ouch/inspircd
2
0
Fork 0
mirror of https://github.com/inspircd/inspircd.git synced 2025-03-09 18:49:03 -04:00
Code Issues Packages Projects Releases Wiki Activity

Warn users when their client certificate is about to expire.

Browse Source 
Closes #1938.
This commit is contained in:
Sadie Powell 2023-03-01 20:07:27 +00:00
parent 5a24fb0f61
commit 4e1d7b84f5
2 changed files with 19 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
docs/conf/modules.conf.example
View File

@ -2318,9 +2318,11 @@
# If you want to prevent users from viewing TLS (SSL) certificate information # If you want to prevent users from viewing TLS (SSL) certificate information
# and fingerprints of other users, set operonly to yes. You can also set hash # and fingerprints of other users, set operonly to yes. You can also set hash
# to an IANA Hash Function Textual Name to use the SSL fingerprint sent by a # to an IANA Hash Function Textual Name to use the SSL fingerprint sent by a
# WebIRC gateway (requires the cgiirc module). # WebIRC gateway (requires the cgiirc module) and warnexpiring to warn users
# when their client certificate is about to expire.
#<sslinfo operonly="no" #<sslinfo operonly="no"
# hash="sha-256"> # hash="sha-256"
# warnexpiring="1w">
#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-# #-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#
# mbedTLS TLS (SSL) module: Adds support for TLS (SSL) connections using mbedTLS. # mbedTLS TLS (SSL) module: Adds support for TLS (SSL) connections using mbedTLS.

15
src/modules/m_sslinfo.cpp
View File

@ -253,6 +253,7 @@ class ModuleSSLInfo
private: private:
CommandSSLInfo cmd; CommandSSLInfo cmd;
std::string hash; std::string hash;
unsigned long warnexpiring;
bool MatchFP(ssl_cert* const cert, const std::string& fp) const bool MatchFP(ssl_cert* const cert, const std::string& fp) const
{ {
@ -273,6 +274,7 @@ class ModuleSSLInfo
ConfigTag* tag = ServerInstance->Config->ConfValue("sslinfo"); ConfigTag* tag = ServerInstance->Config->ConfValue("sslinfo");
cmd.operonlyfp = tag->getBool("operonly"); cmd.operonlyfp = tag->getBool("operonly");
hash = tag->getString("hash"); hash = tag->getString("hash");
warnexpiring = tag->getDuration("warnexpiring", 0, 0, 60*60*24*365);
} }
Version GetVersion() CXX11_OVERRIDE Version GetVersion() CXX11_OVERRIDE
@ -386,6 +388,19 @@ class ModuleSSLInfo
if (do_login) if (do_login)
user->Oper(ifo); user->Oper(ifo);
} }
if (!warnexpiring || !cert->GetExpirationTime())
return;
if (ServerInstance->Time() > cert->GetExpirationTime())
{
user->WriteNotice("*** Your TLS (SSL) client certificate has expired.");
}
else if (static_cast<time_t>(ServerInstance->Time() + warnexpiring) > cert->GetExpirationTime())
{
const std::string duration = InspIRCd::DurationString(cert->GetExpirationTime() - ServerInstance->Time());
user->WriteNotice("*** Your TLS (SSL) client certificate expires in " + duration + ".");
}
} }
ModResult OnSetConnectClass(LocalUser* user, ConnectClass* myclass) CXX11_OVERRIDE ModResult OnSetConnectClass(LocalUser* user, ConnectClass* myclass) CXX11_OVERRIDE