author | ailin-nemui <ailin-nemui@users.noreply.github.com> | 2017-02-15 15:49:00 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2017-02-15 15:49:00 +0100 |
commit | 540639e0faee2dac9ff60fcf5e2ab0334a1ad5d9 (patch) | |
tree | cc77f1324a8a3dcfae7b03c8b2a900e8c04dff73 | |
parent | e1334651682d720c21c34265fc1e9af2c53dc5b3 (diff) | |
parent | 697dd19d887c58930c76de68268d58f2251904d6 (diff) | |
Merge pull request #627 from LemonBoy/ssl-expiry
Check whether the client certificate is expired.
-rw-r--r-- | src/core/network-openssl.c | 36 |
1 files changed, 29 insertions, 7 deletions
diff --git a/src/core/network-openssl.c b/src/core/network-openssl.c
index 36b8d887..4de3cb3c 100644
--- a/src/core/network-openssl.c
+++ b/src/core/network-openssl.c
@@ -438,16 +438,38 @@ static GIOChannel *irssi_ssl_get_iochannel(GIOChannel *handle, int port, SERVER_
 	if (mycert && *mycert) {
 		char *scert = NULL, *spkey = NULL;
+		FILE *fp;
 		scert = convert_home(mycert);
 		if (mypkey && *mypkey)
 			spkey = convert_home(mypkey);
-		ERR_clear_error();
-		if (! SSL_CTX_use_certificate_file(ctx, scert, SSL_FILETYPE_PEM))
-			g_warning("Loading of client certificate '%s' failed: %s", mycert, ERR_reason_error_string(ERR_get_error()));
-		else if (! SSL_CTX_use_PrivateKey_file(ctx, spkey ? spkey : scert, SSL_FILETYPE_PEM))
-			g_warning("Loading of private key '%s' failed: %s", mypkey ? mypkey : mycert, ERR_reason_error_string(ERR_get_error()));
-		else if (! SSL_CTX_check_private_key(ctx))
-			g_warning("Private key does not match the certificate");
+
+		if ((fp = fopen(scert, "r"))) {
+			X509 *cert;
+			/* Let's parse the certificate by hand instead of using
+			 * SSL_CTX_use_certificate_file so that we can validate
+			 * some parts of it. */
+			cert = PEM_read_X509(fp, NULL, get_pem_password_callback, (void *)mypass);
+			if (cert != NULL) {
+				/* Only the expiration date is checked right now */
+				if (X509_cmp_current_time(X509_get_notAfter(cert)) <= 0 ||
+				    X509_cmp_current_time(X509_get_notBefore(cert)) >= 0)
+					g_warning("The client certificate is expired");
+
+				ERR_clear_error();
+				if (! SSL_CTX_use_certificate(ctx, cert))
+					g_warning("Loading of client certificate '%s' failed: %s", mycert, ERR_reason_error_string(ERR_get_error()));
+				else if (! SSL_CTX_use_PrivateKey_file(ctx, spkey ? spkey : scert, SSL_FILETYPE_PEM))
+					g_warning("Loading of private key '%s' failed: %s", mypkey ? mypkey : mycert, ERR_reason_error_string(ERR_get_error()));
+				else if (! SSL_CTX_check_private_key(ctx))
+					g_warning("Private key does not match the certificate");
+
+				X509_free(cert);
+			} else
+				g_warning("Loading of client certificate '%s' failed: %s", mycert, ERR_reason_error_string(ERR_get_error()));
+
+			fclose(fp);
+		} else
+			g_warning("Could not find client certificate '%s'", scert);
 		g_free(scert);
 		g_free(spkey);
 	}
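Review bot: The `cert == NULL` branch reports `ERR_reason_error_string(ERR_get_error())` without a preceding `ERR_clear_error()`, so a stale entry left in OpenSSL's error queue by an earlier call can be printed as the reason the PEM parse failed; the old code cleared the queue before its first OpenSSL call, and the new code only clears it inside the `cert != NULL` branch after `PEM_read_X509` has already run. Move the call up so it covers both paths: `ERR_clear_error();` immediately before `cert = PEM_read_X509(fp, NULL, get_pem_password_callback, (void *)mypass);`. Separately, the validity check also fires when `notBefore` is in the future (and, per the `<= 0`/`>= 0` comparisons, when `X509_cmp_current_time` returns 0 for an unparseable time), yet the only message is "The client certificate is expired"; splitting the two conditions, e.g. `if (X509_cmp_current_time(X509_get_notBefore(cert)) >= 0) g_warning("The client certificate is not yet valid");`, would tell the user which field to look at, and noting in the comment that the certificate is still loaded after the warning would make the intent explicit. The `fopen` failure message "Could not find client certificate" also covers permission and other errors; appending `g_strerror(errno)` would make that distinction visible. The enclosing `irssi_ssl_get_iochannel` begins and ends outside this hunk.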