summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorailin-nemui <ailin-nemui@users.noreply.github.com>2017-02-15 15:49:00 +0100
committerGitHub <noreply@github.com>2017-02-15 15:49:00 +0100
commit540639e0faee2dac9ff60fcf5e2ab0334a1ad5d9 (patch)
treecc77f1324a8a3dcfae7b03c8b2a900e8c04dff73
parente1334651682d720c21c34265fc1e9af2c53dc5b3 (diff)
parent697dd19d887c58930c76de68268d58f2251904d6 (diff)
downloadirssi-540639e0faee2dac9ff60fcf5e2ab0334a1ad5d9.zip
Merge pull request #627 from LemonBoy/ssl-expiry
Check whether the client certificate is expired.
-rw-r--r--src/core/network-openssl.c36
1 files changed, 29 insertions, 7 deletions
diff --git a/src/core/network-openssl.c b/src/core/network-openssl.c
index 36b8d887..4de3cb3c 100644
--- a/src/core/network-openssl.c
+++ b/src/core/network-openssl.c
@@ -438,16 +438,38 @@ static GIOChannel *irssi_ssl_get_iochannel(GIOChannel *handle, int port, SERVER_
if (mycert && *mycert) {
char *scert = NULL, *spkey = NULL;
+ FILE *fp;
scert = convert_home(mycert);
if (mypkey && *mypkey)
spkey = convert_home(mypkey);
- ERR_clear_error();
- if (! SSL_CTX_use_certificate_file(ctx, scert, SSL_FILETYPE_PEM))
- g_warning("Loading of client certificate '%s' failed: %s", mycert, ERR_reason_error_string(ERR_get_error()));
- else if (! SSL_CTX_use_PrivateKey_file(ctx, spkey ? spkey : scert, SSL_FILETYPE_PEM))
- g_warning("Loading of private key '%s' failed: %s", mypkey ? mypkey : mycert, ERR_reason_error_string(ERR_get_error()));
- else if (! SSL_CTX_check_private_key(ctx))
- g_warning("Private key does not match the certificate");
+
+ if ((fp = fopen(scert, "r"))) {
+ X509 *cert;
+ /* Let's parse the certificate by hand instead of using
+ * SSL_CTX_use_certificate_file so that we can validate
+ * some parts of it. */
+ cert = PEM_read_X509(fp, NULL, get_pem_password_callback, (void *)mypass);
+ if (cert != NULL) {
+ /* Only the expiration date is checked right now */
+ if (X509_cmp_current_time(X509_get_notAfter(cert)) <= 0 ||
+ X509_cmp_current_time(X509_get_notBefore(cert)) >= 0)
+ g_warning("The client certificate is expired");
+
+ ERR_clear_error();
+ if (! SSL_CTX_use_certificate(ctx, cert))
+ g_warning("Loading of client certificate '%s' failed: %s", mycert, ERR_reason_error_string(ERR_get_error()));
+ else if (! SSL_CTX_use_PrivateKey_file(ctx, spkey ? spkey : scert, SSL_FILETYPE_PEM))
+ g_warning("Loading of private key '%s' failed: %s", mypkey ? mypkey : mycert, ERR_reason_error_string(ERR_get_error()));
+ else if (! SSL_CTX_check_private_key(ctx))
+ g_warning("Private key does not match the certificate");
+
+ X509_free(cert);
+ } else
+ g_warning("Loading of client certificate '%s' failed: %s", mycert, ERR_reason_error_string(ERR_get_error()));
+
+ fclose(fp);
+ } else
+ g_warning("Could not find client certificate '%s'", scert);
g_free(scert);
g_free(spkey);
}