From 9653b1bffea4e96c1eb7c1814e8bed21fea62321 Mon Sep 17 00:00:00 2001 From: Alberto Gonzalez Iniesta Date: Wed, 20 Jan 2016 12:01:07 +0100 Subject: Imported Upstream version 2.3.10 --- src/openvpn/ssl_openssl.c | 49 +++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 49 insertions(+) (limited to 'src/openvpn/ssl_openssl.c') diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index be33caa..e595e1b 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -334,6 +334,55 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers) msg(M_SSLERR, "Failed to set restricted TLS cipher list: %s", openssl_ciphers); } +void +tls_ctx_check_cert_time (const struct tls_root_ctx *ctx) +{ + int ret; + const X509 *cert; + + ASSERT (ctx); + +#if OPENSSL_VERSION_NUMBER >= 0x10002000L + /* OpenSSL 1.0.2 and up */ + cert = SSL_CTX_get0_certificate (ctx->ctx); +#else + /* OpenSSL 1.0.1 and earlier need an SSL object to get at the certificate */ + SSL *ssl = SSL_new (ctx->ctx); + cert = SSL_get_certificate (ssl); +#endif + + if (cert == NULL) + { + goto cleanup; /* Nothing to check if there is no certificate */ + } + + ret = X509_cmp_time (X509_get_notBefore (cert), NULL); + if (ret == 0) + { + msg (D_TLS_DEBUG_MED, "Failed to read certificate notBefore field."); + } + if (ret > 0) + { + msg (M_WARN, "WARNING: Your certificate is not yet valid!"); + } + + ret = X509_cmp_time (X509_get_notAfter (cert), NULL); + if (ret == 0) + { + msg (D_TLS_DEBUG_MED, "Failed to read certificate notAfter field."); + } + if (ret < 0) + { + msg (M_WARN, "WARNING: Your certificate has expired!"); + } + +cleanup: +#if OPENSSL_VERSION_NUMBER < 0x10002000L + SSL_free (ssl); +#endif + return; +} + void tls_ctx_load_dh_params (struct tls_root_ctx *ctx, const char *dh_file, const char *dh_file_inline -- cgit v1.2.3