Capture the contents of the User-Agent Header where possible (#25 )

http-01: remove MaxVersion restriction (#23 )
fix DoH response writer (#22 )
2025-04-09 15:51:28 -04:00 · 2023-12-06 10:10:50 -08:00 · 2023-12-05 09:19:12 -08:00
3 changed files with 26 additions and 10 deletions
--- a/dns.go
+++ b/dns.go
@ -161,6 +161,21 @@ type writeMsg interface {
 	WriteMsg(*dns.Msg) error
 }

+type dnsToHTTPWriter struct {
+	http.ResponseWriter
+}
+
+func (d *dnsToHTTPWriter) WriteMsg(m *dns.Msg) error {
+	d.Header().Set("Content-Type", "application/dns-message")
+	d.WriteHeader(http.StatusOK)
+	b, err := m.Pack()
+	if err != nil {
+		return err
+	}
+	_, err = d.Write(b)
+	return err
+}
+
 // dohHandler handles a DoH request by POST only.
 func (s *ChallSrv) dohHandler(w http.ResponseWriter, r *http.Request) {
 	if r.Method != http.MethodPost {
@ -180,8 +195,7 @@ func (s *ChallSrv) dohHandler(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	var dnsResponseWriter dns.ResponseWriter
-	s.dnsHandler(dnsResponseWriter, msg)
+	s.dnsHandlerInner(&dnsToHTTPWriter{w}, msg, r.Header.Get("User-Agent"))
 }

 // dnsHandler is a miekg/dns handler that can process a dns.Msg request and
@ -190,10 +204,10 @@ func (s *ChallSrv) dohHandler(w http.ResponseWriter, r *http.Request) {
 // DNS data. A host that is aliased by a CNAME record will follow that alias
 // one level and return the requested record types for that alias' target
 func (s *ChallSrv) dnsHandler(w dns.ResponseWriter, r *dns.Msg) {
-	s.dnsHandlerInner(w, r)
+	s.dnsHandlerInner(w, r, "")
 }

-func (s *ChallSrv) dnsHandlerInner(w writeMsg, r *dns.Msg) {
+func (s *ChallSrv) dnsHandlerInner(w writeMsg, r *dns.Msg, userAgent string) {
 	m := new(dns.Msg)
 	m.SetReply(r)
 	m.Compress = false
@ -201,7 +215,8 @@ func (s *ChallSrv) dnsHandlerInner(w writeMsg, r *dns.Msg) {
 	// For each question, add answers based on the type of question
 	for _, q := range r.Question {
 		s.AddRequestEvent(DNSRequestEvent{
-			Question: q,
+			Question:  q,
+			UserAgent: userAgent,
 		})

 		// If there is a ServFail mock set then ignore the question and set the
--- a/event.go
+++ b/event.go
@ -38,6 +38,8 @@ type HTTPRequestEvent struct {
 	// The ServerName from the ClientHello. May be empty if there was no SNI or if
 	// the request was not HTTPS
 	ServerName string
+	// The User-Agent header from the request
+	UserAgent string
 }

 // HTTPRequestEvents always have type HTTPRequestEventType
@ -59,6 +61,9 @@ func (e HTTPRequestEvent) Key() string {
 type DNSRequestEvent struct {
 	// The DNS question received.
 	Question dns.Question
+	// The User-Agent header from the request, may be empty
+	// if the request was not over DoH.
+	UserAgent string
 }

 // DNSRequestEvents always have type DNSRequestEventType
--- a/httpone.go
+++ b/httpone.go
@ -128,6 +128,7 @@ func (s *ChallSrv) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		Host:       r.Host,
 		HTTPS:      r.TLS != nil,
 		ServerName: serverName,
+		UserAgent:  r.Header.Get("User-Agent"),
 	})

 	// If the request was not over HTTPS and we have a redirect, serve it.
@ -188,11 +189,6 @@ func httpOneServer(address string, handler http.Handler, https bool) challengeSe
 	if https {
 		tlsConfig = &tls.Config{
 			Certificates: []tls.Certificate{cert},
-			// Only accept TLS 1.0 and TLS 1.1. This is a temporary restriction, to
-			// make it possible to test Boulder features that log when validation hits
-			// an HTTPS URL that doesn't support TLS >1.2. Once Let's Encrypt turns
-			// off TLS 1.0 and TLS 1.1 support in validations, remove this line.
-			MaxVersion: tls.VersionTLS11,
 		}
 	}
 	// Create an HTTP Server for HTTP-01 challenges
Author	SHA1	Message	Date
Samantha Frank	bcea93640e	Capture the contents of the User-Agent Header where possible (#25 )	2025-04-09 15:51:28 -04:00
Jacob Hoffman-Andrews	986f82c46b	http-01: remove MaxVersion restriction (#23 )	2023-12-06 10:10:50 -08:00
Jacob Hoffman-Andrews	6944a3943f	fix DoH response writer (#22 )	2023-12-05 09:19:12 -08:00