[ovs-dev] [PATCH 2/2] vswitchd: Refresh SSL keys and certificates more frequently.

Justin Pettit jpettit at nicira.com
Thu Aug 5 19:47:07 UTC 2010


Looks good.

--Justin


On Aug 5, 2010, at 10:00 AM, Ben Pfaff wrote:

> Until now, the ovs-vswitchd main loop has refreshed keys and certificates
> from their files only when the database changes.  This works fine if new
> keys and certificates are installed with new file names, because the update
> to the database to point to the new files will cause them to be read.  But
> if the new keys and certificates are copied over the existing files, then
> the delay until they are read is indefinite.
> 
> This commit fixes the problem by changing the SSL configuration so that it
> is rechecked on every trip through the ovs-vswitchd main loop.
> 
> Bug #2921.
> ---
> vswitchd/bridge.c |   37 ++++++++++++++++++-------------------
> 1 files changed, 18 insertions(+), 19 deletions(-)
> 
> diff --git a/vswitchd/bridge.c b/vswitchd/bridge.c
> index 0397e0a..7174f2c 100644
> --- a/vswitchd/bridge.c
> +++ b/vswitchd/bridge.c
> @@ -344,18 +344,6 @@ bridge_configure_once(const struct ovsrec_open_vswitch *cfg)
>     svec_destroy(&dpif_types);
> }
> 
> -#ifdef HAVE_OPENSSL
> -static void
> -bridge_configure_ssl(const struct ovsrec_ssl *ssl)
> -{
> -    /* XXX SSL should be configurable on a per-bridge basis. */
> -    if (ssl) {
> -        stream_ssl_set_key_and_cert(ssl->private_key, ssl->certificate);
> -        stream_ssl_set_ca_cert_file(ssl->ca_cert, ssl->bootstrap_ca_cert);
> -    }
> -}
> -#endif
> -
> /* Attempt to create the network device 'iface_name' through the netdev
>  * library. */
> static int
> @@ -595,11 +583,6 @@ bridge_reconfigure(const struct ovsrec_open_vswitch *ovs_cfg)
>     shash_destroy(&old_br);
>     shash_destroy(&new_br);
> 
> -#ifdef HAVE_OPENSSL
> -    /* Configure SSL. */
> -    bridge_configure_ssl(ovs_cfg->ssl);
> -#endif
> -
>     /* Reconfigure all bridges. */
>     LIST_FOR_EACH (br, struct bridge, node, &all_bridges) {
>         bridge_reconfigure_one(br);
> @@ -1105,7 +1088,10 @@ iface_refresh_stats(struct iface *iface)
> void
> bridge_run(void)
> {
> +    const struct ovsrec_open_vswitch *cfg;
> +
>     bool datapath_destroyed;
> +    bool database_changed;
>     struct bridge *br;
> 
>     /* Let each bridge do the work that it needs to do. */
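Review bot: The blank line between `const struct ovsrec_open_vswitch *cfg;` and the two `bool` declarations splits one declaration group in two for no reason; I would drop it so the three locals read as one block, `const struct ovsrec_open_vswitch *cfg;` directly followed by `bool datapath_destroyed;` and `bool database_changed;`. bridge_run()'s body continues outside the hunk.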
> @@ -1121,8 +1107,9 @@ bridge_run(void)
>     }
> 
>     /* (Re)configure if necessary. */
> -    if (ovsdb_idl_run(idl) || datapath_destroyed) {
> -        const struct ovsrec_open_vswitch *cfg = ovsrec_open_vswitch_first(idl);
> +    database_changed = ovsdb_idl_run(idl);
> +    cfg = ovsrec_open_vswitch_first(idl);
> +    if (database_changed || datapath_destroyed) {
>         if (cfg) {
>             struct ovsdb_idl_txn *txn = ovsdb_idl_txn_create(idl);
> 
> @@ -1141,6 +1128,18 @@ bridge_run(void)
>         }
>     }
> 
> +#ifdef HAVE_OPENSSL
> +    /* Re-configure SSL.  We do this on every trip through the main loop,
> +     * instead of just when the database changes, because the contents of the
> +     * key and certificate files can change without the database changing. */
> +    if (cfg && cfg->ssl) {
> +        const struct ovsrec_ssl *ssl = cfg->ssl;
> +
> +        stream_ssl_set_key_and_cert(ssl->private_key, ssl->certificate);
> +        stream_ssl_set_ca_cert_file(ssl->ca_cert, ssl->bootstrap_ca_cert);
> +    }
> +#endif
> +
>     /* Refresh interface stats if necessary. */
>     if (time_msec() >= iface_stats_timer) {
>         struct ovsdb_idl_txn *txn;
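Review bot: The comment above the new `if (cfg && cfg->ssl)` block explains why SSL is reconfigured on every trip but not what that costs: stream_ssl_set_key_and_cert() and stream_ssl_set_ca_cert_file() are now called on every main-loop iteration, and the hunk does not show whether those setters skip files that have not changed or re-read and re-parse the PEM files each time. If they re-read unconditionally, this is a per-iteration disk read and, for bootstrap_ca_cert, possibly a repeated bootstrap attempt, so the comment should state the assumption, e.g. `/* The stream_ssl_* setters are expected to re-read a file only when it has changed, which keeps this cheap. */`. Separately, if cfg->ssl becomes NULL after having been set, the previously loaded key, certificate and CA remain in effect because nothing in this block clears them; the removed bridge_configure_ssl() had the same gap, so this is not a regression, but a short comment noting it would help the next reader. bridge_run() continues past the hunk.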
> -- 
> 1.7.1
> 
> 




