From: Steffan Karger
Date: Mon, 14 Dec 2015 20:09:18 +0000 (+0100)
Subject: Warn user if their certificate has expired
X-Git-Tag: v2.4_alpha1~172
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=091edd8e2996867447eeb665af957547aa8b3107;p=thirdparty%2Fopenvpn.git

Warn user if their certificate has expired

Previously, client certificate expiry warnings would only visible in the server log, and server certificate expiry warnings in the client log. Both after a (failed) connection attempt. This patch adds a warning to log when a users own certificate has expired (or is not yet valid) to ease problem diagnosis / error reporting. Note that this is just a warning, since on some systems (notably embedded devices) there might be no correct time available.

Signed-off-by: Steffan Karger
Acked-by: Gert Doering
Message-Id: <1450123758-31641-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10794
Signed-off-by: Gert Doering
---
diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 887bd75e6..665fdd7d1 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -566,6 +566,9 @@ init_ssl (const struct options *options, struct tls_root_ctx *new_ctx)
 tls_ctx_load_extra_certs(new_ctx, options->extra_certs_file, options->extra_certs_file_inline);
 }
+ /* Check certificate notBefore and notAfter */
+ tls_ctx_check_cert_time(new_ctx);
+
 /* Once keys and cert are loaded, load ECDH parameters */
 if (options->tls_server)
 tls_ctx_load_ecdh_params(new_ctx, options->ecdh_curve);
diff --git a/src/openvpn/ssl_backend.h b/src/openvpn/ssl_backend.h
index 99930e586..ac28f5fef 100644
--- a/src/openvpn/ssl_backend.h
+++ b/src/openvpn/ssl_backend.h
@@ -174,6 +174,15 @@ void tls_ctx_set_options (struct tls_root_ctx *ctx, unsigned int ssl_flags);
 */
 void tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers);
 
+/**
+ * Check our certificate notBefore and notAfter fields, and warn if the cert is
+ * either not yet valid or has expired. Note that this is a non-fatal error,
+ * since we compare against the system time, which might be incorrect.
+ *
+ * @param ctx TLS context to get our certificate from.
+ */
+void tls_ctx_check_cert_time (const struct tls_root_ctx *ctx);
+
 /**
+ * Load Diffie Hellman Parameters, and load them into the library-specific
+ * TLS context.
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 4430fec2d..2b74818ba 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -350,6 +350,33 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)
 crypto_msg (M_FATAL, "Failed to set restricted TLS cipher list: %s", openssl_ciphers);
 }
 
+void
+tls_ctx_check_cert_time (const struct tls_root_ctx *ctx)
+{
+ int ret;
+ const X509 *cert = SSL_CTX_get0_certificate(ctx->ctx);
+
+ ret = X509_cmp_time (X509_get_notBefore (cert), NULL);
+ if (ret == 0)
+ {
+ msg (D_TLS_DEBUG_MED, "Failed to read certificate notBefore field.");
+ }
+ if (ret > 0)
+ {
+ msg (M_WARN, "WARNING: Your certificate is not yet valid!");
+ }
+
+ ret = X509_cmp_time (X509_get_notAfter (cert), NULL);
+ if (ret == 0)
+ {
+ msg (D_TLS_DEBUG_MED, "Failed to read certificate notAfter field.");
+ }
+ if (ret < 0)
+ {
+ msg (M_WARN, "WARNING: Your certificate has expired!");
+ }
+}
+
 void
 tls_ctx_load_dh_params (struct tls_root_ctx *ctx, const char *dh_file,
 const char *dh_file_inline
diff --git a/src/openvpn/ssl_polarssl.c b/src/openvpn/ssl_polarssl.c
index cfdeb5215..d7a40d772 100644
--- a/src/openvpn/ssl_polarssl.c
+++ b/src/openvpn/ssl_polarssl.c
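Review bot: In the ssl_openssl.c hunk `cert` is passed to `X509_get_notBefore (cert)` without a NULL check, yet `SSL_CTX_get0_certificate` returns NULL when no certificate has been installed in the SSL_CTX, and the call added in init_ssl (ssl.c hunk) is unconditional, so any configuration that reaches init_ssl without loading a certificate (I cannot see init_ssl's earlier branches from the hunk, so this is inferred) would crash at startup instead of getting a warning. Add `if (cert == NULL) { return; /* nothing to check */ }` directly after the assignment. The PolarSSL variant in the ssl_polarssl.c hunk has the same gap, dereferencing `ctx->crt_chain` unguarded, and wants an equivalent `if (ctx->crt_chain == NULL) { return; }` at the top of the function. Separately, `SSL_CTX_get0_certificate` only exists from OpenSSL 1.0.2 onwards; if the project still builds against 1.0.1 this needs a version-guarded fallback (for example a temporary SSL object queried with `SSL_get_certificate`).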
@@ -215,6 +215,20 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)
 free(tmp_ciphers_orig);
 }
 
+void
+tls_ctx_check_cert_time (const struct tls_root_ctx *ctx)
+{
+ if (x509_time_future (&ctx->crt_chain->valid_from))
+ {
+ msg (M_WARN, "WARNING: Your certificate is not yet valid!");
+ }
+
+ if (x509_time_expired (&ctx->crt_chain->valid_to))
+ {
+ msg (M_WARN, "WARNING: Your certificate has expired!");
+ }
+}
+
 void
 tls_ctx_load_dh_params (struct tls_root_ctx *ctx, const char *dh_file,
 const char *dh_inline