Hi,

On Tue, Dec 15, 2015 at 9:42 AM, Jan Just Keijser <janj...@nikhef.nl> wrote:
> On 14/12/15 23:14, Steffan Karger wrote:
>> The SSL_CTX_get0_certificate() function I used in 091edd8e is available in
>> OpenSSL 1.0.2+ only. Older versions seem to not have a useful
>> alternative.
>> The remaining option would then be to create a cache for our parsed
>> certificate, but that would mean adding more struct members and code for
>> the select group of people that do use an up-to-date openvpn, but do not
>> update their openssl. I don't think that's worth it. So just disable the
>> code for older openssl versions.
>
> I have code lying around for checking certificate dates for openssl v0.9.7+;
> you can find it here:
> https://www.nikhef.nl/~janjust/proxy-verify/
>
> the function of interest is grid_asn1TimeToTimeT; it was/is on my TODO list
> to convert this code into a similar patch - perhaps we can integrate the
> two?
But before we extract the time from the certificate, we need to either cache
our own x509 certificate (in the certificate file reading code, the pkcs11
code, the management-external-key code, the ms crapi code, etc...) or find a
way to extract our own x509 cert from an SSL_CTX (which
SSL_CTX_get0_certificate() does, since from that part of the code it *can*
peek into the opaque 'struct cert_st').

Looking at the mess, I still think it is just not worth the extra code. But if
you (or someone else) manage to find a clean and simple way to perform the
check pre-1.0.2, I will gladly review a patch :)

-Steffan
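The ASN.1-time-to-time_t step the thread refers to, written here as an added example (not Jan Just's proxy-verify code and not OpenVPN's): it converts the printable UTCTime/GeneralizedTime string carried in an ASN1_TIME's data field into a UTC time_t, applying the RFC 5280 two-digit-year pivot, rejecting malformed strings, and reporting days left until notAfter. Function names and the sample timestamps are my own, and obtaining the certificate itself (the part the thread says is hard before 1.0.2) is assumed to have happened already.

```c
#include <ctype.h>
#include <limits.h>
#include <string.h>
#include <time.h>

/* Days since 1970-01-01 (Howard Hinnant's days_from_civil); avoids non-portable timegm(). */
static long days_from_civil(int y, int m, int d)
{
    y -= m <= 2;
    long era = (y >= 0 ? y : y - 399) / 400, yoe = y - era * 400;
    long doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    return era * 146097 + yoe * 365 + yoe / 4 - yoe / 100 + doy - 719468;
}

/* Value of n ASCII digits at s (caller has already verified they are digits). */
static int num(const char *s, int n)
{
    int v = 0;
    while (n--) v = v * 10 + (*s++ - '0');
    return v;
}

/* Convert the printable form of an X.509 validity time, UTCTime "YYMMDDHHMMSSZ"
 * or GeneralizedTime "YYYYMMDDHHMMSSZ" (RFC 5280: trailing 'Z', no fractional
 * seconds), to a UTC time_t. Returns (time_t)-1 on malformed input. */
time_t asn1_time_to_time_t(const char *s)
{
    size_t len = strlen(s), ylen;
    if (len == 13) ylen = 2;            /* UTCTime */
    else if (len == 15) ylen = 4;       /* GeneralizedTime */
    else return (time_t)-1;
    if (s[len - 1] != 'Z') return (time_t)-1;
    for (size_t i = 0; i + 1 < len; i++)
        if (!isdigit((unsigned char)s[i])) return (time_t)-1;
    /* RFC 5280 4.1.2.5.1: UTCTime years 50..99 mean 19xx, 00..49 mean 20xx */
    int year = ylen == 2 ? (num(s, 2) >= 50 ? 1900 : 2000) + num(s, 2) : num(s, 4);
    const char *p = s + ylen;
    int mon = num(p, 2), day = num(p + 2, 2), hh = num(p + 4, 2), mm = num(p + 6, 2), ss = num(p + 8, 2);
    if (mon < 1 || mon > 12 || day < 1 || day > 31 || hh > 23 || mm > 59 || ss > 59)
        return (time_t)-1;
    return (time_t)(days_from_civil(year, mon, day) * 86400L + hh * 3600L + mm * 60L + ss);
}

/* Whole days until `not_after` (negative once expired); LONG_MIN if unparsable. */
long cert_days_remaining(const char *not_after, time_t now)
{
    time_t exp = asn1_time_to_time_t(not_after);
    return exp == (time_t)-1 ? LONG_MIN : (long)((exp - now) / 86400);
}
```

With a real ASN1_TIME the same string is available as its data field (the type field tells UTCTime from GeneralizedTime), so this check works on any OpenSSL version once the certificate object is in hand.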