author | Christian Hesse <mail@eworm.de> | 2024-01-11 09:22:32 +0100 |
---|---|---|
committer | Christian Hesse <mail@eworm.de> | 2024-01-11 09:22:32 +0100 |
commit | 80db12a3e9c4f7fe14865d329de115068501b5a4 (patch) | |
tree | c015a21d188d11ad2bce24cf70a0c8818a7b79d8 | |
parent | 44a8195c3763829c0efd41a32a434e3d2b8aa142 (diff) |
netwatch-dns: enable DoH certificate verification...
... if a certificate is named in configuration.
-rw-r--r-- | netwatch-dns.rsc | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/netwatch-dns.rsc b/netwatch-dns.rsc
index bf0b24e..7709ce8 100644
--- a/netwatch-dns.rsc
+++ b/netwatch-dns.rsc
@@ -59,6 +59,7 @@ $ScriptLock $0;
 :local DohServer "";
 :local DohCert "";
+:local DohCertVerify [ /ip/dns/get verify-doh-cert ];
 :local DohCurrent [ /ip/dns/get use-doh-server ];
 :foreach Host in=[ /tool/netwatch/find where comment~"\\bdoh\\b" status="up" ] do={
@@ -81,12 +82,13 @@ $ScriptLock $0;
 :if ($DohServer != $DohCurrent) do={
 $LogPrintExit2 info $0 ("Updating DoH server: " . $DohServer) false;
 :if ([ :len $DohCert ] > 0) do={
+ :set DohCertVerify true;
 /ip/dns/set use-doh-server="";
 :if ([ $CertificateAvailable $DohCert ] = false) do={
 $LogPrintExit2 warning $0 ("Downloading certificate failed, trying without.") false;
 }
 }
- /ip/dns/set use-doh-server=$DohServer;
+ /ip/dns/set use-doh-server=$DohServer verify-doh-cert=$DohCertVerify;
 /ip/dns/cache/flush;
 }
 } else={ |
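Review bot: `DohCertVerify` in the first hunk starts from the router's current `verify-doh-cert` value, and the only assignment in this change sets it to `true`, so a DoH host with no certificate named keeps whatever was configured before, including unverified DoH. A comment on the declaration would make that intent explicit, for example `# keep the current setting; only switched on when a certificate is named`. If unverified DoH is not intended, a warning logged where the server is applied while `$DohCertVerify` is still false would surface it. The declaration sits in a run of locals that continues outside the hunk.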
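Review bot: In the second hunk `:set DohCertVerify true;` runs before the `$CertificateAvailable` check, so when the download fails the script logs "trying without." yet still applies `verify-doh-cert=true`. Failing closed is the safer outcome, but the message no longer describes what happens, and DoH lookups will presumably fail verification until the certificate is installed. Reword the warning to say so, for example `("Downloading certificate failed, DoH verification will fail.")`, and state in a comment that verification is deliberately kept on in that case. The enclosing `:if` / `else` block starts and ends outside the hunk.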