Warn users when their client certificate is about to expire.

Closes #1938.

docs/conf/modules.conf.example

@@ -2318,9 +2318,11 @@
 # If you want to prevent users from viewing TLS (SSL) certificate information
 # and fingerprints of other users, set operonly to yes. You can also set hash
 # to an IANA Hash Function Textual Name to use the SSL fingerprint sent by a
-# WebIRC gateway (requires the cgiirc module).
+# WebIRC gateway (requires the cgiirc module) and warnexpiring to warn users
+# when their client certificate is about to expire.
 #<sslinfo operonly="no"
-#         hash="sha-256">
+#         hash="sha-256"
+#         warnexpiring="1w">
 
 #-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
 # mbedTLS TLS (SSL) module: Adds support for TLS (SSL) connections using mbedTLS.

src/modules/m_sslinfo.cpp

@@ -253,6 +253,7 @@ class ModuleSSLInfo
  private:
 	CommandSSLInfo cmd;
 	std::string hash;
+	unsigned long warnexpiring;
 
 	bool MatchFP(ssl_cert* const cert, const std::string& fp) const
 	{
@@ -273,6 +274,7 @@ class ModuleSSLInfo
 		ConfigTag* tag = ServerInstance->Config->ConfValue("sslinfo");
 		cmd.operonlyfp = tag->getBool("operonly");
 		hash = tag->getString("hash");
+		warnexpiring = tag->getDuration("warnexpiring", 0, 0, 60*60*24*365);
 	}
 
 	Version GetVersion() CXX11_OVERRIDE
@@ -386,6 +388,19 @@ class ModuleSSLInfo
 			if (do_login)
 				user->Oper(ifo);
 		}
+
+		if (!warnexpiring || !cert->GetExpirationTime())
+			return;
+
+		if (ServerInstance->Time() > cert->GetExpirationTime())
+		{
+			user->WriteNotice("*** Your TLS (SSL) client certificate has expired.");
+		}
+		else if (static_cast<time_t>(ServerInstance->Time() + warnexpiring) > cert->GetExpirationTime())
+		{
+			const std::string duration = InspIRCd::DurationString(cert->GetExpirationTime() - ServerInstance->Time());
+			user->WriteNotice("*** Your TLS (SSL) client certificate expires in " + duration + ".");
+		}
 	}
 
 	ModResult OnSetConnectClass(LocalUser* user, ConnectClass* myclass) CXX11_OVERRIDE