authorShulhan <m.shulhan@gmail.com>2019-12-07 01:19:10 +0700
committerShulhan <m.shulhan@gmail.com>2019-12-07 01:19:10 +0700
commita219dde75e9cc1f508f34a35240bc2f83c214358 (patch)
tree7f77b37d16f4db51e3d4dd34fcd25a246206db3f
parent79c5cdfcbc652d4224cb4294d5c6a7ea027fb3cb (diff)
downloadpakakeh.go-a219dde75e9cc1f508f34a35240bc2f83c214358.tar.xz
dns: check for bad certificate when reading DoT request
While at it, read the request inside an inner loop to minimize calls to newRequest when recv times out.
-rw-r--r--lib/dns/server.go28
1 files changed, 18 insertions, 10 deletions
diff --git a/lib/dns/server.go b/lib/dns/server.go
index 821af38f..55588193 100644
--- a/lib/dns/server.go
+++ b/lib/dns/server.go
@@ -615,20 +615,28 @@ func (srv *Server) incForwarder() {
}
func (srv *Server) serveTCPClient(cl *TCPClient, kind connType) {
+ var (
+ n int
+ err error
+ )
for {
req := newRequest()
- n, err := cl.recv(req.message)
- if err != nil {
- if err == io.EOF {
+ for {
+ n, err = cl.recv(req.message)
+ if err != nil {
+ if err == io.EOF {
+ goto out
+ }
+ if strings.Contains(err.Error(), "bad certificate") {
+ goto out
+ }
+ continue
+ }
+ if n == 0 || len(req.message.Packet) == 0 {
goto out
}
- log.Printf("serveTCPClient: %s: %s",
- connTypeNames[kind], err.Error())
- continue
- }
- if n == 0 || len(req.message.Packet) == 0 {
- goto out
+ break
}
req.kind = kind
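Review bot: The fallthrough `continue` in the new inner loop retries `cl.recv` on every error except io.EOF and one whose text contains "bad certificate", so any other persistent failure (a reset or already-closed connection, or a different TLS alert) would presumably fail again immediately and keep this goroutine spinning without ever reaching `out`. Matching on `err.Error()` is also brittle, since it depends on the exact wording of the TLS library's message. Because the commit message says the retry exists for timeouts, I would retry only those and close on everything else: `if ne, ok := err.(net.Error); ok && ne.Timeout() { continue }` followed by `goto out` (this assumes `net` is imported in server.go, which the hunk does not show). The removed `log.Printf` was the only trace of these failures, so keeping a log line on the non-timeout path would let operators see clients that repeatedly fail the handshake. The body of serveTCPClient continues past the end of this hunk.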
@@ -644,7 +652,7 @@ func (srv *Server) serveTCPClient(cl *TCPClient, kind connType) {
srv.requestq <- req
}
out:
- err := cl.conn.Close()
+ err = cl.conn.Close()
if err != nil {
log.Printf("serveTCPClient: conn.Close: %s: %s",
connTypeNames[kind], err.Error())