From a219dde75e9cc1f508f34a35240bc2f83c214358 Mon Sep 17 00:00:00 2001
From: Shulhan
Date: Sat, 7 Dec 2019 01:19:10 +0700
Subject: dns: check for bad certificate when reading DoT request

While at it, read the request inside loop to minimize calling newRequest when recv is timeout.
---
 lib/dns/server.go | 28 ++++++++++++++++++----------
 1 file changed, 18 insertions(+), 10 deletions(-)

diff --git a/lib/dns/server.go b/lib/dns/server.go
index 821af38f..55588193 100644
--- a/lib/dns/server.go
+++ b/lib/dns/server.go
@@ -615,20 +615,28 @@ func (srv *Server) incForwarder() {
 }
 
 func (srv *Server) serveTCPClient(cl *TCPClient, kind connType) {
+ var (
+ n int
+ err error
+ )
 for {
 req := newRequest()
- n, err := cl.recv(req.message)
- if err != nil {
- if err == io.EOF {
+ for {
+ n, err = cl.recv(req.message)
+ if err != nil {
+ if err == io.EOF {
+ goto out
+ }
+ if strings.Contains(err.Error(), "bad certificate") {
+ goto out
+ }
+ continue
+ }
+ if n == 0 || len(req.message.Packet) == 0 {
 goto out
 }
- log.Printf("serveTCPClient: %s: %s",
- connTypeNames[kind], err.Error())
- continue
- }
- if n == 0 || len(req.message.Packet) == 0 {
- goto out
+ break
 }
 
 req.kind = kind
@@ -644,7 +652,7 @@ func (srv *Server) serveTCPClient(cl *TCPClient, kind connType) {
 srv.requestq <- req
 }
 out:
- err := cl.conn.Close()
+ err = cl.conn.Close()
 if err != nil {
 log.Printf("serveTCPClient: conn.Close: %s: %s",
 connTypeNames[kind], err.Error())
-- 
cgit v1.3
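Review bot: In the new inner `for` loop of `serveTCPClient`, every `cl.recv` error other than `io.EOF` or one whose text contains "bad certificate" falls through to `continue`, so a repeating non-timeout failure (connection reset, a different TLS alert, a socket closed underneath us) keeps this goroutine calling `cl.recv` in a tight loop and never reaches `out:` to close the connection, and the `log.Printf` that used to surface such errors was dropped, so nothing is logged either. Matching `err.Error()` against "bad certificate" is also brittle, since it depends on the exact alert wording of the TLS library rather than on the error's type. Assuming `cl.recv` passes through the underlying `net.Conn` error, retry only on a `net.Error` whose `Timeout()` is true and treat everything else as fatal for the connection, keeping the log line; this needs `net` imported, which the hunk does not show. The function's closing brace lies beyond the second hunk, and the body between the two hunks is not shown.
```go
for {
	n, err = cl.recv(req.message)
	if err != nil {
		// Only an idle-read timeout is worth retrying on the same
		// request; EOF, TLS failures and any other read error end
		// the connection instead of looping on it.
		if ne, ok := err.(net.Error); ok && ne.Timeout() {
			continue
		}
		if err != io.EOF {
			log.Printf("serveTCPClient: %s: %s",
				connTypeNames[kind], err.Error())
		}
		goto out
	}
	// … unchanged: empty-packet check and break …
}
```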