Which hash to use in the sdns address for DoH
I'm a little confused which hash I should use and fill in here.
When I run .\dnscrypt-proxy -show-certs with the hash-less sdns address as the only server I get three, and it says here that I should use the last one, but somewhere else that I should use the LE R3 one.
This is the output of .\dnscrypt-proxy -show-certs
[2023-09-23 16:12:44] [NOTICE] Advertised cert: [CN=example.com] [337e3314f612e8e6d8e450383e2c446cd4c9defadef7059f8a1324e6e0c27be2]
[2023-09-23 16:12:44] [NOTICE] Advertised cert: [CN=R3,O=Let's Encrypt,C=US] [444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce]
[2023-09-23 16:12:44] [NOTICE] Advertised cert: [CN=ISRG Root X1,O=Internet Security Research Group,C=US] [11b102e6b1f63e528984d6025f32b138241fc88bbd7519574d70c9832d53e1e8]
Hi!
If the cert in the stamp is found, no matter at which position, validation will pass.
You should pick a cert that is not going to change too frequently.
In your case, there are two certs:
- The actual Let's Encrypt one. It's the CA, it's not going to change frequently.
- The ISRG cert, that signs the Let's Encrypt one. It's a hack for very old operating systems that don't know about Let's Encrypt as a CA.
If the stamp has the Let's Encrypt hash, the domain needs to be signed by Let's Encrypt.
If the stamp has the ISRG hash, the domain can be signed by Let's Encrypt, or by anything else ISRG also signs, which can be completely unrelated to Let's Encrypt.
TLDR: the latter is a superset of the former, so for that special case, using the former, which is the actual CA, is safer.
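To make the answer above concrete, here is an added example (not code from this thread or from dnscrypt-proxy itself) that encodes and decodes a DoH stamp in the sdns:// format and models the pinning rule stated above: validation passes as soon as any hash listed in the stamp matches any certificate in the presented chain. The three hashes are the ones from the -show-certs output in the question; the hostname "example.com" is taken from that output, and the address and path values are assumptions for illustration. The stamp layout (protocol byte 0x02, 64-bit little-endian properties, length-prefixed address, a variable-length list of hashes, length-prefixed hostname and path) follows the published DNS stamps format.

```python
import base64
import struct

# Hashes from the -show-certs output in the question (hex SHA-256 of each TBSCertificate).
LEAF_HASH = "337e3314f612e8e6d8e450383e2c446cd4c9defadef7059f8a1324e6e0c27be2"
R3_HASH = "444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce"        # Let's Encrypt R3 (the CA)
ISRG_ROOT_X1_HASH = "11b102e6b1f63e528984d6025f32b138241fc88bbd7519574d70c9832d53e1e8"  # ISRG Root X1


def _lp(data: bytes) -> bytes:
    """Length-prefixed field: one length byte followed by the data."""
    return bytes([len(data)]) + data


def _vlp(items) -> bytes:
    """Variable-length list: each item is length-prefixed, and the high bit of the
    length byte is set on every item except the last. An empty list is a single 0x00."""
    if not items:
        return b"\x00"
    out = b""
    for i, item in enumerate(items):
        more = 0x80 if i < len(items) - 1 else 0x00
        out += bytes([len(item) | more]) + item
    return out


def encode_doh_stamp(hostname, path="/dns-query", addr="", hashes=(),
                     dnssec=True, no_logs=True, no_filter=True):
    """Build an sdns:// DoH stamp. Hashes are hex strings of TBSCertificate digests."""
    props = (int(dnssec) << 0) | (int(no_logs) << 1) | (int(no_filter) << 2)
    raw = (b"\x02"
           + struct.pack("<Q", props)
           + _lp(addr.encode())
           + _vlp([bytes.fromhex(h) for h in hashes])
           + _lp(hostname.encode())
           + _lp(path.encode()))
    return "sdns://" + base64.urlsafe_b64encode(raw).decode().rstrip("=")


def decode_doh_stamp(stamp):
    """Parse an sdns:// DoH stamp back into its fields (hashes returned as lowercase hex)."""
    if not stamp.startswith("sdns://"):
        raise ValueError("not a DNS stamp")
    b64 = stamp[len("sdns://"):]
    raw = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
    if raw[0] != 0x02:
        raise ValueError("not a DoH (0x02) stamp")
    pos = 1
    props = struct.unpack_from("<Q", raw, pos)[0]
    pos += 8

    def read_lp():
        nonlocal pos
        n = raw[pos]
        pos += 1
        val = raw[pos:pos + n]
        pos += n
        return val

    def read_vlp():
        nonlocal pos
        items = []
        while True:
            n = raw[pos]
            pos += 1
            more, n = n & 0x80, n & 0x7F
            if n:
                items.append(raw[pos:pos + n])
                pos += n
            if not more:
                return items

    addr = read_lp().decode()
    hashes = [h.hex() for h in read_vlp()]
    hostname = read_lp().decode()
    path = read_lp().decode()
    return {"dnssec": bool(props & 1), "no_logs": bool(props & 2), "no_filter": bool(props & 4),
            "addr": addr, "hashes": hashes, "hostname": hostname, "path": path}


def chain_accepted(stamp_hashes, chain_hashes):
    """The pinning rule from the answer: the stamp is satisfied if any pinned hash
    appears anywhere in the chain the server presents, regardless of position."""
    pinned = {h.lower() for h in stamp_hashes}
    return any(h.lower() in pinned for h in chain_hashes)


if __name__ == "__main__":
    # Constructed sample: the chain from the question, pinned to the R3 (CA) hash.
    chain = [LEAF_HASH, R3_HASH, ISRG_ROOT_X1_HASH]
    stamp = encode_doh_stamp("example.com", addr="192.0.2.1", hashes=[R3_HASH])  # addr is a placeholder
    print(stamp)
    print(decode_doh_stamp(stamp))
    print("chain accepted:", chain_accepted(decode_doh_stamp(stamp)["hashes"], chain))
```

Pinning to R3 accepts this chain, pinning to ISRG Root X1 also accepts it (and would accept any other chain ISRG signs), and pinning to a hash of an unrelated CA rejects it; running the block shows the round trip and the check on the chain from the question.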
Aha, thanks for your explanation! So, to be clear, ideally I use 444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce as the hash.
Yes, exactly.
Unrelated: meganerd-ipv6 (dnscrypt) seems to be having a certificate issue right now.
Strange. Indeed. Will make a PR.