Warn user of expired cert

eggheads · Feb 13, 2023 · 44ffcfc · 44ffcfc
1 parent 23386ce
commit 44ffcfc
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 0 deletions.
diff --git a/src/main.c b/src/main.c
@@ -681,6 +681,7 @@ static void core_secondly()
             logs[j].f = NULL;
           }
         }
+        verify_cert_expiry();
       }
     }
     if (nowtm.tm_min == notify_users_at)

diff --git a/src/proto.h b/src/proto.h
@@ -310,6 +310,7 @@ int readtclprog(char *fname);
 
 /* tls.c */
 #ifdef TLS
+void verify_cert_expiry();
 int ssl_handshake(int, int, int, int, char *, IntFunc);
 char *ssl_fpconv(char *in, char *out);
 const char *ssl_getuid(int sock);

diff --git a/src/tls.c b/src/tls.c
@@ -109,6 +109,13 @@ static int ssl_seed(void)
   return 0;
 }
 
+void verify_cert_expiry() {
+  X509 *x509;
+  if ((x509 = SSL_CTX_get0_certificate(ssl_ctx)) &&
+      (ASN1_TIME_cmp_time_t(X509_get0_notAfter(x509), time(NULL)) < 0))
+    putlog(LOG_MISC, "*", "WARNING: certificate expired: %s", tls_certfile);
+}
+
 /* Prepares and initializes SSL stuff
  *
  * Creates a context object, supporting SSLv2/v3 & TLSv1 protocols;
@@ -157,6 +164,7 @@ int ssl_init()
           tls_certfile, ERR_error_string(ERR_get_error(), NULL));
       fatal("Unable to load TLS certificate (ssl-certificate config setting)!", 0);
     }
+    verify_cert_expiry();
     if (SSL_CTX_use_PrivateKey_file(ssl_ctx, tls_keyfile, SSL_FILETYPE_PEM) != 1) {
       putlog(LOG_MISC, "*", "ERROR: TLS: unable to load private key from %s: %s",
           tls_keyfile, ERR_error_string(ERR_get_error(), NULL));
-Original file line number
+Diff line change
@@ Expand Up / @@ -681,6 +681,7 @@ static void core_secondly() @@
                 logs[j].f = NULL;
               }
             }
+            verify_cert_expiry();
           }
         }
         if (nowtm.tm_min == notify_users_at)
@@ Expand Down @@