authorNardi Ivan <nardi.ivan@gmail.com>2024-01-10 08:59:32 +0100
committerIvan Nardi <12729895+IvanNardi@users.noreply.github.com>2024-01-18 10:21:24 +0100
commitc669044a44ca2ade2f8fc9beb70747495fee5c21 (patch)
tree5d4997419b5d2104b69f4a64bcce659959284898 /src
parent88720331ae6c68e99816ae3eee5f618fdddac02f (diff)
config: configure TLS certificate expiration with the new API
Diffstat (limited to 'src')
-rw-r--r--src/include/ndpi_api.h11
-rw-r--r--src/include/ndpi_private.h1
-rw-r--r--src/lib/ndpi_main.c2
-rw-r--r--src/lib/ndpi_utils.c8
-rw-r--r--src/lib/protocols/tls.c2
5 files changed, 3 insertions, 21 deletions
diff --git a/src/include/ndpi_api.h b/src/include/ndpi_api.h
index 9a0c240f8..df31e30b1 100644
--- a/src/include/ndpi_api.h
+++ b/src/include/ndpi_api.h
@@ -1085,17 +1085,6 @@ extern "C" {
ndpi_protocol_category_t *category,
ndpi_protocol_breed_t *breed);
- /**
- * Specifies the threshold used to trigger the NDPI_TLS_CERTIFICATE_ABOUT_TO_EXPIRE
- * flow risk that by default is set to 30 days
- *
- * @par ndpi_struct = the struct created for the protocol detection
- * @par days = the number of days threshold for emitting the alert
- *
- */
- void ndpi_set_tls_cert_expire_days(struct ndpi_detection_module_struct *ndpi_str,
- u_int8_t days);
-
void ndpi_handle_risk_exceptions(struct ndpi_detection_module_struct *ndpi_str,
struct ndpi_flow_struct *flow);
diff --git a/src/include/ndpi_private.h b/src/include/ndpi_private.h
index 7fac6d981..8f7208a05 100644
--- a/src/include/ndpi_private.h
+++ b/src/include/ndpi_private.h
@@ -191,6 +191,7 @@ struct ndpi_detection_module_config_struct {
/* Protocols */
+ int tls_certificate_expire_in_x_days;
int tls_app_blocks_tracking_enabled;
int tls_sha1_fingerprint_enabled;
diff --git a/src/lib/ndpi_main.c b/src/lib/ndpi_main.c
index e191a2877..33278c490 100644
--- a/src/lib/ndpi_main.c
+++ b/src/lib/ndpi_main.c
@@ -3120,7 +3120,6 @@ struct ndpi_detection_module_struct *ndpi_init_detection_module(void) {
ndpi_str->user_data = NULL;
ndpi_str->tcp_max_retransmission_window_size = NDPI_DEFAULT_MAX_TCP_RETRANSMISSION_WINDOW_SIZE;
- ndpi_str->tls_certificate_expire_in_x_days = 30; /* NDPI_TLS_CERTIFICATE_ABOUT_TO_EXPIRE flow risk */
ndpi_str->ndpi_num_supported_protocols = NDPI_MAX_SUPPORTED_PROTOCOLS;
ndpi_str->ndpi_num_custom_protocols = 0;
@@ -10777,6 +10776,7 @@ static const struct cfg_param {
} cfg_params[] = {
/* Per-protocol parameters */
+ { "tls", "certificate_expiration_threshold", "30", "0", "365", CFG_PARAM_INT, __OFF(tls_certificate_expire_in_x_days) },
{ "tls", "application_blocks_tracking.enable", "0", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(tls_app_blocks_tracking_enabled) },
{ "tls", "metadata.sha1_fingerprint.enable", "1", NULL, NULL, CFG_PARAM_ENABLE_DISABLE, __OFF(tls_sha1_fingerprint_enabled) },
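Review bot: The new `tls.certificate_expiration_threshold` entry carries none of the documentation that was dropped from ndpi_api.h together with ndpi_set_tls_cert_expire_days (the 30-day default and its link to the NDPI_TLS_CERTIFICATE_ABOUT_TO_EXPIRE flow risk), so a reader of cfg_params[] cannot tell what the number means or what 0 does. A comment above the entry, `/* Days before notAfter at which NDPI_TLS_CERTIFICATE_ABOUT_TO_EXPIRE is raised; replaces ndpi_set_tls_cert_expire_days(); 0 turns the early warning off */`, would keep that contract visible at the new configuration point. Whether 0 really disables the warning depends on the check in tls.c, which compares against notAfter minus this value times 86400 and sits in an else-branch after the expired check, so confirm that before wording it that way. The cfg_params[] array continues outside the hunk.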
diff --git a/src/lib/ndpi_utils.c b/src/lib/ndpi_utils.c
index 3c37f7f5e..03b845c30 100644
--- a/src/lib/ndpi_utils.c
+++ b/src/lib/ndpi_utils.c
@@ -2800,14 +2800,6 @@ u_int8_t ndpi_is_encrypted_proto(struct ndpi_detection_module_struct *ndpi_str,
/* ******************************************* */
-void ndpi_set_tls_cert_expire_days(struct ndpi_detection_module_struct *ndpi_str,
- u_int8_t num_days) {
- if(ndpi_str)
- ndpi_str->tls_certificate_expire_in_x_days = num_days;
-}
-
-/* ******************************************* */
-
u_int32_t ndpi_get_flow_error_code(struct ndpi_flow_struct *flow) {
switch(flow->detected_protocol_stack[0] /* app_protocol */) {
case NDPI_PROTOCOL_DNS:
diff --git a/src/lib/protocols/tls.c b/src/lib/protocols/tls.c
index 11ef6dd4a..87643abe8 100644
--- a/src/lib/protocols/tls.c
+++ b/src/lib/protocols/tls.c
@@ -545,7 +545,7 @@ void processCertificateElements(struct ndpi_detection_module_struct *ndpi_struct
snprintf(str, sizeof(str), "%s - %s", b, e);
ndpi_set_risk(ndpi_struct, flow, NDPI_TLS_CERTIFICATE_EXPIRED, str); /* Certificate expired */
} else if((time_sec > flow->protos.tls_quic.notBefore)
- && (time_sec > (flow->protos.tls_quic.notAfter - (ndpi_struct->tls_certificate_expire_in_x_days * 86400)))) {
+ && (time_sec > (flow->protos.tls_quic.notAfter - (ndpi_struct->cfg.tls_certificate_expire_in_x_days * 86400)))) {
char str[96], b[32], e[32];
struct tm result;
time_t theTime;
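Review bot: The subtraction `flow->protos.tls_quic.notAfter - (ndpi_struct->cfg.tls_certificate_expire_in_x_days * 86400)` on the new line has no guard for notAfter being smaller than the offset; if notAfter is an unsigned type (its declaration is outside the hunk) a certificate whose notAfter lies within threshold days of the epoch makes the expression wrap to a large value and the about-to-expire risk is silently skipped for that malformed certificate, while a signed notAfter would merely go negative. Rewriting the condition as `&& (time_sec + (ndpi_struct->cfg.tls_certificate_expire_in_x_days * 86400) > flow->protos.tls_quic.notAfter)` keeps the arithmetic on the wider operand, assuming time_sec is a time_t as the surrounding code suggests. The 0..365 bound in cfg_params[] keeps the product within int, but that is a cross-file dependency worth stating at the use site, e.g. `/* cfg bounds the threshold to 0..365 days, so days * 86400 fits an int */`. processCertificateElements starts outside the hunk.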