I'm getting a "segmentation fault" after that commit. Well, I suspect you believe that the user _always_ has a client cert, which is not true.
Obviously, for preshared keys there's no user cert, and for user/password auth there's also no user cert (which is our case).

In Valgrind I see the following:

https://community.openvpn.net/openvpn/ticket/644#ticket

==19381== Invalid read of size 8
==19381==    at 0x487454: tls_ctx_check_cert_time (ssl_openssl.c:368)
==19381==    by 0x47F619: init_ssl (ssl.c:571)
==19381==    by 0x420F45: do_init_crypto_tls_c1 (init.c:2160)
==19381==    by 0x4211F6: do_init_crypto_tls (init.c:2240)
==19381==    by 0x42197B: do_init_crypto (init.c:2428)
==19381==    by 0x423C92: init_instance (init.c:3550)
==19381==    by 0x423855: init_instance_handle_signals (init.c:3405)
==19381==    by 0x443788: tunnel_point_to_point (openvpn.c:70)
==19381==    by 0x443BAD: openvpn_main (openvpn.c:270)
==19381==    by 0x443CC0: main (openvpn.c:345)
==19381==  Address 0x0 is not stack'd, malloc'd or (recently) free'd

Does that mean "I'm trying to read a cert which does not exist"?

I investigated, I'm getting crash dumps since
https://github.com/OpenVPN/openvpn/commit/091edd8e2996867447eeb665af957547aa8b3107

Can you please fix that before 2.3.10?

2015-12-26 12:40 GMT+03:00 Steffan Karger <stef...@karger.me>:

> On 26-12-15 10:19, Gert Doering wrote:
> > On Wed, Dec 23, 2015 at 04:11:17PM +0100, Jan Just Keijser wrote:
> >> I just wanted to get back to this one one more time: attached is a
> >> patch to ssl_openssl.c that works in combination with Steffan's patch to
> >> check for expired certificates. This new patch-patch works on my CentOS
> >> 6 (openssl 1.0.1e) box :) This patch was done against the v2.3.9 code
> >> base and I have no clue how to get it into proper git formatting ;)
> >
> > Great discovery :-) - and it nicely works for me:
> >
> > Sat Dec 26 10:11:14 2015 OpenVPN 2.3_git [git:ssl-expire/0f7319906a9dff58+] amd64-unknown-freebsd7.4 [SSL (OpenSSL)] [LZO] [LZ4] [MH] [IPv6] built on Dec 26 2015
> > Sat Dec 26 10:11:14 2015 library versions: OpenSSL 0.9.8q 2 Dec 2010, LZO 2.04
> > Sat Dec 26 10:11:16 2015 WARNING: Your certificate has expired!
> >
> > this is about as old as it gets - thanks a lot. Mogrified into a patch
> > against git master with the SSL_free() moved to the right place attached
> > below, for Steffan to ACK.
>
> ACK, much wanted functionality and code looks good.
>
> -Steffan
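
Added example, not part of the thread and not OpenVPN's code: a self-contained C model of a certificate validity-time check that treats "no local certificate configured" (the preshared-key and user/password setups described in the report) as a normal outcome instead of dereferencing a NULL pointer. The types `struct cert` and `struct tls_ctx` and the function `check_cert_time` are hypothetical stand-ins for the OpenSSL objects involved.

```c
#include <stddef.h>
#include <stdio.h>
#include <time.h>

/* Hypothetical stand-ins; these are not OpenVPN or OpenSSL types. */
struct cert { time_t not_before; time_t not_after; };
struct tls_ctx { const struct cert *own_cert; /* NULL when no client cert is configured */ };

enum cert_time_status { CERT_ABSENT, CERT_NOT_YET_VALID, CERT_EXPIRED, CERT_TIME_OK };

/* Classify the local certificate's validity window at time 'now'.
 * The NULL tests come first: a context without a certificate is a
 * valid configuration, so it must return before any field is read. */
enum cert_time_status check_cert_time(const struct tls_ctx *ctx, time_t now)
{
    if (ctx == NULL || ctx->own_cert == NULL)
        return CERT_ABSENT;
    if (now < ctx->own_cert->not_before)
        return CERT_NOT_YET_VALID;
    if (now > ctx->own_cert->not_after)
        return CERT_EXPIRED;
    return CERT_TIME_OK;
}

/* Human-readable form of each outcome for a startup log. */
const char *cert_time_message(enum cert_time_status s)
{
    switch (s) {
    case CERT_ABSENT:        return "no local certificate, skipping time check";
    case CERT_NOT_YET_VALID: return "WARNING: certificate is not yet valid";
    case CERT_EXPIRED:       return "WARNING: certificate has expired";
    default:                 return "certificate validity time OK";
    }
}

int main(void)
{
    /* Constructed sample data: a certificate valid from t=1000 to t=2000. */
    const struct cert sample = { 1000, 2000 };
    const struct tls_ctx cert_auth = { &sample };
    const struct tls_ctx password_auth = { NULL }; /* the crashing case in the report */

    printf("cert auth, now=2500: %s\n", cert_time_message(check_cert_time(&cert_auth, 2500)));
    printf("password auth:       %s\n", cert_time_message(check_cert_time(&password_auth, 2500)));
    return 0;
}
```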