From patchwork Fri Apr 17 16:46:38 2026
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 4896
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Fri, 17 Apr 2026 18:46:38 +0200
Message-ID: <20260417164644.17897-1-gert@greenie.muc.de>
Subject: [Openvpn-devel] [PATCH v5] OpenSSL 4.0: Use X509_check_certificate_times instead of X509_cmp_time

From: Arne Schwabe The X509_cmp_time function is deprecated in OpenSSL 4.0. So we avoid it and use the new API. Change-Id: I6c2eda0e5bbb3a70b404f821e25ded81f0f5ddd5 Signed-off-by: Arne Schwabe Acked-by: Gert Doering Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1595 --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1595 This mail reflects revision 5 of this Change. Acked-by according to Gerrit (reflected above): Gert Doering diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index efe5b5b..6130dc3 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -634,6 +634,7 @@ #endif /* if OPENSSL_VERSION_NUMBER < 0x30000000L */ } +#if OPENSSL_VERSION_NUMBER < 0x40000000L void tls_ctx_check_cert_time(const struct tls_root_ctx *ctx) { 
@@ -669,6 +670,60 @@ msg(M_WARN, "WARNING: Your certificate has expired!"); } } +#else +void +tls_ctx_check_cert_time(const struct tls_root_ctx *ctx) +{ + const X509 *cert; + ASSERT(ctx); + + cert = SSL_CTX_get0_certificate(ctx->ctx); + + if (cert == NULL) + { + return; /* Nothing to check if there is no certificate */ + } + + X509_VERIFY_PARAM *vpm = X509_VERIFY_PARAM_new(); + + if (vpm == NULL) + { + msg(D_TLS_DEBUG_MED, "Failed to initialise certificate verification parameters."); + return; + } + + X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_USE_CHECK_TIME); + X509_VERIFY_PARAM_set_time(vpm, now); + + int error = 0; + int ret = X509_check_certificate_times(vpm, cert, &error); + X509_VERIFY_PARAM_free(vpm); + + if (ret == 1) + { + return; + } + + switch (error) + { + case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: + msg(D_TLS_DEBUG_MED, "Failed to read certificate notBefore field."); + break; + + case X509_V_ERR_CERT_NOT_YET_VALID: + msg(M_WARN, "WARNING: Your certificate is not yet valid!"); + break; + + case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: + msg(D_TLS_DEBUG_MED, "Failed to read certificate notAfter field."); + break; + + case X509_V_ERR_CERT_HAS_EXPIRED: + msg(M_WARN, "WARNING: Your certificate has expired!"); + break; + } +} +#endif void tls_ctx_load_dh_params(struct tls_root_ctx *ctx, const char *dh_file, bool dh_file_inline)
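
Review bot: The `#if OPENSSL_VERSION_NUMBER < 0x40000000L` guard added in the first hunk is closed by a bare `#else` and a bare `#endif` in the second hunk, while the context line directly above it uses the annotated form `#endif /* if OPENSSL_VERSION_NUMBER < 0x30000000L */`. Since the guard now wraps two complete copies of tls_ctx_check_cert_time, annotating the `#else` and `#endif` with the version condition in that same style would make it clear which copy a reader is looking at.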
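
Review bot: The `switch (error)` at the end of the new tls_ctx_check_cert_time has no `default:` case, so when X509_check_certificate_times returns something other than 1 with an error code outside the four listed (or with `error` still 0), the function returns without logging anything. A `default:` branch that logs the numeric error at D_TLS_DEBUG_MED would keep an unexpected failure visible. The return value of `X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_USE_CHECK_TIME);` is also ignored; if setting the flag fails, the check may not use the time passed to X509_VERIFY_PARAM_set_time, so it is worth checking and bailing out the same way as the `vpm == NULL` path.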