author | LemonBoy <thatlemon@gmail.com> | 2017-01-22 21:49:37 +0100 |
committer | LemonBoy <thatlemon@gmail.com> | 2017-01-22 21:58:55 +0100 |
commit | 697dd19d887c58930c76de68268d58f2251904d6 (patch) | |
tree | 0881127bd16c9e1bffbac117d70eae4c898c50ac /src/core | |
parent | 228f487a69cc032b368a0ae0daea6796b7d10d6e (diff) | |
download | irssi-697dd19d887c58930c76de68268d58f2251904d6.zip |
Check whether the client certificate is expired.
Right now we only warn the user; the connection keeps going.
Fixes #211
Diffstat (limited to 'src/core')
-rw-r--r-- | src/core/network-openssl.c | 36 |
1 files changed, 29 insertions, 7 deletions
diff --git a/src/core/network-openssl.c b/src/core/network-openssl.c
index 1eb85341..001e2d9d 100644
--- a/src/core/network-openssl.c
+++ b/src/core/network-openssl.c
@@ -420,16 +420,38 @@ static GIOChannel *irssi_ssl_get_iochannel(GIOChannel *handle, int port, SERVER_
 if (mycert && *mycert) {
 char *scert = NULL, *spkey = NULL;
+ FILE *fp;
 scert = convert_home(mycert);
 if (mypkey && *mypkey)
 spkey = convert_home(mypkey);
- ERR_clear_error();
- if (! SSL_CTX_use_certificate_file(ctx, scert, SSL_FILETYPE_PEM))
- g_warning("Loading of client certificate '%s' failed: %s", mycert, ERR_reason_error_string(ERR_get_error()));
- else if (! SSL_CTX_use_PrivateKey_file(ctx, spkey ? spkey : scert, SSL_FILETYPE_PEM))
- g_warning("Loading of private key '%s' failed: %s", mypkey ? mypkey : mycert, ERR_reason_error_string(ERR_get_error()));
- else if (! SSL_CTX_check_private_key(ctx))
- g_warning("Private key does not match the certificate");
+
+ if ((fp = fopen(scert, "r"))) {
+ X509 *cert;
+ /* Let's parse the certificate by hand instead of using
+ * SSL_CTX_use_certificate_file so that we can validate
+ * some parts of it. */
+ cert = PEM_read_X509(fp, NULL, get_pem_password_callback, (void *)mypass);
+ if (cert != NULL) {
+ /* Only the expiration date is checked right now */
+ if (X509_cmp_current_time(X509_get_notAfter(cert)) <= 0 ||
+ X509_cmp_current_time(X509_get_notBefore(cert)) >= 0)
+ g_warning("The client certificate is expired");
+
+ ERR_clear_error();
+ if (! SSL_CTX_use_certificate(ctx, cert))
+ g_warning("Loading of client certificate '%s' failed: %s", mycert, ERR_reason_error_string(ERR_get_error()));
+ else if (! SSL_CTX_use_PrivateKey_file(ctx, spkey ? spkey : scert, SSL_FILETYPE_PEM))
+ g_warning("Loading of private key '%s' failed: %s", mypkey ? mypkey : mycert, ERR_reason_error_string(ERR_get_error()));
+ else if (! SSL_CTX_check_private_key(ctx))
+ g_warning("Private key does not match the certificate");
+
+ X509_free(cert);
+ } else
+ g_warning("Loading of client certificate '%s' failed: %s", mycert, ERR_reason_error_string(ERR_get_error()));
+
+ fclose(fp);
+ } else
+ g_warning("Could not find client certificate '%s'", scert);
 g_free(scert);
 g_free(spkey);
 }
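Review bot: The PEM_read_X509 failure branch reports ERR_get_error() without first clearing the error queue, because ERR_clear_error() was moved from before the old SSL_CTX_use_certificate_file call to inside the `cert != NULL` branch, so a stale error left on the thread's queue by an earlier OpenSSL call can be misattributed to the certificate load; put `ERR_clear_error();` immediately before the `cert = PEM_read_X509(...)` line (the copy inside the inner branch can then go). The date check also fires when notBefore is still in the future, which the message "The client certificate is expired" does not describe; `g_warning("The client certificate is expired or not yet valid");` would cover both outcomes. X509_cmp_current_time() returns 0 when the ASN1 time cannot be parsed, which these comparisons treat as a warning condition — a reasonable default, but worth a one-line comment on the `if` so the next reader does not "fix" it. The enclosing function irssi_ssl_get_iochannel starts and ends outside the hunk.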