[ovs-dev] [PATCH] stream-ssl: Read existing CA certificate more eagerly during bootstrap.

Justin Pettit jpettit at nicira.com
Fri Apr 9 23:35:42 UTC 2010


Looks good.  Thanks for the quick fix!

--Justin


On Apr 9, 2010, at 4:01 PM, Ben Pfaff wrote:

> When do_ca_cert_bootstrap() attempts to bootstrap a CA certificate from a
> remote host, it gives up if the CA certificate file already exists.  It
> knows that this file did not exist some time earlier (because it checked),
> so it logs a warning and just returns.  The next time that
> stream_ssl_set_ca_cert_file() gets called, it will read the new CA
> certificate file and all will be well.
> 
> That works OK in ovsdb-server, which calls stream_ssl_set_ca_cert_file()
> every time through its main loop.  It does not work well for ovs-vswitchd,
> which only calls that function when it needs to reconfigure.  But it
> should work fine to call it directly from do_ca_cert_bootstrap(), so this
> commit changes it to do that.
> 
> Bug #2635.
> ---
> lib/stream-ssl.c |    5 ++---
> 1 files changed, 2 insertions(+), 3 deletions(-)
> 
> diff --git a/lib/stream-ssl.c b/lib/stream-ssl.c
> index 215934d..830b482 100644
> --- a/lib/stream-ssl.c
> +++ b/lib/stream-ssl.c
> @@ -334,10 +334,9 @@ do_ca_cert_bootstrap(struct stream *stream)
>     fd = open(ca_cert.file_name, O_CREAT | O_EXCL | O_WRONLY, 0444);
>     if (fd < 0) {
>         if (errno == EEXIST) {
> -            VLOG_INFO("CA cert %s created by another process",
> +            VLOG_INFO("reading CA cert %s created by another process",
>                       ca_cert.file_name);
> -            /* We'll read it the next time around the main loop because
> -             * update_ssl_config() will see that it now exists. */
> +            stream_ssl_set_ca_cert_file(ca_cert.file_name, true);
>             return EPROTO;
>         } else {
>             VLOG_ERR("could not bootstrap CA cert: creating %s failed: %s",
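Review bot: the EEXIST branch reads the file immediately, but an O_CREAT | O_EXCL failure only proves that another process created the file, not that it has finished writing the certificate into it, so the new stream_ssl_set_ca_cert_file(ca_cert.file_name, true) call can observe an empty or partially written file, and this branch still returns EPROTO unconditionally, giving the caller no way to tell whether the read actually succeeded. Consider having this branch report the read outcome distinctly (a separate VLOG_WARN for the failure case) rather than announcing "reading CA cert %s created by another process" before the read has happened. Also, the removed comment was the only explanation of the timing here; a one-line comment carrying the commit message's rationale (ovs-vswitchd only calls stream_ssl_set_ca_cert_file() on reconfigure, so the read cannot be deferred to the next main-loop pass) would keep the reasoning next to the code.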
> -- 
> 1.6.6.1