Previously, client certificate expiry warnings would only be visible in the
server log, and server certificate expiry warnings in the client log.
Both only after a (failed) connection attempt. This patch adds a warning to
the log when a user's own certificate has expired (or is not yet valid) to ease
problem diagnosis / error reporting.
Note that this is just a warning, since on some systems (notably embedded
devices) there might be no correct time available.
Signed-off-by: Steffan Karger <steffan@karger.me>
Acked-by: Gert Doering <gert@greenie.muc.de>
Message-Id: <1450123758-31641-1-git-send-email-steffan@karger.me>
URL: http://article.gmane.org/gmane.network.openvpn.devel/10794
Signed-off-by: Gert Doering <gert@greenie.muc.de>
... | ... |
@@ -566,6 +566,9 @@ init_ssl (const struct options *options, struct tls_root_ctx *new_ctx) |
566 | 566 |
tls_ctx_load_extra_certs(new_ctx, options->extra_certs_file, options->extra_certs_file_inline); |
567 | 567 |
} |
568 | 568 |
|
569 |
+ /* Check certificate notBefore and notAfter */ |
|
570 |
+ tls_ctx_check_cert_time(new_ctx); |
|
571 |
+ |
|
569 | 572 |
/* Once keys and cert are loaded, load ECDH parameters */ |
570 | 573 |
if (options->tls_server) |
571 | 574 |
tls_ctx_load_ecdh_params(new_ctx, options->ecdh_curve); |
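Review bot: The new call at line 570, `tls_ctx_check_cert_time(new_ctx);`, runs unconditionally, so it also runs for a context into which no certificate was loaded (for example a client that authenticates with --auth-user-pass only), if init_ssl permits such a configuration — the certificate-loading branches are outside this hunk, so that is inferred. Both backend implementations added by this commit fetch the context's certificate and use it without a NULL check, so either this call should be gated on a certificate actually having been configured, or the backends must be made to tolerate an empty context. At minimum a comment here pinning the contract would help, e.g. `/* Check certificate notBefore and notAfter; backends must cope with a context that has no certificate */`. init_ssl begins and ends outside this hunk.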
... | ... |
@@ -175,6 +175,15 @@ void tls_ctx_set_options (struct tls_root_ctx *ctx, unsigned int ssl_flags); |
175 | 175 |
void tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers); |
176 | 176 |
|
177 | 177 |
/** |
178 |
+ * Check our certificate notBefore and notAfter fields, and warn if the cert is |
|
179 |
+ * either not yet valid or has expired. Note that this is a non-fatal error, |
|
180 |
+ * since we compare against the system time, which might be incorrect. |
|
181 |
+ * |
|
182 |
+ * @param ctx TLS context to get our certificate from. |
|
183 |
+ */ |
|
184 |
+void tls_ctx_check_cert_time (const struct tls_root_ctx *ctx); |
|
185 |
+ |
|
186 |
+/** |
|
178 | 187 |
* Load Diffie Hellman Parameters, and load them into the library-specific |
179 | 188 |
* TLS context. |
180 | 189 |
* |
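Review bot: The new doc comment at lines 178-183 does not state the precondition on `ctx`: whether a certificate must already be loaded, and what the function does when none is. Both backend implementations in this commit dereference the context's certificate without a NULL check, so the answer matters to callers; either add `Must have a certificate loaded.` to the `@param ctx` line, or document that the function is a no-op for a context without a certificate and make the backends behave that way. It would also be worth saying in the comment that the comparison is made against the system time at the moment of the call (in this commit, context setup), so a certificate that crosses notAfter while the process keeps running produces no further warning.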
... | ... |
@@ -351,6 +351,33 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers) |
351 | 351 |
} |
352 | 352 |
|
353 | 353 |
void |
354 |
+tls_ctx_check_cert_time (const struct tls_root_ctx *ctx) |
|
355 |
+{ |
|
356 |
+ int ret; |
|
357 |
+ const X509 *cert = SSL_CTX_get0_certificate(ctx->ctx); |
|
358 |
+ |
|
359 |
+ ret = X509_cmp_time (X509_get_notBefore (cert), NULL); |
|
360 |
+ if (ret == 0) |
|
361 |
+ { |
|
362 |
+ msg (D_TLS_DEBUG_MED, "Failed to read certificate notBefore field."); |
|
363 |
+ } |
|
364 |
+ if (ret > 0) |
|
365 |
+ { |
|
366 |
+ msg (M_WARN, "WARNING: Your certificate is not yet valid!"); |
|
367 |
+ } |
|
368 |
+ |
|
369 |
+ ret = X509_cmp_time (X509_get_notAfter (cert), NULL); |
|
370 |
+ if (ret == 0) |
|
371 |
+ { |
|
372 |
+ msg (D_TLS_DEBUG_MED, "Failed to read certificate notAfter field."); |
|
373 |
+ } |
|
374 |
+ if (ret < 0) |
|
375 |
+ { |
|
376 |
+ msg (M_WARN, "WARNING: Your certificate has expired!"); |
|
377 |
+ } |
|
378 |
+} |
|
379 |
+ |
|
380 |
+void |
|
354 | 381 |
tls_ctx_load_dh_params (struct tls_root_ctx *ctx, const char *dh_file, |
355 | 382 |
const char *dh_file_inline |
356 | 383 |
) |
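Review bot: `cert` from `SSL_CTX_get0_certificate(ctx->ctx)` at line 357 is passed straight to `X509_get_notBefore` and `X509_get_notAfter` with no NULL check; `SSL_CTX_get0_certificate` returns NULL when no certificate has been set on the context, and in OpenSSL 1.0.x `X509_get_notBefore` is a macro that dereferences its argument, so a context without a certificate crashes here. Add `if (cert == NULL) { return; }` directly after the lookup — there is nothing to check without a certificate — or make the caller guarantee one is loaded. Separately, `SSL_CTX_get0_certificate` only exists from OpenSSL 1.0.2 onwards; if the project still builds against 1.0.1 this needs a version-guarded fallback (for instance a temporary `SSL_new`/`SSL_get_certificate`), which I cannot confirm from this page.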
... | ... |
@@ -216,6 +216,20 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers) |
216 | 216 |
} |
217 | 217 |
|
218 | 218 |
void |
219 |
+tls_ctx_check_cert_time (const struct tls_root_ctx *ctx) |
|
220 |
+{ |
|
221 |
+ if (x509_time_future (&ctx->crt_chain->valid_from)) |
|
222 |
+ { |
|
223 |
+ msg (M_WARN, "WARNING: Your certificate is not yet valid!"); |
|
224 |
+ } |
|
225 |
+ |
|
226 |
+ if (x509_time_expired (&ctx->crt_chain->valid_to)) |
|
227 |
+ { |
|
228 |
+ msg (M_WARN, "WARNING: Your certificate has expired!"); |
|
229 |
+ } |
|
230 |
+} |
|
231 |
+ |
|
232 |
+void |
|
219 | 233 |
tls_ctx_load_dh_params (struct tls_root_ctx *ctx, const char *dh_file, |
220 | 234 |
const char *dh_inline |
221 | 235 |
) |
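Review bot: Line 221 dereferences `ctx->crt_chain` without checking it; if `crt_chain` is left NULL for a context that never had a certificate loaded (a client without one, for instance) — which this hunk cannot confirm — both `x509_time_future` and `x509_time_expired` are handed a pointer computed from a NULL struct. Add `if (ctx->crt_chain == NULL) { return; }` at the top of the function so an empty context is a "nothing to check" no-op, matching what the OpenSSL backend should do. Note also that only the first certificate in `crt_chain` (presumably our own leaf certificate) is examined, not the rest of the chain; a comment such as `/* Only the first (own) certificate is checked, not the chain */` would make that deliberate.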