changeset 4036:2b88a8834e4a
Make self-signed certs valid for a year and regenerate them ahead of the expiration date; this makes cert expirations less likely when clients run for very long times
author | eMTee <emtee11@gmail.com> |
date | Thu, 26 Jun 2025 14:45:21 +0200 |
parents | 7bd41259caa3 |
children | f4476e125023 |
files | changelog.txt dcpp/CryptoManager.cpp dcpp/CryptoManager.h |
diffstat | 3 files changed, 11 insertions(+), 6 deletions(-) [+] |
--- a/changelog.txt Thu Jun 26 11:32:48 2025 +0200 +++ b/changelog.txt Thu Jun 26 14:45:21 2025 +0200 @@ -1,3 +1,4 @@ +* [L#1981899] Make self generated certs valid for a year, regenerate them sooner than the expriation time (code adapted from AirDC++) (emtee) * Meaningful TLS error messages (code adapted from AirDC++) (emtee) * [L#2078913] Fix NAT-PNP mapping removal (maksis) * [L#1194085] Avoid flooding with infinite full tree requests (emtee) @@ -7,6 +8,8 @@ * [L#2111115] Fix hash pausing so it always works instantly (emtee) * Update OpenSSL to version 3.2.4 + (#) denotes code adapted from AirDC++ + -- 0.882 2024-11-09 -- * Show share totals information in main window statusbar (iceman50) * [L#1828593] Save segment progress info of running downloads upon OS shutdown (emtee)
--- a/dcpp/CryptoManager.cpp Thu Jun 26 11:32:48 2025 +0200
+++ b/dcpp/CryptoManager.cpp Thu Jun 26 14:45:21 2025 +0200
@@ -164,7 +164,7 @@
 throw CryptoException(_("Error generating certificate"));
 }
- int days = 90;
+ int days = 365;
 int keylength = 2048;
 #define CHECK(n) if(!(n)) { throw CryptoException(#n); }
@@ -249,8 +249,9 @@
 return;
 }
- if(File::getSize(cert) == -1 || File::getSize(key) == -1 || !checkCertificate()) {
- // Try to generate them...
+ // If not found, invalid or expire within 90 days...
+ if(File::getSize(cert) == -1 || File::getSize(key) == -1 || !checkCertificate(90)) {
+ // Try to (re)generate them...
 try {
 generateCertificate();
 LogManager::getInstance()->message(_("Generated new TLS certificate"));
@@ -294,7 +295,7 @@
 certsLoaded = true;
 }
-bool CryptoManager::checkCertificate() noexcept {
+bool CryptoManager::checkCertificate(int minValidityDays) noexcept {
 auto x509 = ssl::getX509(SETTING(TLS_CERTIFICATE_FILE).c_str());
 if(!x509) {
 return false;
@@ -317,7 +318,8 @@
 ASN1_TIME* t = X509_get_notAfter(x509);
 if(t) {
- if(X509_cmp_current_time(t) < 0) {
+ time_t minValid = GET_TIME() + 60 * 60 * 24 * minValidityDays;
+ if (X509_cmp_time(t, &minValid) < 0) {
 return false;
 }
 }
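Review bot: The new comparison in the last hunk, `if (X509_cmp_time(t, &minValid) < 0)`, treats the 0 that X509_cmp_time() returns on error (an unparsable notAfter) as "still valid", so a certificate file with a malformed expiry is accepted and never regenerated; per the OpenSSL documentation the function returns -1 for earlier-or-equal and 1 for later, so `if (X509_cmp_time(t, &minValid) <= 0) {` rejects only that error case in addition. The old X509_cmp_current_time() call had the same gap, but this rewrite is the place to close it, and a regenerated certificate is the cheap outcome here. The second hunk also hard-codes the 90-day regeneration window twice, once in the comment and once in the `checkCertificate(90)` call; a named constant such as `static const int REGENERATE_BEFORE_EXPIRY_DAYS = 90;` would keep the two from drifting apart. The product `60 * 60 * 24 * minValidityDays` is evaluated in int before it is added to the time_t, which is fine for 0 and 90 but would overflow for very large windows, so `static_cast<time_t>(minValidityDays) * 60 * 60 * 24` is the safer spelling. checkCertificate() starts in the third hunk and continues beyond the fourth, so the rest of its validity checks are not visible here.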
--- a/dcpp/CryptoManager.h Thu Jun 26 11:32:48 2025 +0200
+++ b/dcpp/CryptoManager.h Thu Jun 26 14:45:21 2025 +0200
@@ -58,7 +58,7 @@
 void loadCertificates() noexcept;
 void generateCertificate();
- bool checkCertificate() noexcept;
+ bool checkCertificate(int minValidityDays = 0) noexcept;
 const ByteVector& getKeyprint() const noexcept;
 bool TLSOk() const noexcept;
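Review bot: The new `minValidityDays` parameter on `checkCertificate` is undocumented in the header, and its default of 0 is the only hint at its meaning; a caller has to read CryptoManager.cpp to learn that it is the number of days before notAfter within which the certificate is already reported as invalid. I would add a comment above the declaration: `/// Returns false if the certificate cannot be loaded or its notAfter is within minValidityDays of now (0 = reject only certificates that have already expired); other validity checks may also apply.` Stating the unit (days) and the meaning of 0 in the header keeps the 90 passed from loadCertificates() readable without opening the implementation.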