GitList

Browse code

Warn user if their certificate has expired

Previously, client certificate expiry warnings would only visible in the
server log, and server certificate expiry warnings in the client log.
Both after a (failed) connection attempt. This patch adds a warning to
log when a users own certificate has expired (or is not yet valid) to ease
problem diagnosis / error reporting.

Note that this is just a warning, since on some systems (notably embedded
devices) there might be no correct time available.

Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1450123758-31641-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10794
Signed-off-by: Gert Doering <gert@greenie.muc.de>

Steffan Karger authored on 2015/12/15 05:09:18
Showing 4 changed files

src/openvpn/ssl.c index 887bd75..665fdd7 100644
src/openvpn/ssl_backend.h index 99930e5..ac28f5f 100644
src/openvpn/ssl_openssl.c index 4430fec..2b74818 100644
src/openvpn/ssl_polarssl.c index cfdeb52..d7a40d7 100644

src/openvpn/ssl.c

History View file @ 091edd8

@@ -566,6 +566,9 @@ init_ssl (const struct options *options, struct tls_root_ctx *new_ctx)
                            tls_ctx_load_extra_certs(new_ctx, options->extra_certs_file, options->extra_certs_file_inline);
+                         }
                     +  /* Check certificate notBefore and notAfter */
                     +  tls_ctx_check_cert_time(new_ctx);
+                    +
                        /* Once keys and cert are loaded, load ECDH parameters */
                        if (options->tls_server)
                          tls_ctx_load_ecdh_params(new_ctx, options->ecdh_curve);

src/openvpn/ssl_backend.h

History View file @ 091edd8

@@ -175,6 +175,15 @@ void tls_ctx_set_options (struct tls_root_ctx *ctx, unsigned int ssl_flags);
                      void tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers);
                      /**
                     + * Check our certificate notBefore and notAfter fields, and warn if the cert is
                     + * either not yet valid or has expired.  Note that this is a non-fatal error,
                     + * since we compare against the system time, which might be incorrect.
                     + *
                     + * @param ctx		TLS context to get our certificate from.
                     + */
                     +void tls_ctx_check_cert_time (const struct tls_root_ctx *ctx);
+                    +
                     +/**
                       * Load Diffie Hellman Parameters, and load them into the library-specific
                       * TLS context.
+                      *

src/openvpn/ssl_openssl.c

History View file @ 091edd8

@@ -351,6 +351,33 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)
+                     }
                      void
                     +tls_ctx_check_cert_time (const struct tls_root_ctx *ctx)
                     +{
                     +  int ret;
                     +  const X509 *cert = SSL_CTX_get0_certificate(ctx->ctx);
+                    +
                     +  ret = X509_cmp_time (X509_get_notBefore (cert), NULL);
                     +  if (ret == 0)
                     +    {
                     +      msg (D_TLS_DEBUG_MED, "Failed to read certificate notBefore field.");
                     +    }
                     +  if (ret > 0)
                     +    {
                     +      msg (M_WARN, "WARNING: Your certificate is not yet valid!");
                     +    }
+                    +
                     +  ret = X509_cmp_time (X509_get_notAfter (cert), NULL);
                     +  if (ret == 0)
                     +    {
                     +      msg (D_TLS_DEBUG_MED, "Failed to read certificate notAfter field.");
                     +    }
                     +  if (ret < 0)
                     +    {
                     +      msg (M_WARN, "WARNING: Your certificate has expired!");
                     +    }
                     +}
+                    +
                     +void
                      tls_ctx_load_dh_params (struct tls_root_ctx *ctx, const char *dh_file,
                          const char *dh_file_inline
+                         )

src/openvpn/ssl_polarssl.c

History View file @ 091edd8

@@ -216,6 +216,20 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)
+                     }
                      void
                     +tls_ctx_check_cert_time (const struct tls_root_ctx *ctx)
                     +{
                     +  if (x509_time_future (&ctx->crt_chain->valid_from))
                     +    {
                     +      msg (M_WARN, "WARNING: Your certificate is not yet valid!");
                     +    }
+                    +
                     +  if (x509_time_expired (&ctx->crt_chain->valid_to))
                     +    {
                     +      msg (M_WARN, "WARNING: Your certificate has expired!");
                     +    }
                     +}
+                    +
                     +void
                      tls_ctx_load_dh_params (struct tls_root_ctx *ctx, const char *dh_file,
                          const char *dh_inline
+                         )