plaisthos has uploaded this change for review. ( http://gerrit.openvpn.net/c/openvpn/+/1595?usp=email )
Change subject: OpenSSL 4.0: Use X509_check_certificate_times instead of X509_cmp_time ...................................................................... OpenSSL 4.0: Use X509_check_certificate_times instead of X509_cmp_time The X509_cmp_time function is deprecated in OpenSSL 4.0. So we avoid it and use the new API. Change-Id: I6c2eda0e5bbb3a70b404f821e25ded81f0f5ddd5 Signed-off-by: Arne Schwabe <[email protected]> --- M src/openvpn/ssl_openssl.c 1 file changed, 47 insertions(+), 0 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/95/1595/1 diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index c8dd55a..4650b85 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -634,6 +634,7 @@ #endif /* if OPENSSL_VERSION_NUMBER < 0x30000000L */ } +#if OPENSSL_VERSION_NUMBER < 0x40000000L void tls_ctx_check_cert_time(const struct tls_root_ctx *ctx) { 
@@ -669,6 +670,52 @@ msg(M_WARN, "WARNING: Your certificate has expired!"); } } +#else +void +tls_ctx_check_cert_time(const struct tls_root_ctx *ctx) +{ + const X509 *cert; + ASSERT(ctx); + + cert = SSL_CTX_get0_certificate(ctx->ctx); + + if (cert == NULL) + { + return; /* Nothing to check if there is no certificate */ + } + + X509_VERIFY_PARAM *vpm = X509_VERIFY_PARAM_new(); + + if (vpm == NULL) + { + msg(D_TLS_DEBUG_MED, "Failed to initialise certificate verification parameters."); + } + + X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_USE_CHECK_TIME); + X509_VERIFY_PARAM_set_time(vpm, now); + + int error = 0; + int ret = X509_check_certificate_times(vpm, cert, &error); + + if (error == X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD) + { + msg(D_TLS_DEBUG_MED, "Failed to read certificate notBefore field."); + } + if (error == X509_V_ERR_CERT_NOT_YET_VALID) + { + msg(M_WARN, "WARNING: Your certificate is not yet valid!"); + } + if (ret == X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD) + { + msg(D_TLS_DEBUG_MED, "Failed to read certificate notAfter field."); + } + if (error == X509_V_ERR_CERT_HAS_EXPIRED) + { + msg(M_WARN, "WARNING: Your certificate has expired!"); + } + X509_VERIFY_PARAM_free(vpm); +} +#endif void tls_ctx_load_dh_params(struct tls_root_ctx *ctx, const char *dh_file, bool dh_file_inline) -- To view, visit http://gerrit.openvpn.net/c/openvpn/+/1595?usp=email To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings?usp=email Gerrit-MessageType: newchange Gerrit-Project: openvpn Gerrit-Branch: master Gerrit-Change-Id: I6c2eda0e5bbb3a70b404f821e25ded81f0f5ddd5 Gerrit-Change-Number: 1595 Gerrit-PatchSet: 1 Gerrit-Owner: plaisthos <[email protected]> Gerrit-CC: openvpn-devel <[email protected]>
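Review bot: In the new `#else` branch of `tls_ctx_check_cert_time`, the `vpm == NULL` check only logs and then falls through, so `X509_VERIFY_PARAM_set_flags(vpm, ...)` and the calls after it are made with a NULL pointer when the allocation fails; add `return;` after that `msg(...)`. The notAfter diagnostic tests `ret` while the other three tests use `error`. If `X509_check_certificate_times` returns a plain success/failure value, as its use here suggests, that branch can never fire and a malformed notAfter field goes unreported; it should read `if (error == X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD)`. After that change `ret` is unused, so either drop it or use it to skip the error checks on success.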
