Unbound DNS over TLS handshake fail ambiguity
Important notices
Before you add a new report, we ask you kindly to acknowledge the following:
- [x] I have read the contributing guidelines at https://github.com/opnsense/core/blob/master/CONTRIBUTING.md
- [x] I am convinced that my issue is new after having checked both open and closed issues at https://github.com/opnsense/core/issues?q=is%3Aissue
Is your feature request related to a problem? Please describe.
Use of DNS over TLS fails during the SSL-init phase without a clear mention of the reason why. When a DoT service uses Let's Encrypt and does not renew in time, it reports that the handshake failed without an expiration notice.
Describe the solution you like
Clearly state the validation check failure, such as 'certificate expiration'. Offer an option to ignore the Let's Encrypt failure once for a period of N (hours/days/weeks).
In addition permit to prioritise DoT servers in the custom forwarding list.
Describe alternatives you considered
No alternatives appear to be available.
Additional context
Verified the SSL handshake issue using:
openssl s_client -connect <DoT IP here>:853 </dev/null | openssl x509 -noout -dates
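The check above only prints the raw notBefore/notAfter lines; the reader still has to compare them against the clock. The following added example (not OPNsense or Unbound code) turns that `openssl x509 -noout -dates` output into the kind of explicit verdict the request asks for, such as "certificate expired 9 day(s) ago", and also flags a certificate that is still valid but close to expiry. The sample output is constructed, the 30-day warning threshold is an assumption, and the `now` parameter exists so the result is reproducible offline.

```python
# Added example (not OPNsense/Unbound code): classify the validity window printed by
#   openssl s_client -connect <DoT IP here>:853 </dev/null | openssl x509 -noout -dates
# so a failing DoT upstream is reported as "expired" rather than a bare "handshake failed".
from datetime import datetime, timezone

# Constructed sample of what the openssl pipeline prints for an expired certificate.
SAMPLE_DATES_OUTPUT = """\
notBefore=Jan  1 00:00:00 2024 GMT
notAfter=Mar 31 23:59:59 2024 GMT
"""

# openssl prints dates like "Mar 31 23:59:59 2024 GMT"
OPENSSL_DATE_FMT = "%b %d %H:%M:%S %Y %Z"


def utc(year, month, day, hour=0, minute=0, second=0):
    """Small helper to build timezone-aware UTC timestamps for reproducible checks."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def parse_dates(output: str) -> tuple[datetime, datetime]:
    """Return (notBefore, notAfter) as timezone-aware UTC datetimes.

    Raises ValueError when either field is missing, so truncated or unexpected
    openssl output is reported instead of being silently treated as valid.
    """
    fields = {}
    for raw in output.splitlines():
        key, sep, value = raw.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            # openssl pads single-digit days with two spaces ("Jan  1"); collapse them
            value = " ".join(value.split())
            parsed = datetime.strptime(value, OPENSSL_DATE_FMT)
            fields[key] = parsed.replace(tzinfo=timezone.utc)
    missing = [k for k in ("notBefore", "notAfter") if k not in fields]
    if missing:
        raise ValueError(f"openssl output lacks {', '.join(missing)}")
    return fields["notBefore"], fields["notAfter"]


def classify(not_before, not_after, now=None, warn_days=30):
    """Classify the validity window relative to `now` (default: current UTC time).

    Returns (status, days): status is one of "not_yet_valid", "expired",
    "expiring_soon" or "valid"; days is the whole number of days until validity
    starts, since expiry, or until expiry. warn_days=30 is an assumed threshold
    matching the usual "renew within the last 30 days" practice for 90-day certs.
    """
    now = now or datetime.now(timezone.utc)
    if now < not_before:
        return "not_yet_valid", (not_before - now).days
    if now > not_after:
        return "expired", (now - not_after).days
    remaining = (not_after - now).days
    if remaining < warn_days:
        return "expiring_soon", remaining
    return "valid", remaining


def explain(output: str, now=None) -> str:
    """Human-readable verdict for the output of `openssl x509 -noout -dates`."""
    not_before, not_after = parse_dates(output)
    status, days = classify(not_before, not_after, now)
    window = (f"(notBefore={not_before:%Y-%m-%d %H:%M:%S} UTC, "
              f"notAfter={not_after:%Y-%m-%d %H:%M:%S} UTC)")
    if status == "expired":
        return f"certificate expired {days} day(s) ago {window}"
    if status == "not_yet_valid":
        return f"certificate not valid for another {days} day(s) {window}"
    if status == "expiring_soon":
        return f"certificate expires in {days} day(s); renew now {window}"
    return f"certificate valid for {days} more day(s) {window}"


if __name__ == "__main__":
    # Evaluate the constructed sample as if checked on 2024-04-10, so it reads as expired.
    print(explain(SAMPLE_DATES_OUTPUT, now=utc(2024, 4, 10, 12)))
```

In practice the output of the openssl pipeline would be fed to `explain()` directly; the `now` argument is only there so the verdict can be checked against fixed dates.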
Thank you for creating an issue. Since the ticket doesn't seem to be using one of our templates, we're marking this issue as low priority until further notice.
For more information about the policies for this repository, please read https://github.com/opnsense/core/blob/master/CONTRIBUTING.md for further details.
The easiest option to gain traction is to close this ticket and open a new one using one of our templates.
This issue has been automatically timed-out (after 180 days of inactivity).
For more information about the policies for this repository, please read https://github.com/opnsense/core/blob/master/CONTRIBUTING.md for further details.
If someone wants to step up and work on this issue, just let us know, so we can reopen the issue and assign an owner to it.