As it appears commit
767e4c56becbfeea525e4695a810593f373883cd "Log
serial number of revoked certificate" hasn't survive refactoring
of CRL handling.
In most of situations admin of OpenVPN server needs to know which
particular certificate is used by client.
In the case when certificate is valid, environment variable can be
used for that but once it is revoked, no user scripts are invoked
so there is no way to get serial number, only subject is logged.
Let's log certificate serial in case it is revoked and additionally
log certificate depth & subject in crl-verify "dir" mode for better
consistency with crl file (non-dir) mode.
v2: log if serial is not availble, require it in crl-verify dir mode
Signed-off-by: Vladislav Grishenko <themiron@yandex-team.ru>
Acked-by: Lev Stipakov <lstipakov@gmail.com>
Message-Id: <
20200805102333.3109-1-themiron@yandex-team.ru>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg20642.html
Signed-off-by: Gert Doering <gert@greenie.muc.de>
* check peer cert against CRL directory
*/
static result_t
-verify_check_crl_dir(const char *crl_dir, openvpn_x509_cert_t *cert)
+verify_check_crl_dir(const char *crl_dir, openvpn_x509_cert_t *cert,
+ const char *subject, int cert_depth)
{
result_t ret = FAILURE;
char fn[256];
struct gc_arena gc = gc_new();
char *serial = backend_x509_get_serial(cert, &gc);
+ if (!serial)
+ {
+ msg(D_HANDSHAKE, "VERIFY CRL: depth=%d, %s, serial number is not available",
+ cert_depth, subject);
+ goto cleanup;
+ }
if (!openvpn_snprintf(fn, sizeof(fn), "%s%c%s", crl_dir, OS_SPECIFIC_DIRSEP, serial))
{
fd = platform_open(fn, O_RDONLY, 0);
if (fd >= 0)
{
- msg(D_HANDSHAKE, "VERIFY CRL: certificate serial number %s is revoked", serial);
+ msg(D_HANDSHAKE, "VERIFY CRL: depth=%d, %s, serial=%s is revoked",
+ cert_depth, subject, serial);
goto cleanup;
}
{
if (opt->ssl_flags & SSLF_CRL_VERIFY_DIR)
{
- if (SUCCESS != verify_check_crl_dir(opt->crl_file, cert))
+ if (SUCCESS != verify_check_crl_dir(opt->crl_file, cert, subject, cert_depth))
{
goto cleanup;
}
int ret = 0;
char errstr[512] = { 0 };
char *subject = x509_get_subject(cert, &gc);
+ char *serial = backend_x509_get_serial(cert, &gc);
ret = mbedtls_x509_crt_verify_info(errstr, sizeof(errstr)-1, "", *flags);
if (ret <= 0 && !openvpn_snprintf(errstr, sizeof(errstr),
if (subject)
{
- msg(D_TLS_ERRORS, "VERIFY ERROR: depth=%d, subject=%s: %s",
- cert_depth, subject, errstr);
+ msg(D_TLS_ERRORS, "VERIFY ERROR: depth=%d, subject=%s, serial=%s: %s",
+ cert_depth, subject, serial ? serial : "<not available>", errstr);
}
else
{
{
/* get the X509 name */
char *subject = x509_get_subject(current_cert, &gc);
+ char *serial = backend_x509_get_serial(current_cert, &gc);
if (!subject)
{
}
/* Remote site specified a certificate, but it's not correct */
- msg(D_TLS_ERRORS, "VERIFY ERROR: depth=%d, error=%s: %s",
+ msg(D_TLS_ERRORS, "VERIFY ERROR: depth=%d, error=%s: %s, serial=%s",
X509_STORE_CTX_get_error_depth(ctx),
X509_verify_cert_error_string(X509_STORE_CTX_get_error(ctx)),
- subject);
+ subject, serial ? serial : "<not available>");
ERR_clear_error();
projects / thirdparty / openvpn.git / commitdiff
