Previously, client certificate expiry warnings would only be visible in the server log, and server certificate expiry warnings in the client log. Both after a (failed) connection attempt. This patch adds a warning to log when a user's own certificate has expired (or is not yet valid) to ease problem diagnosis / error reporting.
Note that this is just a warning, since on some systems (notably embedded devices) there might be no correct time available.

Signed-off-by: Steffan Karger <stef...@karger.me>
---
 src/openvpn/ssl.c | 3 +++
 src/openvpn/ssl_backend.h | 9 +++++++++
 src/openvpn/ssl_openssl.c | 27 +++++++++++++++++++++++++++
 src/openvpn/ssl_polarssl.c | 14 ++++++++++++++
 4 files changed, 53 insertions(+)

diff --git a/src/openvpn/ssl.c b/src/openvpn/ssl.c
index 887bd75..665fdd7 100644
--- a/src/openvpn/ssl.c
+++ b/src/openvpn/ssl.c
@@ -566,6 +566,9 @@ init_ssl (const struct options *options, struct tls_root_ctx *new_ctx)
 tls_ctx_load_extra_certs(new_ctx, options->extra_certs_file, options->extra_certs_file_inline);
 }
 
+ /* Check certificate notBefore and notAfter */
+ tls_ctx_check_cert_time(new_ctx);
+
 /* Once keys and cert are loaded, load ECDH parameters */
 if (options->tls_server)
 tls_ctx_load_ecdh_params(new_ctx, options->ecdh_curve);
diff --git a/src/openvpn/ssl_backend.h b/src/openvpn/ssl_backend.h
index 99930e5..ac28f5f 100644
--- a/src/openvpn/ssl_backend.h
+++ b/src/openvpn/ssl_backend.h
@@ -175,6 +175,15 @@ void tls_ctx_set_options (struct tls_root_ctx *ctx, unsigned int ssl_flags);
 void tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers);
 
 /**
+ * Check our certificate notBefore and notAfter fields, and warn if the cert is
+ * either not yet valid or has expired. Note that this is a non-fatal error,
+ * since we compare against the system time, which might be incorrect.
+ *
+ * @param ctx TLS context to get our certificate from.
+ */
+void tls_ctx_check_cert_time (const struct tls_root_ctx *ctx);
+
+/**
  * Load Diffie Hellman Parameters, and load them into the library-specific
  * TLS context.
  *
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 4430fec..2b74818 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
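Review bot: The new `tls_ctx_check_cert_time(new_ctx)` call runs unconditionally once the certificate-loading code above it has finished, but neither backend implementation checks that a certificate is actually present in the context: the OpenSSL version (ssl_openssl.c hunk) passes the result of `SSL_CTX_get0_certificate` straight to `X509_get_notBefore`, and the PolarSSL version (ssl_polarssl.c hunk) dereferences `ctx->crt_chain` directly. The certificate-loading branches of init_ssl lie outside this hunk, so I cannot tell from here whether any configuration reaches this point without a loaded certificate; if one can, this is a NULL dereference at startup rather than a warning. A guard at the call site, or an early `if (!cert) return;` / `if (!ctx->crt_chain) return;` at the top of each backend, would make the check safe regardless. The comment could also state the intent, e.g. `/* Check certificate notBefore and notAfter; only warns, since the system clock may be wrong */`.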
@@ -351,6 +351,33 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)
 }
 
 void
+tls_ctx_check_cert_time (const struct tls_root_ctx *ctx)
+{
+ int ret;
+ const X509 *cert = SSL_CTX_get0_certificate(ctx->ctx);
+
+ ret = X509_cmp_time (X509_get_notBefore (cert), NULL);
+ if (ret == 0)
+ {
+ msg (D_TLS_DEBUG_MED, "Failed to read certificate notBefore field.");
+ }
+ if (ret > 0)
+ {
+ msg (M_WARN, "WARNING: Your certificate is not yet valid!");
+ }
+
+ ret = X509_cmp_time (X509_get_notAfter (cert), NULL);
+ if (ret == 0)
+ {
+ msg (D_TLS_DEBUG_MED, "Failed to read certificate notAfter field.");
+ }
+ if (ret < 0)
+ {
+ msg (M_WARN, "WARNING: Your certificate has expired!");
+ }
+}
+
+void
 tls_ctx_load_dh_params (struct tls_root_ctx *ctx, const char *dh_file,
 const char *dh_file_inline
 )
diff --git a/src/openvpn/ssl_polarssl.c b/src/openvpn/ssl_polarssl.c
index bb58746..4782469 100644
--- a/src/openvpn/ssl_polarssl.c
+++ b/src/openvpn/ssl_polarssl.c
@@ -217,6 +217,20 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)
 }
 
 void
+tls_ctx_check_cert_time (const struct tls_root_ctx *ctx)
+{
+ if (x509_time_future (&ctx->crt_chain->valid_from))
+ {
+ msg (M_WARN, "WARNING: Your certificate is not yet valid!");
+ }
+
+ if (x509_time_expired (&ctx->crt_chain->valid_to))
+ {
+ msg (M_WARN, "WARNING: Your certificate has expired!");
+ }
+}
+
+void
 tls_ctx_load_dh_params (struct tls_root_ctx *ctx, const char *dh_file,
 const char *dh_inline
 )
-- 
2.5.0
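Review bot: `SSL_CTX_get0_certificate` at the top of tls_ctx_check_cert_time was added in a comparatively late OpenSSL release; if the project still builds against older OpenSSL versions that lack it, this hunk will not compile there and needs a version guard or an alternative way to obtain the loaded certificate. The `ret == 0` branches rightly separate X509_cmp_time's error return from the comparison result, but they log only at D_TLS_DEBUG_MED, so a certificate whose notBefore/notAfter cannot be parsed is accepted silently at normal verbosity; since the whole point of the patch is to surface certificate problems in the user's own log, logging those two messages at M_WARN would be more consistent with the surrounding warnings. The rest of the file continues outside the hunk.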