Reload expired client certificates

[mjdiffy]

When the client credentials used for mutual authentication expire, all requests
to a DoH server which enforces validitiy will fail. To mitigate this, we can
try to reload the existing credentials from disk. This assumes that the
credentials have been rotated outside of the dnscrypt-proxy process and thus a
reload will pick up the newest versions.

The simplest way to do this is to simply rebuild the transport upon receiving
an error which contains the string "bad certificate".

Resolves #2114

[mjdiffy]

To test my changes, I no longer had a mutually-authenticated DoH server which does enforce certificate validity, so I pointed it to another random HTTPS endpoint which did. However, it doesn't speak DoH, so I didn't expect valid outputs when it got there:

➜  dnscrypt-proxy git:(master) ✗ go run . --config ~/dnscrypt-proxy.toml
[2022-06-08 15:27:37] [NOTICE] dnscrypt-proxy 2.1.1
[2022-06-08 15:27:37] [NOTICE] Enabling TLS authentication
Reload expired client certificates
[2022-06-08 15:27:37] [NOTICE] Now listening to 127.0.0.1:53443 [UDP]
[2022-06-08 15:27:37] [NOTICE] Now listening to 127.0.0.1:53443 [TCP]
[2022-06-08 15:27:37] [NOTICE] Firefox workaround initialized
[2022-06-08 15:27:38] [WARNING] TLS certificate failure - Check the validity of the client certificate; reloading existing certificate
[2022-06-08 15:27:38] [WARNING] TLS certificate failure - Check the validity of the client certificate; reloading existing certificate
[2022-06-08 15:27:38] [WARNING] TLS certificate failure - Check the validity of the client certificate; reloading existing certificate
[2022-06-08 15:27:38] [WARNING] TLS certificate failure - Check the validity of the client certificate; reloading existing certificate
[2022-06-08 15:27:38] [ERROR] Get "https://<redacted>": remote error: tls: bad certificate
[2022-06-08 15:27:38] [NOTICE] dnscrypt-proxy is waiting for at least one server to be reachable
[2022-06-08 15:27:48] [WARNING] TLS certificate failure - Check the validity of the client certificate; reloading existing certificate
[2022-06-08 15:27:48] [WARNING] TLS certificate failure - Check the validity of the client certificate; reloading existing certificate
[2022-06-08 15:27:48] [WARNING] TLS certificate failure - Check the validity of the client certificate; reloading existing certificate
[2022-06-08 15:27:48] [WARNING] TLS certificate failure - Check the validity of the client certificate; reloading existing certificate
[2022-06-08 15:27:58] [WARNING] TLS certificate failure - Check the validity of the client certificate; reloading existing certificate

At this point, I flipped the certificate file to a non-expired version, and it reloaded properly, but now I had the issue of pointing at a non-DoH server, but at least what I was after worked!

[2022-06-08 15:27:58] [WARNING] [dohproxy_v6]: dns: bad rdata
[2022-06-08 15:27:59] [WARNING] [dohproxy_v4]: dns: bad rdata
[2022-06-08 15:28:09] [WARNING] [dohproxy_v6]: dns: bad rdata
[2022-06-08 15:28:09] [WARNING] [dohproxy_v4]: dns: bad rdata
# ...

[jedisct1]

Thanks!

It may work as a quick hack, but this is not something that can be merged as-is.

If a single server has a permanent certificate error, that would cause the entire configuration to be reloaded every time it gets a query. Not great if more than one server is in use, and that can even be considered a remotely exploitable security issue.

[jedisct1]

Also, the same issue may affect ODoH relays.