Hi,

On Wed, Dec 23, 2015 at 04:11:17PM +0100, Jan Just Keijser wrote:
> I just wanted to get back to this one one more time: attached is a
> patch to ssl_openssl.c that works in combination with Steffan's patch to
> check for expired certificates. This new patch-patch works on my CentOS
> 6 (openssl 1.0.1e) box :) This patch was done against the v2.3.9 code
> base and I have no clue how to get it into proper git formatting ;)
Great discovery :-) - and it nicely works for me:

Sat Dec 26 10:11:14 2015 OpenVPN 2.3_git [git:ssl-expire/0f7319906a9dff58+] amd64-unknown-freebsd7.4 [SSL (OpenSSL)] [LZO] [LZ4] [MH] [IPv6] built on Dec 26 2015
Sat Dec 26 10:11:14 2015 library versions: OpenSSL 0.9.8q 2 Dec 2010, LZO 2.04
Sat Dec 26 10:11:16 2015 WARNING: Your certificate has expired!

this is about as old as it gets - thanks a lot.

Mogrified into a patch against git master with the SSL_free() moved to the right place attached below, for Steffan to ACK.

gert
--
USENET is *not* the non-clickable part of WWW!   //www.muc.de/~gert/
Gert Doering - Munich, Germany   g...@greenie.muc.de
fax: +49-89-35655025   g...@net.informatik.tu-muenchen.de
From cc94bfe47840f3b4815e3ab1f0b65267d992bd08 Mon Sep 17 00:00:00 2001 From: Jan Just Keijser <janj...@nikhef.nl> List-Post: openvpn-devel@lists.sourceforge.net Date: Sat, 26 Dec 2015 10:15:04 +0100 Subject: [PATCH] Make certificate expiry warning patch (091edd8e299686) work on OpenSSL 1.0.1 and earlier. Integrating feedback from Steffan Karger, tested by Gert Doering on FreeBSD 7.4 / OpenSSL 0.9.8. Signed-off-by: Gert Doering <g...@greenie.muc.de> --- src/openvpn/ssl_openssl.c | 14 ++++++++++++-- 1 files changed, 12 insertions(+), 2 deletions(-) diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 4792b08..0a7f14b 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -353,9 +353,17 @@ tls_ctx_restrict_ciphers(struct tls_root_ctx *ctx, const char *ciphers) void tls_ctx_check_cert_time (const struct tls_root_ctx *ctx) { -#if OPENSSL_VERSION_NUMBER >= 0x10002000L int ret; - const X509 *cert = SSL_CTX_get0_certificate(ctx->ctx); + const X509 *cert; + +#if OPENSSL_VERSION_NUMBER >= 0x10002000L + /* OpenSSL 1.0.2 and up */ + cert = SSL_CTX_get0_certificate(ctx->ctx); +#else + /* OpenSSL 1.0.1 and earlier need an SSL object to get at the certificate */ + SSL *ssl = SSL_new(ctx->ctx); + cert = SSL_get_certificate(ssl); +#endif ret = X509_cmp_time (X509_get_notBefore (cert), NULL); if (ret == 0) @@ -376,6 +384,8 @@ tls_ctx_check_cert_time (const struct tls_root_ctx *ctx) { msg (M_WARN, "WARNING: Your certificate has expired!"); } +#if OPENSSL_VERSION_NUMBER < 0x10002000L + SSL_free(ssl); #endif } -- 1.7.3.5
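Review bot: in the first hunk, the `#else` branch does `cert = SSL_get_certificate(ssl)` without checking that `SSL_new(ctx->ctx)` returned a non-NULL object, and neither branch checks `cert` before it is handed to `X509_get_notBefore (cert)`, so an allocation failure or a context with no certificate loaded ends in a NULL dereference instead of a warning. Suggest a guard right after the `#endif`, e.g. `if (!cert) { msg (M_WARN, "..."); return; }`, with `SSL_free(ssl)` done before that return in the pre-1.0.2 branch. On the second hunk: in the legacy branch `cert` is owned by the `ssl` object, so the `SSL_free(ssl)` must stay after the last use of `cert` as it is now, and any early return added between the two hunks needs the same conditional free.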