Log serial number of revoked certificate

In most of situations admin of OpenVPN server needs to know which
particular certificate is used by client.
In the case when certificate is OK, environment variable can be used for
that but once it is revoked, no user scripts are invoked so there is
no way to get serial number: only subject is printed in logs.

So we log certificate serial in case it is revoked.

Sponsored-by: Yandex LLC
Signed-off-by: Boris Lytochkin <lytboris@yandex-team.ru>
Acked-by: Steffan Karger <steffan.karger@fox-it.com>
Message-Id: <55FEBF7E.3010209@yandex-team.ru>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10154

Signed-off-by: Gert Doering <gert@greenie.muc.de>

diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c
index 81b2e38da81f0785a6284fb7c2a74ae912d84aa7..bf535227d500dc8cc2f5388501fac5d7c5d17271 100644 (file)
--- a/src/openvpn/ssl_verify_openssl.c
+++ b/src/openvpn/ssl_verify_openssl.c
@@ -585,6 +585,8 @@ x509_verify_crl(const char *crl_file, X509 *peer_cert, const char *subject)
   BIO *in=NULL;
   int n,i;
   result_t retval = FAILURE;
+  struct gc_arena gc = gc_new();
+  char *serial;
 
   in = BIO_new_file (crl_file, "r");
 
@@ -609,7 +611,8 @@ x509_verify_crl(const char *crl_file, X509 *peer_cert, const char *subject)
   for (i = 0; i < n; i++) {
     revoked = (X509_REVOKED *)sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), i);
     if (ASN1_INTEGER_cmp(revoked->serialNumber, X509_get_serialNumber(peer_cert)) == 0) {
-      msg (D_HANDSHAKE, "CRL CHECK FAILED: %s is REVOKED",subject);
+      serial = backend_x509_get_serial_hex(peer_cert, &gc);
+      msg (D_HANDSHAKE, "CRL CHECK FAILED: %s (serial %s) is REVOKED", subject, (serial ? serial : "NOT AVAILABLE"));
       goto end;
     }
   }
@@ -618,6 +621,7 @@ x509_verify_crl(const char *crl_file, X509 *peer_cert, const char *subject)
   msg (D_HANDSHAKE, "CRL CHECK OK: %s",subject);
 
 end:
+  gc_free(&gc);
   BIO_free(in);
   if (crl)
     X509_CRL_free (crl);

diff --git a/src/openvpn/ssl_verify_polarssl.c b/src/openvpn/ssl_verify_polarssl.c
index 2edf21dd3dd18c6f755e01725c28efed3b68838f..4852243e2403eea0eb2441a1205c7fed02386971 100644 (file)
--- a/src/openvpn/ssl_verify_polarssl.c
+++ b/src/openvpn/ssl_verify_polarssl.c
@@ -373,6 +373,8 @@ x509_verify_crl(const char *crl_file, x509_crt *cert, const char *subject)
 {
   result_t retval = FAILURE;
   x509_crl crl = {0};
+  struct gc_arena gc = gc_new();
+  char *serial;
 
   int polar_retval = x509_crl_parse_file(&crl, crl_file);
   if (polar_retval != 0)
@@ -394,7 +396,8 @@ x509_verify_crl(const char *crl_file, x509_crt *cert, const char *subject)
 
   if (0 != x509_crt_revoked(cert, &crl))
     {
-      msg (D_HANDSHAKE, "CRL CHECK FAILED: %s is REVOKED", subject);
+      serial = backend_x509_get_serial_hex(cert, &gc);
+      msg (D_HANDSHAKE, "CRL CHECK FAILED: %s (serial %s) is REVOKED", subject, (serial ? serial : "NOT AVAILABLE"));
       goto end;
     }
 
@@ -402,6 +405,7 @@ x509_verify_crl(const char *crl_file, x509_crt *cert, const char *subject)
   msg (D_HANDSHAKE, "CRL CHECK OK: %s",subject);
 
 end:
+  gc_free(&gc);
   x509_crl_free(&crl);
   return retval;
 }