On 2009.11.11 at 09:40:59 +0100, David Sommerseth wrote:
> On 10/11/09 17:16, Till Maas wrote:
> > I would like to get a notification in case a client certificate is used
> > for a connection to an OpenVPN server, that is about to expire soon. Is
> > there currently a way to do this? I looked into the tls-verify hook, but
> > according to the documentation, only the Subject line of a certificate
> > is available and not the validity. Is there maybe a way to log the
> > expiration dates?
>
> I don't think this is possible without patching openvpn to put these
> values into some environment variables for the --tls-verify hook. I've
> done something similar in regards to the SHA1 fingerprint for my own
> project (I have had an OpenVPN patch pending since RC7). But I'd be
> willing to carry such a feature in my eurephia patch for OpenVPN, as
> that sounds very useful.
Apache/mod_ssl does export the entire certificate in PEM format as an environment variable. So maybe openvpn should do the same? Now various people are patching openvpn to add some values: you've added the SHA1 fingerprint, I've added the certificate extension subjectAltName, et cetera, et cetera. But if the entire certificate were available, it would be possible to extract any information from it (or hash it with any algorithm) from the script using the openssl command line utility or some binding of the OpenSSL libraries to the chosen script language.
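As an added illustration of the proposal above (this is example code, not from the thread or from OpenVPN or eurephia): a --tls-verify hook that does everything with the openssl command-line tool once the peer certificate is available as PEM. The environment variable name PEER_CERT_PEM is an assumption modelled on mod_ssl's SSL_CLIENT_CERT; OpenVPN does pass the certificate depth and the subject as the hook's two arguments. The script derives the three values people have been patching in separately (expiry, SHA1 fingerprint, subjectAltName) and logs a warning when the client certificate expires within WARN_DAYS. The demo certificates are generated locally and are not real credentials.

```shell
#!/bin/sh
# Added example, not from the original thread, OpenVPN or eurephia.
# Assumption: OpenVPN exports the peer certificate as PEM in PEER_CERT_PEM
# (hypothetical name, modelled on Apache/mod_ssl's SSL_CLIENT_CERT).
# OpenVPN really does call --tls-verify as: script <depth> <X509 subject>.
# Every value below comes from the openssl command-line tool alone.

WARN_DAYS="${WARN_DAYS:-30}"   # warn when the leaf cert expires within this

# Exit 0 if the PEM cert on stdin expires within $1 days, 1 otherwise.
# "openssl x509 -checkend N" exits 1 when the cert is no longer valid N seconds
# from now, so no platform-dependent `date` parsing of notAfter is needed.
cert_expires_within_days() {
    if openssl x509 -noout -checkend "$(( $1 * 86400 ))" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# SHA1 fingerprint of the PEM cert on stdin, colon-separated hex only.
cert_sha1_fingerprint() {
    openssl x509 -noout -fingerprint -sha1 | sed 's/^.*=//'
}

# subjectAltName of the PEM cert on stdin (empty when the extension is absent).
cert_subject_alt_names() {
    openssl x509 -noout -text \
        | awk '/X509v3 Subject Alternative Name/ { getline; sub(/^ +/, ""); print; exit }'
}

# notAfter as printed by openssl, e.g. "Nov 11 09:40:59 2019 GMT".
cert_not_after() {
    openssl x509 -noout -enddate | sed 's/^notAfter=//'
}

# The hook proper. Depth 0 is the client's own certificate; the CA certs
# further up the chain are not what the expiry question is about.
tls_verify_hook() {
    depth="$1"; subject="$2"
    [ "$depth" -eq 0 ] || return 0
    [ -n "${PEER_CERT_PEM:-}" ] || { echo "no peer certificate exported" >&2; return 0; }

    fp=$(printf '%s\n' "$PEER_CERT_PEM" | cert_sha1_fingerprint)
    san=$(printf '%s\n' "$PEER_CERT_PEM" | cert_subject_alt_names)
    end=$(printf '%s\n' "$PEER_CERT_PEM" | cert_not_after)
    echo "client $subject sha1=$fp san=[$san] notAfter=$end" >&2

    if printf '%s\n' "$PEER_CERT_PEM" | cert_expires_within_days "$WARN_DAYS"; then
        echo "WARNING: certificate for $subject expires within $WARN_DAYS days ($end)" >&2
    fi
    return 0   # warn only; a non-zero exit would make OpenVPN reject the client
}

# Demo helper: self-signed cert valid for $1 days with CN=$2, printed as PEM.
# Constructed locally for the example; no real CA is involved.
make_demo_cert() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" -days "$1" \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$2.example.org" 2>/dev/null
    cat "$dir/cert.pem"
    rm -rf "$dir"
}

demo() {
    PEER_CERT_PEM=$(make_demo_cert 10 client1)
    tls_verify_hook 0 "CN=client1"     # expires in 10 days: logs a WARNING
    PEER_CERT_PEM=$(make_demo_cert 400 client2)
    tls_verify_hook 0 "CN=client2"     # expires in 400 days: no warning
}

case "${1:-}" in demo) demo ;; esac
```

Run it as `sh tls-verify-demo.sh demo` to see both cases; as an actual hook, point `tls-verify` at the script and drop the `case` line. The point of the design is that nothing here needs OpenVPN to know which field a site cares about: SHA1 today, subjectAltName tomorrow, a different hash the day after, all read from the same exported PEM.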