summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorBoris Lytochkin <lytboris@yandex-team.ru>2015-09-20 17:05:22 +0300
committerGert Doering <gert@greenie.muc.de>2015-09-20 18:46:19 +0200
commit767e4c56becbfeea525e4695a810593f373883cd (patch)
treeba121d7e342934a9504ca52c77700a4268dce6f0
parentfa5697f022110f557710f709c9ac0a3420bb073c (diff)
downloadopenvpn-767e4c56becbfeea525e4695a810593f373883cd.zip
openvpn-767e4c56becbfeea525e4695a810593f373883cd.tar.gz
openvpn-767e4c56becbfeea525e4695a810593f373883cd.tar.xz
Log serial number of revoked certificate
In most of situations admin of OpenVPN server needs to know which particular certificate is used by client. In the case when certificate is OK, environment variable can be used for that but once it is revoked, no user scripts are invoked so there is no way to get serial number: only subject is printed in logs. So we log certificate serial in case it is revoked. Sponsored-by: Yandex LLC Signed-off-by: Boris Lytochkin <lytboris@yandex-team.ru> Acked-by: Steffan Karger <steffan.karger@fox-it.com> Message-Id: <55FEBF7E.3010209@yandex-team.ru> URL: http://article.gmane.org/gmane.network.openvpn.devel/10154 Signed-off-by: Gert Doering <gert@greenie.muc.de>
-rw-r--r--src/openvpn/ssl_verify_openssl.c6
-rw-r--r--src/openvpn/ssl_verify_polarssl.c6
2 files changed, 10 insertions, 2 deletions
diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c
index 81b2e38..bf53522 100644
--- a/src/openvpn/ssl_verify_openssl.c
+++ b/src/openvpn/ssl_verify_openssl.c
@@ -585,6 +585,8 @@ x509_verify_crl(const char *crl_file, X509 *peer_cert, const char *subject)
BIO *in=NULL;
int n,i;
result_t retval = FAILURE;
+ struct gc_arena gc = gc_new();
+ char *serial;
in = BIO_new_file (crl_file, "r");
@@ -609,7 +611,8 @@ x509_verify_crl(const char *crl_file, X509 *peer_cert, const char *subject)
for (i = 0; i < n; i++) {
revoked = (X509_REVOKED *)sk_X509_REVOKED_value(X509_CRL_get_REVOKED(crl), i);
if (ASN1_INTEGER_cmp(revoked->serialNumber, X509_get_serialNumber(peer_cert)) == 0) {
- msg (D_HANDSHAKE, "CRL CHECK FAILED: %s is REVOKED",subject);
+ serial = backend_x509_get_serial_hex(peer_cert, &gc);
+ msg (D_HANDSHAKE, "CRL CHECK FAILED: %s (serial %s) is REVOKED", subject, (serial ? serial : "NOT AVAILABLE"));
goto end;
}
}
@@ -618,6 +621,7 @@ x509_verify_crl(const char *crl_file, X509 *peer_cert, const char *subject)
msg (D_HANDSHAKE, "CRL CHECK OK: %s",subject);
end:
+ gc_free(&gc);
BIO_free(in);
if (crl)
X509_CRL_free (crl);
diff --git a/src/openvpn/ssl_verify_polarssl.c b/src/openvpn/ssl_verify_polarssl.c
index 2edf21d..4852243 100644
--- a/src/openvpn/ssl_verify_polarssl.c
+++ b/src/openvpn/ssl_verify_polarssl.c
@@ -373,6 +373,8 @@ x509_verify_crl(const char *crl_file, x509_crt *cert, const char *subject)
{
result_t retval = FAILURE;
x509_crl crl = {0};
+ struct gc_arena gc = gc_new();
+ char *serial;
int polar_retval = x509_crl_parse_file(&crl, crl_file);
if (polar_retval != 0)
@@ -394,7 +396,8 @@ x509_verify_crl(const char *crl_file, x509_crt *cert, const char *subject)
if (0 != x509_crt_revoked(cert, &crl))
{
- msg (D_HANDSHAKE, "CRL CHECK FAILED: %s is REVOKED", subject);
+ serial = backend_x509_get_serial_hex(cert, &gc);
+ msg (D_HANDSHAKE, "CRL CHECK FAILED: %s (serial %s) is REVOKED", subject, (serial ? serial : "NOT AVAILABLE"));
goto end;
}
@@ -402,6 +405,7 @@ x509_verify_crl(const char *crl_file, x509_crt *cert, const char *subject)
msg (D_HANDSHAKE, "CRL CHECK OK: %s",subject);
end:
+ gc_free(&gc);
x509_crl_free(&crl);
return retval;
}