From: Jan Just Keijser
Date: Sat, 26 Dec 2015 09:15:04 +0000 (+0100)
Subject: Make certificate expiry warning patch (091edd8e299686) work on OpenSSL 1.0.1 and...
X-Git-Tag: v2.4_alpha1~167
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0e591a2fce325e2b91d429ea18aa6ed383330383;p=thirdparty%2Fopenvpn.git
Make certificate expiry warning patch (091edd8e299686) work on OpenSSL 1.0.1 and earlier.
Integrating feedback from Steffan Karger, tested by Gert Doering on FreeBSD 7.4 / OpenSSL 0.9.8.
Signed-off-by: Gert Doering
Acked-by: Steffan Karger
Message-Id: <20151226091900.GU24952@greenie.muc.de>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10881
---
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 4792b088c..0a7f14b0b 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -353,9 +353,17 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)
 void
 tls_ctx_check_cert_time (const struct tls_root_ctx *ctx)
 {
-#if OPENSSL_VERSION_NUMBER >= 0x10002000L
   int ret;
-  const X509 *cert = SSL_CTX_get0_certificate(ctx->ctx);
+  const X509 *cert;
+
+#if OPENSSL_VERSION_NUMBER >= 0x10002000L
+  /* OpenSSL 1.0.2 and up */
+  cert = SSL_CTX_get0_certificate(ctx->ctx);
+#else
+  /* OpenSSL 1.0.1 and earlier need an SSL object to get at the certificate */
+  SSL *ssl = SSL_new(ctx->ctx);
+  cert = SSL_get_certificate(ssl);
+#endif
 
   ret = X509_cmp_time (X509_get_notBefore (cert), NULL);
   if (ret == 0)
@@ -376,6 +384,8 @@ tls_ctx_check_cert_time (const struct tls_root_ctx *ctx)
     {
       msg (M_WARN, "WARNING: Your certificate has expired!");
     }
+#if OPENSSL_VERSION_NUMBER < 0x10002000L
+  SSL_free(ssl);
 #endif
 }
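Review bot: On the pre-1.0.2 branch, `SSL *ssl = SSL_new(ctx->ctx);` is followed directly by `cert = SSL_get_certificate(ssl);` with no check that SSL_new succeeded; SSL_new returns NULL on allocation failure and SSL_get_certificate reads through its argument, so the new branch can crash at startup where the old code merely skipped the warning. Either branch can also yield a NULL `cert` when the context has no certificate loaded, and `X509_cmp_time (X509_get_notBefore (cert), NULL)` two lines later dereferences it unchecked; the 1.0.2 path already had that exposure before this commit, but the refactor is the natural place to close it, bearing in mind that an early return on the old-OpenSSL branch must SSL_free the object first because `cert` is borrowed from it. A suggested shape follows; tls_ctx_check_cert_time's body runs past this hunk into the next one, which adds the matching SSL_free.
```c
#else
  /* OpenSSL 1.0.1 and earlier need an SSL object to get at the certificate */
  SSL *ssl = SSL_new(ctx->ctx);
  if (!ssl)
    {
      msg (M_WARN, "WARNING: Could not allocate SSL object to check certificate validity dates");
      return;
    }
  cert = SSL_get_certificate(ssl);
#endif
  if (!cert)
    {
      msg (M_WARN, "WARNING: No certificate loaded, cannot check validity dates");
#if OPENSSL_VERSION_NUMBER < 0x10002000L
      SSL_free(ssl);
#endif
      return;
    }

  /* … unchanged: notBefore / notAfter comparisons and warnings, then SSL_free … */
```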