Warn user of expired cert

src/dccutil.c

@@ -276,6 +276,8 @@ void dcc_chatter(int idx)
   dcc[idx].u.chat->channel = 234567;
   j = dcc[idx].sock;
   strcpy(dcc[idx].u.chat->con_chan, "***");
+  if (is_owner(dcc[idx].user))
+    verify_cert_expiry(idx);
   check_tcl_chon(dcc[idx].nick, dcc[idx].sock);
   /* Still there? */
   if ((idx >= dcc_total) || (dcc[idx].sock != j))

src/main.c

@@ -705,6 +705,7 @@ static void core_secondly()
             movefile(logs[i].filename, s);
           }
       }
+      verify_cert_expiry(0);
     }
   }
 }

src/proto.h

@@ -310,6 +310,7 @@ int readtclprog(char *fname);
 
 /* tls.c */
 #ifdef TLS
+void verify_cert_expiry(int);
 int ssl_handshake(int, int, int, int, char *, IntFunc);
 char *ssl_fpconv(char *in, char *out);
 const char *ssl_getuid(int sock);

src/tls.c

@@ -109,6 +109,17 @@ static int ssl_seed(void)
   return 0;
 }
 
+void verify_cert_expiry(int idx) {
+  X509 *x509;
+  if ((x509 = SSL_CTX_get0_certificate(ssl_ctx)) &&
+      (ASN1_TIME_cmp_time_t(X509_get0_notAfter(x509), time(NULL)) < 0)) {
+    if (idx)
+        dprintf(idx, "WARNING: certificate expired: %s\n", tls_certfile);
+    else
+      putlog(LOG_MISC, "*", "WARNING: certificate expired: %s", tls_certfile);
+  }
+}
+
 /* Prepares and initializes SSL stuff
  *
  * Creates a context object, supporting SSLv2/v3 & TLSv1 protocols;
@@ -157,6 +168,7 @@ int ssl_init()
           tls_certfile, ERR_error_string(ERR_get_error(), NULL));
       fatal("Unable to load TLS certificate (ssl-certificate config setting)!", 0);
     }
+    verify_cert_expiry(0);
     if (SSL_CTX_use_PrivateKey_file(ssl_ctx, tls_keyfile, SSL_FILETYPE_PEM) != 1) {
       putlog(LOG_MISC, "*", "ERROR: TLS: unable to load private key from %s: %s",
           tls_keyfile, ERR_error_string(ERR_get_error(), NULL));