From 44ffcfc05edf18c1669777e7b5efcf4be0388ce0 Mon Sep 17 00:00:00 2001
From: Michael Ortmann <41313082+michaelortmann@users.noreply.github.com>
Date: Mon, 13 Feb 2023 20:46:28 +0100
Subject: [PATCH] Warn user of expired cert
---
 src/main.c | 1 +
 src/proto.h | 1 +
 src/tls.c | 8 ++++++++
 3 files changed, 10 insertions(+)
diff --git a/src/main.c b/src/main.c
index 9ab60c6de..4a3146f0c 100644
--- a/src/main.c
+++ b/src/main.c
@@ -681,6 +681,7 @@ static void core_secondly()
 logs[j].f = NULL;
 }
 }
+ verify_cert_expiry();
 }
 }
 if (nowtm.tm_min == notify_users_at)
diff --git a/src/proto.h b/src/proto.h
index f1940773b..4c62922d9 100644
--- a/src/proto.h
+++ b/src/proto.h
@@ -310,6 +310,7 @@ int readtclprog(char *fname);
 /* tls.c */
 #ifdef TLS
+void verify_cert_expiry();
 int ssl_handshake(int, int, int, int, char *, IntFunc);
 char *ssl_fpconv(char *in, char *out);
 const char *ssl_getuid(int sock);
diff --git a/src/tls.c b/src/tls.c
index 5125a3a7d..a4296ddee 100644
--- a/src/tls.c
+++ b/src/tls.c
@@ -109,6 +109,13 @@ static int ssl_seed(void)
 return 0;
 }
+void verify_cert_expiry() {
+ X509 *x509;
+ if ((x509 = SSL_CTX_get0_certificate(ssl_ctx)) &&
+ (ASN1_TIME_cmp_time_t(X509_get0_notAfter(x509), time(NULL)) < 0))
+ putlog(LOG_MISC, "*", "WARNING: certificate expired: %s", tls_certfile);
+}
+
 /* Prepares and initializes SSL stuff
 *
 * Creates a context object, supporting SSLv2/v3 & TLSv1 protocols;
@@ -157,6 +164,7 @@ int ssl_init()
 tls_certfile, ERR_error_string(ERR_get_error(), NULL));
 fatal("Unable to load TLS certificate (ssl-certificate config setting)!", 0);
 }
+ verify_cert_expiry();
 if (SSL_CTX_use_PrivateKey_file(ssl_ctx, tls_keyfile, SSL_FILETYPE_PEM) != 1) {
 putlog(LOG_MISC, "*", "ERROR: TLS: unable to load private key from %s: %s",
 tls_keyfile, ERR_error_string(ERR_get_error(), NULL));
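Review bot: The verify_cert_expiry() call added to core_secondly is declared only inside `#ifdef TLS` in the proto.h hunk, so a build configured without TLS would see an implicit declaration here and an unresolved symbol at link time unless the enclosing block is already under a TLS guard, which this hunk does not show; if it is not, wrap the call as `#ifdef TLS` / `verify_cert_expiry();` / `#endif`. The hunk also does not show how often this branch of core_secondly runs; if it is the once-per-day housekeeping section the daily repeat of the warning is reasonable, but confirm it is not a per-second path, since the check logs unconditionally on every call. core_secondly begins and ends outside the hunk.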
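Review bot: `void verify_cert_expiry();` declares the function without a prototype, so calls are not checked against its parameter list; write it as `void verify_cert_expiry(void);` and use the same `(void)` form in the definition in the tls.c hunk. The neighbouring declarations in this proto.h section all carry full parameter lists, so the prototype form is also the local style.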
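Review bot: ASN1_TIME_cmp_time_t() returns -2 on error (for example an unparseable notAfter field) as well as -1 when the certificate time is before the supplied time_t, so the `< 0` test in verify_cert_expiry logs "certificate expired" for a certificate whose validity time merely failed to parse; compare explicitly, `ASN1_TIME_cmp_time_t(X509_get0_notAfter(x509), time(NULL)) == -1`, and consider a distinct log line for the error case. The function also reads the file-scope ssl_ctx and, via the main.c hunk, runs from the core_secondly timer; if that timer can fire before ssl_init() has created the context (not visible here), SSL_CTX_get0_certificate() would be handed a NULL context, so an `if (!ssl_ctx) return;` guard is cheap insurance unless the ordering is already guaranteed. A short header comment in the style of the `/* Prepares and initializes SSL stuff` block below it, stating that it only logs a warning when the loaded certificate's notAfter is already past and never fails the caller, would document the intent. The same call against X509_get0_notBefore() would also catch a not-yet-valid certificate, which is the other common misconfiguration this warning is meant to surface.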