Previously, client certificate expiry warnings were only visible in the
server log, and server certificate expiry warnings in the client log.
Both after a (failed) connection attempt. This patch adds a warning to
log when a user's own certificate has expired (or is not yet valid) to ease
problem diagnosis / error reporting.
Note that this is just a warning, since on some systems (notably embedded
devices) there might be no correct time available.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <
1450123758-31641-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10794
Signed-off-by: Gert Doering <gert@greenie.muc.de>
tls_ctx_load_extra_certs(new_ctx, options->extra_certs_file, options->extra_certs_file_inline);
}
+ /* Check certificate notBefore and notAfter */
+ tls_ctx_check_cert_time(new_ctx);
+
/* Once keys and cert are loaded, load ECDH parameters */
if (options->tls_server)
tls_ctx_load_ecdh_params(new_ctx, options->ecdh_curve);
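Review bot: The new `tls_ctx_check_cert_time(new_ctx);` call runs unconditionally, right after the extra-certs load and before the ECDH setup, but the lines that load our own certificate into new_ctx are outside this hunk, so it is not visible here whether every configuration reaching this point actually has a certificate in the context (e.g. externally managed or token-backed certificates). If some do not, either this call needs a guard or both backend implementations must tolerate a context without a certificate; as written the backends dereference what they fetch without checking. A one-line comment at the call site would help the next reader, e.g. `/* Non-fatal: system time may be wrong (embedded devices), so only warn */`. The enclosing function starts and ends outside this hunk.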
*/
void tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers);
+/**
+ * Check our certificate notBefore and notAfter fields, and warn if the cert is
+ * either not yet valid or has expired. Note that this is a non-fatal error,
+ * since we compare against the system time, which might be incorrect.
+ *
+ * @param ctx TLS context to get our certificate from.
+ */
+void tls_ctx_check_cert_time (const struct tls_root_ctx *ctx);
+
/**
* Load Diffie Hellman Parameters, and load them into the library-specific
* TLS context.
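Review bot: The new doc comment for `tls_ctx_check_cert_time` does not state its precondition or what happens when the context holds no certificate, which is exactly the case a caller adding this to another code path would want to know. I would add to the comment something like ` * Must be called after our certificate has been loaded into @p ctx; behaviour with an empty context is backend-specific.` (or, better, make the backends tolerate it and document "does nothing if no certificate is loaded"). It would also be worth saying that the warnings go to the log via msg() at M_WARN level, since "warn" alone is ambiguous in an API that also returns nothing.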
crypto_msg (M_FATAL, "Failed to set restricted TLS cipher list: %s", openssl_ciphers);
}
+void
+tls_ctx_check_cert_time (const struct tls_root_ctx *ctx)
+{
+ int ret;
+ const X509 *cert = SSL_CTX_get0_certificate(ctx->ctx);
+
+ ret = X509_cmp_time (X509_get_notBefore (cert), NULL);
+ if (ret == 0)
+ {
+ msg (D_TLS_DEBUG_MED, "Failed to read certificate notBefore field.");
+ }
+ if (ret > 0)
+ {
+ msg (M_WARN, "WARNING: Your certificate is not yet valid!");
+ }
+
+ ret = X509_cmp_time (X509_get_notAfter (cert), NULL);
+ if (ret == 0)
+ {
+ msg (D_TLS_DEBUG_MED, "Failed to read certificate notAfter field.");
+ }
+ if (ret < 0)
+ {
+ msg (M_WARN, "WARNING: Your certificate has expired!");
+ }
+}
+
void
tls_ctx_load_dh_params (struct tls_root_ctx *ctx, const char *dh_file,
const char *dh_file_inline
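Review bot: `cert` from `SSL_CTX_get0_certificate(ctx->ctx)` is passed straight to `X509_get_notBefore(cert)` with no NULL check; that accessor returns NULL when no certificate has been set on the SSL_CTX, so any configuration that reaches this function without a loaded certificate will crash rather than warn. Add `if (cert == NULL) return;` directly after the assignment (with a comment that there is nothing to check), which also keeps the function consistent with the "this is only a warning" intent stated in the doc comment. Note also that `SSL_CTX_get0_certificate` only exists in newer OpenSSL releases (1.0.2 and later, as far as I recall); if the project still builds against older OpenSSL this needs a version guard and a fallback. The `ret == 0` handling of `X509_cmp_time` is correct since 0 is its error return, but the two `if` blocks per field could be an `if`/`else if` to make the three-way outcome explicit.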
free(tmp_ciphers_orig);
}
+void
+tls_ctx_check_cert_time (const struct tls_root_ctx *ctx)
+{
+ if (x509_time_future (&ctx->crt_chain->valid_from))
+ {
+ msg (M_WARN, "WARNING: Your certificate is not yet valid!");
+ }
+
+ if (x509_time_expired (&ctx->crt_chain->valid_to))
+ {
+ msg (M_WARN, "WARNING: Your certificate has expired!");
+ }
+}
+
void
tls_ctx_load_dh_params (struct tls_root_ctx *ctx, const char *dh_file,
const char *dh_inline
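Review bot: `ctx->crt_chain->valid_from` and `ctx->crt_chain->valid_to` are dereferenced without checking that `ctx->crt_chain` is non-NULL; if this function is reached on a context where no certificate was loaded, that is a NULL dereference on the first line of the body. A guard at the top, `if (ctx->crt_chain == NULL) return; /* nothing to check */`, keeps the check non-fatal as the header comment promises and mirrors what the OpenSSL backend should do as well. It is also worth a one-line comment that only the first certificate in the chain (our own leaf) is examined, since `crt_chain` is a linked list and a reader might expect the whole chain to be walked.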