git.ipfire.org Git - thirdparty/openvpn.git/commit

author	Steffan Karger <steffan@karger.me>
	Sat, 19 Dec 2015 11:39:29 +0000 (12:39 +0100)
committer	Gert Doering <gert@greenie.muc.de>
	Sat, 19 Dec 2015 13:25:00 +0000 (14:25 +0100)
commit	dfd940bb008feb2fe981ceab3ed66fdb3cf21bdb
tree	614b6d400bd3ea08c722cd7eb088a93fca6d30b7	tree
parent	6eec6a0f314aa8e4dd97ef4502ae7726af19794d	commit \| diff

Warn user if their certificate has expired

Previously, client certificate expiry warnings would only visible in the
server log, and server certificate expiry warnings in the client log.
Both after a (failed) connection attempt.  This patch adds a warning to
log when a users own certificate has expired (or is not yet valid) to ease
problem diagnosis / error reporting.

Note that this is just a warning, since on some systems (notably embedded
devices) there might be no correct time available.

The SSL_CTX_get0_certificate() function is available in OpenSSL 1.0.2+
only.  Older versions seem to not have a useful alternative, and the
certificate reference we need is hidden in an opaque struct.  The
remaining option would then be to add extra workaround code for the select
group of people that do use an up-to-date openvpn, but do not update their
openssl.  I don't think that's worth it.  So just disable the code for
older openssl versions.

(This is a combination of commits 091edd8e and 644f2cdd from the master
branch, adjusted to apply to the release/2.3 branch cleanly)

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1450525169-12961-2-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10855
Signed-off-by: Gert Doering <gert@greenie.muc.de>

src/openvpn/ssl.c		diff \| blob \| blame \| history
src/openvpn/ssl_backend.h		diff \| blob \| blame \| history
src/openvpn/ssl_openssl.c		diff \| blob \| blame \| history
src/openvpn/ssl_polarssl.c		diff \| blob \| blame \| history