From: Steffan Karger
Date: Mon, 14 Dec 2015 22:14:45 +0000 (+0100)
Subject: Disable certificate notBefore/notAfter sanity check on OpenSSL < 1.0.2
X-Git-Tag: v2.4_alpha1~171
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=644f2cdd13f49cd374aebc1fc506474104aac372;p=thirdparty%2Fopenvpn.git

Disable certificate notBefore/notAfter sanity check on OpenSSL < 1.0.2

The SSL_CTX_get0_certificate() function I used in 091edd8e is available in OpenSSL 1.0.2+ only. Older versions seem to not have a useful alternative. The remaining option would then be to create a cache for our parsed certificate, but that would mean adding more struct members and code for the select group of people that do use an up-to-date openvpn, but do not update their openssl. I don't think that's worth it. So just disable the code for older openssl versions.

Signed-off-by: Steffan Karger
Acked-by: Gert Doering
Message-Id: <1450131285-30182-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10802
Signed-off-by: Gert Doering
---
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 2b74818ba..4792b088c 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -353,6 +353,7 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers) void tls_ctx_check_cert_time (const struct tls_root_ctx *ctx) { +#if OPENSSL_VERSION_NUMBER >= 0x10002000L int ret; const X509 *cert = SSL_CTX_get0_certificate(ctx->ctx); @@ -375,6 +376,7 @@ tls_ctx_check_cert_time (const struct tls_root_ctx *ctx) { msg (M_WARN, "WARNING: Your certificate has expired!"); } +#endif } void
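Review bot: In the first hunk (@@ -353,6 +353,7 @@), the new `#if OPENSSL_VERSION_NUMBER >= 0x10002000L` turns tls_ctx_check_cert_time() into a silent no-op on older OpenSSL: nothing at compile time or at run time tells the operator that the notBefore/notAfter sanity check is not being performed, and the `ctx` parameter becomes unused in that configuration, which will trip -Wunused-parameter builds. Suggest adding an `#else` branch that both documents the gap and keeps the build quiet, for example: `#else /* OpenSSL < 1.0.2: SSL_CTX_get0_certificate() not available */` followed by `(void)ctx;` and a low-verbosity `msg()` noting that the certificate validity-period check is skipped, so the reason from the commit message lives next to the code rather than only in git history.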
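Review bot: In the second hunk (@@ -375,6 +376,7 @@), the bare `#endif` closes a conditional that opened about twenty lines earlier at the top of the function body, with nothing at the closing site to say which condition it terminates. Since this `#endif` is the last statement before the function's closing brace and the guarded region spans the whole body (declarations, the time comparison, and both warning branches), annotate it as `#endif /* OPENSSL_VERSION_NUMBER >= 0x10002000L */` so a reader working from the bottom of the function can see that the entire expired-certificate warning path is version-gated.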