Comments (6)
Cloudflare certificates change all the time, so this is unfortunately impossible to maintain.
And yes, it means that it is completely insecure against adversaries having the power of certificate authorities, and against products adding their own CAs.
from dnscrypt-resolvers.
One year ago (early Jan) I imported Cloudflare's new cert into my MikroTik router and set up DoH on it with "Verify DoH Certificate" enabled. It has worked with no problems since then. Just to make sure, I compared the cert on my router and on Cloudflare - they are the same.
Do you consider yearly certs too volatile, or am I missing something?
from dnscrypt-resolvers.
It was far more frequent. Hashes were removed in 2020. Maybe things have stabilized since? That would be surprising, though. I have websites fronted by Cloudflare and the certificate chain keeps changing at least twice a month.
What stamp are you using?
from dnscrypt-resolvers.
Current hash is:
[CN=Cloudflare Inc ECC CA-3,O=Cloudflare\, Inc.,C=US] [9cbba0fc962f7a2b31c62b1b175a2de4c50a8395727e30b626a80009a780e3d8]
from dnscrypt-resolvers.
My config
server_names = ['cloudflare-static']
..
[static]
[static.'cloudflare-static']
stamp = 'sdns://AgcAAAAAAAAABzEuMC4wLjEAEmRucy5jbG91ZGZsYXJlLmNvbQovZG5zLXF1ZXJ5'
Sample run:
> dnscrypt-proxy -show-certs
[2023-12-29 23:29:23] [NOTICE] dnscrypt-proxy 2.0.45
[2023-12-29 23:29:23] [NOTICE] Firefox workaround initialized
[2023-12-29 23:29:24] [NOTICE] Advertised cert: [CN=cloudflare.com,O=Cloudflare\, Inc.,L=San Francisco,ST=California,C=US] [8daa18baf94b4af89d1079557b901674e94e66974a8504a32bfaf1eb3fa5700d]
[2023-12-29 23:29:24] [NOTICE] Advertised cert: [CN=Cloudflare Inc ECC CA-3,O=Cloudflare\, Inc.,C=US] [9cbba0fc962f7a2b31c62b1b175a2de4c50a8395727e30b626a80009a780e3d8]
[2023-12-29 23:29:24] [NOTICE] [cloudflare-static] OK (DoH) - rtt: 45ms
[2023-12-29 23:29:24] [NOTICE] Server with the lowest initial latency: cloudflare-static (rtt: 45ms)
from dnscrypt-resolvers.
Cloudflare are also still using Digicert (at least for the "family" and "security" resolvers) and we need another CA for people choosing the RSA cipher suites.
d46ec48 re-adds these certs. Hopefully these are the same everywhere in the world. Let's see how long it takes before something breaks.
from dnscrypt-resolvers.
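The stamp posted above and the hash quoted a few comments earlier are two halves of the same mechanism, so here is an added example (not code from the thread or from dnscrypt-proxy) that decodes a DoH stamp, shows which fields it carries, and builds a variant with a certificate hash pinned. It follows the public DNS stamp layout for protocol 0x02 (protocol byte, 64-bit properties, length-prefixed address, variable-length hash list, hostname, path); the hash slot holds SHA-256 digests of TBS certificates in the server's chain, which is what the `-show-certs` output lists. The point it makes is that the stamp in the comment contains an empty hash list, so dnscrypt-proxy falls back to ordinary CA validation for it and no pinning is in effect; only a stamp with hashes is affected by Cloudflare rotating its chain. `pin_hashes` is a helper name of my own, and `STAMP` and `CA3_HASH` are the values quoted from the thread.

```python
# Added example: decode/encode dnscrypt-proxy DoH stamps (sdns://, protocol 0x02)
# to show where certificate hashes live in a stamp. Not code from dnscrypt-proxy
# or from the issue thread; layout follows the public DNS stamp specification.
import base64
from dataclasses import dataclass, replace

DOH_PROTOCOL = 0x02
# Property bits as defined by the DNS stamp specification.
PROP_FLAGS = {1: "DNSSEC", 2: "No logs", 4: "No filter"}

# Values quoted from the thread above.
STAMP = "sdns://AgcAAAAAAAAABzEuMC4wLjEAEmRucy5jbG91ZGZsYXJlLmNvbQovZG5zLXF1ZXJ5"
CA3_HASH = "9cbba0fc962f7a2b31c62b1b175a2de4c50a8395727e30b626a80009a780e3d8"


@dataclass(frozen=True)
class DohStamp:
    props: int
    addr: str        # IP address, optionally with :port
    hashes: tuple    # hex SHA-256 digests of TBS certificates in the chain
    hostname: str
    path: str

    def prop_names(self):
        return [name for bit, name in PROP_FLAGS.items() if self.props & bit]


def _lp(data: bytes) -> bytes:
    """Length-prefixed field (single length byte)."""
    if len(data) > 255:
        raise ValueError("field too long")
    return bytes([len(data)]) + data


def _vlp(items) -> bytes:
    """Variable-length list: the length byte has its high bit set while more
    items follow; an empty list is a single 0x00 byte."""
    if not items:
        return b"\x00"
    out = bytearray()
    for i, item in enumerate(items):
        more = 0x80 if i < len(items) - 1 else 0
        out += bytes([len(item) | more]) + item
    return bytes(out)


def decode_stamp(stamp: str) -> DohStamp:
    if not stamp.startswith("sdns://"):
        raise ValueError("not a DNS stamp")
    b64 = stamp[len("sdns://"):]
    raw = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
    if not raw or raw[0] != DOH_PROTOCOL:
        raise ValueError("only DoH (0x02) stamps are handled here")
    props = int.from_bytes(raw[1:9], "little")
    pos = 9

    def read_lp():
        nonlocal pos
        n = raw[pos]
        pos += 1
        value = raw[pos:pos + n]
        pos += n
        return value

    addr = read_lp().decode()
    hashes = []
    while True:                      # hash list: walk until the "more" bit is clear
        n = raw[pos]
        pos += 1
        more, n = n & 0x80, n & 0x7F
        if n:
            hashes.append(raw[pos:pos + n].hex())
            pos += n
        if not more:
            break
    hostname = read_lp().decode()
    path = read_lp().decode()
    if pos != len(raw):
        raise ValueError("trailing bytes in stamp")
    return DohStamp(props, addr, tuple(hashes), hostname, path)


def encode_stamp(s: DohStamp) -> str:
    raw = (bytes([DOH_PROTOCOL])
           + s.props.to_bytes(8, "little")
           + _lp(s.addr.encode())
           + _vlp([bytes.fromhex(h) for h in s.hashes])
           + _lp(s.hostname.encode())
           + _lp(s.path.encode()))
    return "sdns://" + base64.urlsafe_b64encode(raw).decode().rstrip("=")


def pin_hashes(s: DohStamp, hashes) -> DohStamp:
    """Copy of the stamp carrying the given TBS-certificate digests (hypothetical
    helper). dnscrypt-proxy checks the chain against these only when present."""
    for h in hashes:
        if len(bytes.fromhex(h)) != 32:
            raise ValueError("expected a 32-byte SHA-256 digest")
    return replace(s, hashes=tuple(hashes))


if __name__ == "__main__":
    s = decode_stamp(STAMP)
    print("props:", s.prop_names(), "addr:", s.addr, "host:", s.hostname, "path:", s.path)
    print("pinned hashes:", list(s.hashes) or "none (no certificate pinning in effect)")
    print("pinned stamp:", encode_stamp(pin_hashes(s, [CA3_HASH])))
```

Running it on the stamp from the comment prints an empty hash list, and re-encoding the decoded structure reproduces the original string byte for byte, so the decoder is not silently dropping a field. The pinned variant is the form a stamp takes when pinning is wanted; it is also the form that breaks whenever the intermediate in the served chain changes, which is the maintenance burden described at the top of the thread.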