[ovs-dev] [PATCH] stream-ssl: Read existing CA certificate more eagerly during bootstrap.
Ben Pfaff
blp at nicira.com
Mon Apr 12 17:52:52 UTC 2010
Thanks, I pushed this out.
On Fri, Apr 09, 2010 at 04:35:42PM -0700, Justin Pettit wrote:
> Looks good. Thanks for the quick fix!
>
> --Justin
>
>
> On Apr 9, 2010, at 4:01 PM, Ben Pfaff wrote:
>
> > When do_ca_cert_bootstrap() attempts to bootstrap a CA certificate from a
> > remote host, it gives up if the CA certificate file already exists. It
> > knows that this file did not exist some time earlier (because it checked),
> > so it logs a warning and just returns. The next time that
> > stream_ssl_set_ca_cert_file() gets called, it will read the new CA
> > certificate file and all will be well.
> >
> > That works OK in ovsdb-server, which calls stream_ssl_set_ca_cert_file()
> > every time through its main loop. It does not work well for ovs-vswitchd,
> > which only calls that function when it needs to reconfigure. But it
> > should work fine to call it directly from do_ca_cert_bootstrap(), so this
> > commit changes it to do that.
> >
> > Bug #2635.
> > ---
> > lib/stream-ssl.c | 5 ++---
> > 1 files changed, 2 insertions(+), 3 deletions(-)
> >
> > diff --git a/lib/stream-ssl.c b/lib/stream-ssl.c
> > index 215934d..830b482 100644
> > --- a/lib/stream-ssl.c
> > +++ b/lib/stream-ssl.c
> > @@ -334,10 +334,9 @@ do_ca_cert_bootstrap(struct stream *stream)
> > fd = open(ca_cert.file_name, O_CREAT | O_EXCL | O_WRONLY, 0444);
> > if (fd < 0) {
> > if (errno == EEXIST) {
> > - VLOG_INFO("CA cert %s created by another process",
> > + VLOG_INFO("reading CA cert %s created by another process",
> > ca_cert.file_name);
> > - /* We'll read it the next time around the main loop because
> > - * update_ssl_config() will see that it now exists. */
> > + stream_ssl_set_ca_cert_file(ca_cert.file_name, true);
> > return EPROTO;
> > } else {
> > VLOG_ERR("could not bootstrap CA cert: creating %s failed: %s",
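Review bot: the removed comment explained why the read was deferred, but nothing in the EEXIST branch now says what the immediate stream_ssl_set_ca_cert_file() call is expected to do or why the function still returns EPROTO afterwards; a replacement comment such as `/* Another process created the file; read it now and still return EPROTO so the caller retries. */` would keep the intent readable. It is also worth noting in that comment that the other process opened the file with O_CREAT | O_EXCL and may not have finished writing it when this read happens, so the EPROTO return (and the retry it triggers) is what covers a partially written file. Finally, the bare `true` argument to stream_ssl_set_ca_cert_file() is unexplained in the hunk; a short comment naming what that flag enables would help the next reader.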
> > --
> > 1.6.6.1