	}
 }
 
@@ -139,6 +141,7 @@ func ConfigLoad(proxy *Proxy, svcFlag *string, config_file string) error {
 	}
 	proxy.certRefreshDelay = time.Duration(config.CertRefreshDelay) * time.Minute
 	proxy.certRefreshDelayAfterFailure = time.Duration(10 * time.Second)
+	proxy.certIgnoreTimestamp = config.CertIgnoreTimestamp
 	if len(config.ListenAddresses) == 0 {
 		return errors.New("No local IP/port configured")
 	}
diff --git a/dnscrypt-proxy/main.go b/dnscrypt-proxy/main.go
@@ -16,7 +16,7 @@ import (
 	"golang.org/x/crypto/curve25519"
 )
 
-const AppVersion = "2.0.0beta6"
+const AppVersion = "2.0.0beta7"
 
 type Proxy struct {
 	proxyPublicKey               [32]byte
@@ -26,6 +26,7 @@ type Proxy struct {
 	timeout                      time.Duration
 	certRefreshDelay             time.Duration
 	certRefreshDelayAfterFailure time.Duration
+	certIgnoreTimestamp          bool
 	mainProto                    string
 	listenAddresses              []string
 	daemonize                    bool
