Hi,

On Wed, Dec 23, 2015 at 04:11:17PM +0100, Jan Just Keijser wrote:
> I just wanted to get back to this one one more time: attached is a 
> patch to ssl_openssl.c that works in combination with Steffan's patch to 
> check for expired certificates. This new patch-patch works on my CentOS 
> 6 (openssl 1.0.1e) box :)  This patch was done against the v2.3.9 code 
> base and I have no clue how to get it into proper git formatting ;)

Great discovery :-) - and it nicely works for me:

Sat Dec 26 10:11:14 2015 OpenVPN 2.3_git [git:ssl-expire/0f7319906a9dff58+] amd64-unknown-freebsd7.4 [SSL (OpenSSL)] [LZO] [LZ4] [MH] [IPv6] built on Dec 26 2015
Sat Dec 26 10:11:14 2015 library versions: OpenSSL 0.9.8q 2 Dec 2010, LZO 2.04
Sat Dec 26 10:11:16 2015 WARNING: Your certificate has expired!

this is about as old as it gets - thanks a lot.  Mogrified into a patch
against git master with the SSL_free() moved to the right place attached
below, for Steffan to ACK.

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             g...@greenie.muc.de
fax: +49-89-35655025                        g...@net.informatik.tu-muenchen.de
From cc94bfe47840f3b4815e3ab1f0b65267d992bd08 Mon Sep 17 00:00:00 2001
From: Jan Just Keijser <janj...@nikhef.nl>
List-Post: openvpn-devel@lists.sourceforge.net
Date: Sat, 26 Dec 2015 10:15:04 +0100
Subject: [PATCH] Make certificate expiry warning patch (091edd8e299686) work on OpenSSL 1.0.1 and earlier.

Integrating feedback from Steffan Karger, tested by Gert Doering on
FreeBSD 7.4 / OpenSSL 0.9.8.

Signed-off-by: Gert Doering <g...@greenie.muc.de>
---
 src/openvpn/ssl_openssl.c |   14 ++++++++++++--
 1 files changed, 12 insertions(+), 2 deletions(-)

diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 4792b08..0a7f14b 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -353,9 +353,17 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers)
 void
 tls_ctx_check_cert_time (const struct tls_root_ctx *ctx)
 {
-#if OPENSSL_VERSION_NUMBER >= 0x10002000L
   int ret;
-  const X509 *cert = SSL_CTX_get0_certificate(ctx->ctx);
+  const X509 *cert;
+
+#if OPENSSL_VERSION_NUMBER >= 0x10002000L
+  /* OpenSSL 1.0.2 and up */
+  cert = SSL_CTX_get0_certificate(ctx->ctx);
+#else
+  /* OpenSSL 1.0.1 and earlier need an SSL object to get at the certificate */
+  SSL *ssl = SSL_new(ctx->ctx);
+  cert = SSL_get_certificate(ssl);
+#endif
 
   ret = X509_cmp_time (X509_get_notBefore (cert), NULL);
   if (ret == 0)
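Review bot: the new `#else` branch never checks the result of `SSL_new(ctx->ctx)`, which returns NULL on allocation failure, and `SSL_get_certificate(ssl)` returns NULL when no certificate has been loaded into the context; `cert` then goes straight into `X509_get_notBefore (cert)` and the process crashes on a NULL dereference instead of logging anything. Suggest guarding both before the first comparison, e.g. `if (!ssl) { msg (M_WARN, "..."); return; }` after `SSL_new`, and a `cert` NULL check (covering the 1.0.2 `SSL_CTX_get0_certificate()` path too) before `X509_cmp_time`.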
@@ -376,6 +384,8 @@ tls_ctx_check_cert_time (const struct tls_root_ctx *ctx)
     {
       msg (M_WARN, "WARNING: Your certificate has expired!");
     }
+#if OPENSSL_VERSION_NUMBER < 0x10002000L
+  SSL_free(ssl);
 #endif
 }
 
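Review bot: the unchanged `#endif` here used to close the `>= 0x10002000L` guard that wrapped the whole function body and is now reused to close the new `< 0x10002000L` block; that pairs up correctly, but the first hunk picks the fallback via `#else` under a `>=` test while this hunk tests `<`, so a reader has to convince themselves the two conditions are exact complements of the same boundary. Suggest using the same comparison in both places and labelling the close, e.g. `#endif /* OPENSSL_VERSION_NUMBER < 0x10002000L */`, so the `SSL_new`/`SSL_free` pair is visibly matched.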
-- 
1.7.3.5
