Diffstat (limited to 'src/openvpn/ssl_openssl.c')
-rw-r--r--src/openvpn/ssl_openssl.c49
1 files changed, 49 insertions, 0 deletions
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index be33caa..e595e1b 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -335,6 +335,55 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)
}
void
+tls_ctx_check_cert_time (const struct tls_root_ctx *ctx)
+{
+ int ret;
+ const X509 *cert;
+
+ ASSERT (ctx);
+
+#if OPENSSL_VERSION_NUMBER >= 0x10002000L
+ /* OpenSSL 1.0.2 and up */
+ cert = SSL_CTX_get0_certificate (ctx->ctx);
+#else
+ /* OpenSSL 1.0.1 and earlier need an SSL object to get at the certificate */
+ SSL *ssl = SSL_new (ctx->ctx);
+ cert = SSL_get_certificate (ssl);
+#endif
+
+ if (cert == NULL)
+ {
+ goto cleanup; /* Nothing to check if there is no certificate */
+ }
+
+ ret = X509_cmp_time (X509_get_notBefore (cert), NULL);
+ if (ret == 0)
+ {
+ msg (D_TLS_DEBUG_MED, "Failed to read certificate notBefore field.");
+ }
+ if (ret > 0)
+ {
+ msg (M_WARN, "WARNING: Your certificate is not yet valid!");
+ }
+
+ ret = X509_cmp_time (X509_get_notAfter (cert), NULL);
+ if (ret == 0)
+ {
+ msg (D_TLS_DEBUG_MED, "Failed to read certificate notAfter field.");
+ }
+ if (ret < 0)
+ {
+ msg (M_WARN, "WARNING: Your certificate has expired!");
+ }
+
+cleanup:
+#if OPENSSL_VERSION_NUMBER < 0x10002000L
+ SSL_free (ssl);
+#endif
+ return;
+}
+
+void
tls_ctx_load_dh_params (struct tls_root_ctx *ctx, const char *dh_file,
const char *dh_file_inline
)
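Review bot: In the pre-1.0.2 branch of tls_ctx_check_cert_time, `SSL_new (ctx->ctx)` can return NULL (allocation failure or a context error), and the very next line hands that pointer to `SSL_get_certificate`, which dereferences it; the 1.0.2+ branch has no such hazard because `SSL_CTX_get0_certificate` takes the context directly. A one-line guard after the allocation closes it and still reaches the shared cleanup, since `SSL_free (NULL)` is a no-op: `if (ssl == NULL) { goto cleanup; }`. It would also help a reader to state the intent at the top of the function, because both branches only emit `M_WARN` and never fail the context: `/* Only warns about a not-yet-valid or expired local certificate; it does not reject it — the peer decides whether to accept it. */`. The trailing context lines belong to tls_ctx_load_dh_params, whose body continues outside the hunk.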