From 80db12a3e9c4f7fe14865d329de115068501b5a4 Mon Sep 17 00:00:00 2001
From: Christian Hesse
Date: Thu, 11 Jan 2024 09:22:32 +0100
Subject: netwatch-dns: enable DoH certificate verification...

... if a certificate is named in configuration.
---
 netwatch-dns.rsc | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
(limited to 'netwatch-dns.rsc')

diff --git a/netwatch-dns.rsc b/netwatch-dns.rsc
index bf0b24e..7709ce8 100644
--- a/netwatch-dns.rsc
+++ b/netwatch-dns.rsc
@@ -59,6 +59,7 @@ $ScriptLock $0;
 :local DohServer "";
 :local DohCert "";
+:local DohCertVerify [ /ip/dns/get verify-doh-cert ];
 :local DohCurrent [ /ip/dns/get use-doh-server ];
 :foreach Host in=[ /tool/netwatch/find where comment~"\\bdoh\\b" status="up" ] do={
@@ -81,12 +82,13 @@ $ScriptLock $0;
 :if ($DohServer != $DohCurrent) do={
 $LogPrintExit2 info $0 ("Updating DoH server: " . $DohServer) false;
 :if ([ :len $DohCert ] > 0) do={
+ :set DohCertVerify true;
 /ip/dns/set use-doh-server="";
 :if ([ $CertificateAvailable $DohCert ] = false) do={
 $LogPrintExit2 warning $0 ("Downloading certificate failed, trying without.") false;
 }
 }
- /ip/dns/set use-doh-server=$DohServer;
+ /ip/dns/set use-doh-server=$DohServer verify-doh-cert=$DohCertVerify;
 /ip/dns/cache/flush;
 }
 } else={
--
cgit v1.2.3-54-g00ecf
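Review bot: The new `DohCertVerify` local is seeded from the router's current `verify-doh-cert`, and that choice is undocumented although it decides the verification state for every netwatch host that names no certificate. For such a host the value written back in the second hunk is whatever an earlier run or a manual change left on the device, and nothing in the visible lines ever turns it off again. A comment above the new `:local` would make that intent explicit, for example `# keep the configured verify-doh-cert unless a certificate is named for the selected host`. If inheriting the previous state is not intended, the default should be stated here instead; the surrounding script body continues outside the hunk.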
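Review bot: In the `[ $CertificateAvailable $DohCert ] = false` branch the warning still reads "trying without", but `:set DohCertVerify true` has already run, so the following `/ip/dns/set` enables the server with `verify-doh-cert=true` even though the certificate could not be obtained. That fails closed, which is the safer outcome, but it presumably leaves DoH resolution failing until the certificate is imported, and the log line no longer tells the operator why. I would keep verification enabled rather than fall back to unverified DoH and make the message match, e.g. `$LogPrintExit2 warning $0 ("Downloading certificate failed, DoH verification stays enabled.") false;`. The enclosing `:if` / `else` block starts and ends outside the hunk.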