We're considering using shorter-lived client certificates for our VPN users. In an effort to prevent negative impact for our staff due to expired certificates, we'd like to keep track of imminent expiration of certificates in the client-connect script (which we're using anyway to check if the certificate matches the user id). Many certificate attributes are passed to the script, but not the "NotAfter" and "NotBefore" attributes.
The attached patch adds these to the mix.

Rolf
diff -ruN openvpn-2.4.7.orig/src/openvpn/ssl_verify.c openvpn-2.4.7/src/openvpn/ssl_verify.c --- openvpn-2.4.7.orig/src/openvpn/ssl_verify.c 2019-02-20 13:28:23.000000000 +0100 +++ openvpn-2.4.7/src/openvpn/ssl_verify.c 2019-08-15 20:57:29.803381111 +0200 @@ -448,6 +448,25 @@ } /* + * Export ASN1_TIME items to the environment + */ +static void +setenv_ASN1_TIME(struct env_set *es, char *envname, int envnamesize, + char *envprefix, int depth, const ASN1_TIME *asn1_time) +{ + char timestamp[32]; + BIO *mem; + + mem = BIO_new(BIO_s_mem()); + if (ASN1_TIME_print (mem, asn1_time)) { + timestamp[BIO_read(mem, timestamp, sizeof(timestamp)-1)] = '\0'; + openvpn_snprintf(envname, envnamesize, "%s_%d", envprefix, depth); + setenv_str(es, envname, timestamp); + } + BIO_free(mem); +} + +/* * Export the subject, common_name, and raw certificate fields to the * environment for later verification by scripts and plugins. */ @@ -505,6 +524,12 @@ openvpn_snprintf(envname, sizeof(envname), "tls_serial_hex_%d", cert_depth); setenv_str(es, envname, serial); + setenv_ASN1_TIME(es, envname, sizeof(envname), "tls_notbefore", cert_depth, + X509_get_notBefore(peer_cert)); + + setenv_ASN1_TIME(es, envname, sizeof(envname), "tls_notafter", cert_depth, + X509_get_notAfter(peer_cert)); + gc_free(&gc); }
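Review bot: BIO_read() can return 0 or a negative value (it reports errors and an empty BIO that way), and `timestamp[BIO_read(mem, timestamp, sizeof(timestamp)-1)] = '\0';` in the new setenv_ASN1_TIME() uses that return value directly as an index, so a failed read becomes a NUL write before the start of the stack buffer; BIO_new() is also unchecked, and a NULL mem would be handed to ASN1_TIME_print(). Suggest capturing the length first, `int len = BIO_read(mem, timestamp, sizeof(timestamp) - 1);`, only terminating and exporting when `len > 0`, and returning early when BIO_new() fails. Two style points in the same hunk: `ASN1_TIME_print (mem, asn1_time)` has a space before the parenthesis, and the opening brace of the `if` sits on the same line, whereas the surrounding code puts braces on their own line.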
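Review bot: X509_get_notBefore()/X509_get_notAfter(), together with the BIO and ASN1_TIME calls in the helper, are OpenSSL-specific and are being added to ssl_verify.c, which OpenVPN 2.4 compiles for the mbedTLS backend as well, so this hunk breaks a `--with-crypto-library=mbedtls` build. Suggest routing the new fields through ssl_verify_backend.h (for example a backend function that fills a caller-supplied buffer with the formatted validity time) with implementations in ssl_verify_openssl.c and ssl_verify_mbedtls.c, so that ssl_verify.c keeps only the setenv logic. Two smaller items: the new tls_notbefore_{n}/tls_notafter_{n} variables need an entry in the "Environmental Variables" section of doc/openvpn.8 next to tls_serial_hex_{n}, and X509_get_notBefore()/X509_get_notAfter() are deprecated aliases since OpenSSL 1.1.0; X509_get0_notBefore()/X509_get0_notAfter() return the `const ASN1_TIME *` that the helper's parameter already expects.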
_______________________________________________ Openvpn-devel mailing list Openvpn-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openvpn-devel
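The post describes the consumer of the new variables, a client-connect script that warns about imminent expiry. The following is an added example of such a script, not part of the patch or of OpenVPN itself. It assumes GNU date (for `-d`), the "Mon DD HH:MM:SS YYYY GMT" text that OpenSSL's ASN1_TIME_print() emits (the same format `openssl x509 -enddate` prints), and a warning threshold WARN_DAYS chosen here. The sample timestamp is constructed, not taken from a real certificate.

```shell
#!/bin/sh
# Added example, not part of the patch or of OpenVPN: a client-connect script
# fragment that consumes the tls_notafter_0 variable the patch proposes and
# logs a warning when the peer certificate is close to expiry, without
# rejecting the client (a non-zero exit from client-connect would do that).
# Assumptions: GNU date (for -d) and the "Mon DD HH:MM:SS YYYY GMT" text that
# OpenSSL's ASN1_TIME_print() produces; WARN_DAYS is a threshold chosen here.

WARN_DAYS=${WARN_DAYS:-14}

# seconds_until NOTAFTER NOW_EPOCH
# Prints the number of seconds from NOW_EPOCH until NOTAFTER (negative once
# the certificate has expired). Returns 2 if the timestamp does not parse.
seconds_until() {
    notafter_epoch=$(date -u -d "$1" +%s 2>/dev/null) || return 2
    now_epoch=$2
    echo $(( notafter_epoch - now_epoch ))
}

# check_expiry NOTAFTER NOW_EPOCH
# Exit status: 0 = fine, 1 = expires within WARN_DAYS, 2 = expired or unparseable.
check_expiry() {
    secs=$(seconds_until "$1" "$2") || return 2
    if [ "$secs" -lt 0 ]; then
        return 2
    fi
    if [ "$secs" -lt $(( WARN_DAYS * 86400 )) ]; then
        return 1
    fi
    return 0
}

# When run by OpenVPN as client-connect, the environment carries the exported
# certificate fields; outside OpenVPN, fall back to a constructed sample value.
if [ -n "${tls_notafter_0:-}" ]; then
    notafter=$tls_notafter_0
    cn=${common_name:-unknown}
else
    notafter="Aug 15 20:57:29 2019 GMT"   # constructed sample, not a real cert
    cn="sample"
fi

rc=0
check_expiry "$notafter" "$(date -u +%s)" || rc=$?
case $rc in
    1) echo "client-connect: certificate for $cn expires soon ($notafter)" >&2 ;;
    2) echo "client-connect: certificate for $cn expired or unparseable ($notafter)" >&2 ;;
esac
# No explicit non-zero exit: expiry itself is already enforced by the TLS
# handshake, and the point of this script is to warn while the certificate is
# still valid. The script's status is that of the last command, i.e. success.
```

The warning goes to stderr so it lands in the OpenVPN log next to the connection record; a real deployment would more likely feed it to whatever alerting the helpdesk watches. The parse step is the same one commonly used with `openssl x509 -enddate`, which is why the human-readable ASN1_TIME_print() output is workable from shell even though an epoch value would be easier to compare.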