From e196ef967c91d028e3dd60492e29e65ce941ba6f Mon Sep 17 00:00:00 2001 From: Sadie Powell Date: Wed, 10 May 2023 10:59:27 +0100 Subject: Show more details about unactivated/expired client certificates. --- src/modules/extra/m_ssl_gnutls.cpp | 9 +++++++-- src/modules/extra/m_ssl_mbedtls.cpp | 13 +++++++++++-- src/modules/extra/m_ssl_openssl.cpp | 18 +++++++++++------- 3 files changed, 29 insertions(+), 11 deletions(-) (limited to 'src') diff --git a/src/modules/extra/m_ssl_gnutls.cpp b/src/modules/extra/m_ssl_gnutls.cpp index 07ee059d1..068d036fb 100644 --- a/src/modules/extra/m_ssl_gnutls.cpp +++ b/src/modules/extra/m_ssl_gnutls.cpp @@ -40,6 +40,7 @@ /// $PackageInfo: require_system("ubuntu") gnutls-bin libgnutls28-dev pkg-config #include "inspircd.h" +#include "duration.h" #include "fileutils.h" #include "modules/ssl.h" @@ -735,7 +736,9 @@ private: } else if (certinfo->activation >= ServerInstance->Time()) { - certinfo->error = "Certificate not activated"; + certinfo->error = INSP_FORMAT("Certificate not active for {} (on {})", + Duration::ToString(certinfo->activation - ServerInstance->Time()), + InspIRCd::TimeString(certinfo->activation)); } certinfo->expiration = gnutls_x509_crt_get_expiration_time(cert); @@ -746,7 +749,9 @@ private: } else if (certinfo->expiration <= ServerInstance->Time()) { - certinfo->error = "Certificate has expired"; + certinfo->error = INSP_FORMAT("Certificate expired {} ago (on {})", + Duration::ToString(ServerInstance->Time() - certinfo->expiration), + InspIRCd::TimeString(certinfo->expiration)); } info_done_dealloc: diff --git a/src/modules/extra/m_ssl_mbedtls.cpp b/src/modules/extra/m_ssl_mbedtls.cpp index 5dfc112c5..9de0c8f7b 100644 --- a/src/modules/extra/m_ssl_mbedtls.cpp +++ b/src/modules/extra/m_ssl_mbedtls.cpp @@ -27,6 +27,7 @@ #include "inspircd.h" +#include "duration.h" #include "modules/ssl.h" #ifdef _WIN32 @@ -648,9 +649,17 @@ private: // Verification failed certificate->trusted = false; if (flags & MBEDTLS_X509_BADCERT_FUTURE) - certificate->error = "Certificate not activated"; + { + certificate->error = INSP_FORMAT("Certificate not active for {} (on {})", + Duration::ToString(certificate->activation - ServerInstance->Time()), + InspIRCd::TimeString(certificate->activation)); + } else if (flags & MBEDTLS_X509_BADCERT_EXPIRED) - certificate->error = "Certificate has expired"; + { + certificate->error = INSP_FORMAT("Certificate expired {} ago (on {})", + Duration::ToString(ServerInstance->Time() - certificate->expiration), + InspIRCd::TimeString(certificate->expiration)); + } } certificate->unknownsigner = (flags & MBEDTLS_X509_BADCERT_NOT_TRUSTED); diff --git a/src/modules/extra/m_ssl_openssl.cpp b/src/modules/extra/m_ssl_openssl.cpp index 5945b66e8..23f64f7c2 100644 --- a/src/modules/extra/m_ssl_openssl.cpp +++ b/src/modules/extra/m_ssl_openssl.cpp @@ -41,6 +41,7 @@ #include "inspircd.h" +#include "duration.h" #include "iohook.h" #include "modules/ssl.h" @@ -624,11 +625,19 @@ private: int activated = ASN1_UTCTIME_cmp_time_t(X509_getm_notBefore(cert), ServerInstance->Time()); if (activated != -1 && activated != 0) - certinfo->error = "Certificate not activated"; + { + certinfo->error = INSP_FORMAT("Certificate not active for {} (on {})", + Duration::ToString(certinfo->activation - ServerInstance->Time()), + InspIRCd::TimeString(certinfo->activation)); + } int expired = ASN1_UTCTIME_cmp_time_t(X509_getm_notAfter(cert), ServerInstance->Time()); if (expired != 0 && expired != 1) - certinfo->error = "Certificate has expired"; + { + certinfo->error = INSP_FORMAT("Certificate expired {} ago (on {})", + Duration::ToString(ServerInstance->Time() - certinfo->expiration), + InspIRCd::TimeString(certinfo->expiration)); + } X509_free(cert); } @@ -645,7 +654,6 @@ private: static time_t GetTime(ASN1_TIME* x509time) { -#if OPENSSL_VERSION_NUMBER >= 0x10101000L if (!x509time) return 0; @@ -654,10 +662,6 @@ private: return 0; return timegm(&ts); -#else - // OpenSSL 1.1 is required for ASN_TIME_to_tm. - return 0; -#endif } void SSLInfoCallback(int where, int rc) -- cgit v1.3.1-10-gc9f91