Generate resolver configuration with (dynamic) SPKI info for stubby/OpenWRT
from __future__ import annotations

import base64
import hashlib
import subprocess
import sys
# get spki of dns servers and generate a stubby compatilble configuration | |
# Never blindly trust the output! Verify it on your own by hand! | |
# configure DoT servers here | |
servers = { | |
1: {"ip": ["49.182.19.48"], "server": "dns2.digitalcourage.de", "port": "853" }, | |
2: {"ip": ["2a02:2970:1002::18"], "server": "dns2.digitalcourage.de", "port": "853" }, | |
} | |
ciphers = "option tls_ciphersuites 'TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256'\n\toption tls_min_version '1.2'" | |
openWrtConfig = [] | |
for i, server in servers.items(): | |
cmd = [] | |
cmd.append(r"openssl s_client -showcerts -connect %s:%s </dev/null 2>/dev/null|openssl x509 -outform PEM >mycert.pem" % (server["server"], server["port"])) | |
cmd.append(r" && openssl x509 -pubkey -noout -in mycert.pem | openssl pkey -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64; rm mycert.pem") | |
fullCmd = "".join(cmd) | |
# print("cmd:", fullCmd) | |
output = subprocess.run([fullCmd], check=False, shell=True, capture_output=True, text=True) | |
spki = output.stdout | |
print("SPKI for server '%s' and port '%s': sha256/%s" % (server["server"], server["port"], spki)) | |
config = "config resolver\n" | |
config = config + "\toption tls_port %s\n" % server["port"] | |
for ip in server["ip"]: | |
config = config + "\toption address '%s'\n" % ip | |
config = config + ("\toption tls_auth_name '%s'\n" % server["server"]) | |
spki = spki.split("\n")[0] | |
if str(spki) != "": | |
config = config + "\tlist spki 'sha256/%s'\n" % spki | |
if str(ciphers) != "": | |
config = config + "\t%s\n" % ciphers | |
openWrtConfig.append(config) | |
print("stubby resolver config for the router:\n%s" % "\n".join(openWrtConfig)) |