aboutsummaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorGravatar Sadie Powell2023-05-10 10:59:27 +0100
committerGravatar Sadie Powell2023-05-10 10:59:27 +0100
commite196ef967c91d028e3dd60492e29e65ce941ba6f (patch)
treeca0e129d2b9efaba35a17806f723c8196ff60eff /src
parentRename threadsocket to thread. (diff)
Show more details about unactivated/expired client certificates.
Diffstat (limited to 'src')
-rw-r--r--src/modules/extra/m_ssl_gnutls.cpp9
-rw-r--r--src/modules/extra/m_ssl_mbedtls.cpp13
-rw-r--r--src/modules/extra/m_ssl_openssl.cpp18
3 files changed, 29 insertions, 11 deletions
diff --git a/src/modules/extra/m_ssl_gnutls.cpp b/src/modules/extra/m_ssl_gnutls.cpp
index 07ee059d1..068d036fb 100644
--- a/src/modules/extra/m_ssl_gnutls.cpp
+++ b/src/modules/extra/m_ssl_gnutls.cpp
@@ -40,6 +40,7 @@
/// $PackageInfo: require_system("ubuntu") gnutls-bin libgnutls28-dev pkg-config
#include "inspircd.h"
+#include "duration.h"
#include "fileutils.h"
#include "modules/ssl.h"
@@ -735,7 +736,9 @@ private:
}
else if (certinfo->activation >= ServerInstance->Time())
{
- certinfo->error = "Certificate not activated";
+ certinfo->error = INSP_FORMAT("Certificate not active for {} (on {})",
+ Duration::ToString(certinfo->activation - ServerInstance->Time()),
+ InspIRCd::TimeString(certinfo->activation));
}
certinfo->expiration = gnutls_x509_crt_get_expiration_time(cert);
@@ -746,7 +749,9 @@ private:
}
else if (certinfo->expiration <= ServerInstance->Time())
{
- certinfo->error = "Certificate has expired";
+ certinfo->error = INSP_FORMAT("Certificate expired {} ago (on {})",
+ Duration::ToString(ServerInstance->Time() - certinfo->expiration),
+ InspIRCd::TimeString(certinfo->expiration));
}
info_done_dealloc:
diff --git a/src/modules/extra/m_ssl_mbedtls.cpp b/src/modules/extra/m_ssl_mbedtls.cpp
index 5dfc112c5..9de0c8f7b 100644
--- a/src/modules/extra/m_ssl_mbedtls.cpp
+++ b/src/modules/extra/m_ssl_mbedtls.cpp
@@ -27,6 +27,7 @@
#include "inspircd.h"
+#include "duration.h"
#include "modules/ssl.h"
#ifdef _WIN32
@@ -648,9 +649,17 @@ private:
// Verification failed
certificate->trusted = false;
if (flags & MBEDTLS_X509_BADCERT_FUTURE)
- certificate->error = "Certificate not activated";
+ {
+ certificate->error = INSP_FORMAT("Certificate not active for {} (on {})",
+ Duration::ToString(certificate->activation - ServerInstance->Time()),
+ InspIRCd::TimeString(certificate->activation));
+ }
else if (flags & MBEDTLS_X509_BADCERT_EXPIRED)
- certificate->error = "Certificate has expired";
+ {
+ certificate->error = INSP_FORMAT("Certificate expired {} ago (on {})",
+ Duration::ToString(ServerInstance->Time() - certificate->expiration),
+ InspIRCd::TimeString(certificate->expiration));
+ }
}
certificate->unknownsigner = (flags & MBEDTLS_X509_BADCERT_NOT_TRUSTED);
diff --git a/src/modules/extra/m_ssl_openssl.cpp b/src/modules/extra/m_ssl_openssl.cpp
index 5945b66e8..23f64f7c2 100644
--- a/src/modules/extra/m_ssl_openssl.cpp
+++ b/src/modules/extra/m_ssl_openssl.cpp
@@ -41,6 +41,7 @@
#include "inspircd.h"
+#include "duration.h"
#include "iohook.h"
#include "modules/ssl.h"
@@ -624,11 +625,19 @@ private:
int activated = ASN1_UTCTIME_cmp_time_t(X509_getm_notBefore(cert), ServerInstance->Time());
if (activated != -1 && activated != 0)
- certinfo->error = "Certificate not activated";
+ {
+ certinfo->error = INSP_FORMAT("Certificate not active for {} (on {})",
+ Duration::ToString(certinfo->activation - ServerInstance->Time()),
+ InspIRCd::TimeString(certinfo->activation));
+ }
int expired = ASN1_UTCTIME_cmp_time_t(X509_getm_notAfter(cert), ServerInstance->Time());
if (expired != 0 && expired != 1)
- certinfo->error = "Certificate has expired";
+ {
+ certinfo->error = INSP_FORMAT("Certificate expired {} ago (on {})",
+ Duration::ToString(ServerInstance->Time() - certinfo->expiration),
+ InspIRCd::TimeString(certinfo->expiration));
+ }
X509_free(cert);
}
@@ -645,7 +654,6 @@ private:
static time_t GetTime(ASN1_TIME* x509time)
{
-#if OPENSSL_VERSION_NUMBER >= 0x10101000L
if (!x509time)
return 0;
@@ -654,10 +662,6 @@ private:
return 0;
return timegm(&ts);
-#else
- // OpenSSL 1.1 is required for ASN_TIME_to_tm.
- return 0;
-#endif
}
void SSLInfoCallback(int where, int rc)