[ovs-dev] [PATCH 2/2] vswitchd: Refresh SSL keys and certificates more frequently.

Ben Pfaff blp at nicira.com
Thu Aug 5 20:11:28 UTC 2010


Thank you.

I pushed these two out.

On Thu, Aug 05, 2010 at 12:47:07PM -0700, Justin Pettit wrote:
> Looks good.
> 
> --Justin
> 
> 
> On Aug 5, 2010, at 10:00 AM, Ben Pfaff wrote:
> 
> > Until now, the ovs-vswitchd main loop has refreshed keys and certificates
> > from their files only when the database changes.  This works fine if new
> > keys and certificates are installed with new file names, because the update
> > to the database to point to the new files will cause them to be read.  But
> > if the new keys and certificates are copied over the existing files, then
> > the delay until they are read is indefinite.
> > 
> > This commit fixes the problem by changing the SSL configuration so that it
> > is rechecked on every trip through the ovs-vswitchd main loop.
> > 
> > Bug #2921.
> > ---
> > vswitchd/bridge.c |   37 ++++++++++++++++++-------------------
> > 1 files changed, 18 insertions(+), 19 deletions(-)
> > 
> > diff --git a/vswitchd/bridge.c b/vswitchd/bridge.c
> > index 0397e0a..7174f2c 100644
> > --- a/vswitchd/bridge.c
> > +++ b/vswitchd/bridge.c
> > @@ -344,18 +344,6 @@ bridge_configure_once(const struct ovsrec_open_vswitch *cfg)
> >     svec_destroy(&dpif_types);
> > }
> > 
> > -#ifdef HAVE_OPENSSL
> > -static void
> > -bridge_configure_ssl(const struct ovsrec_ssl *ssl)
> > -{
> > -    /* XXX SSL should be configurable on a per-bridge basis. */
> > -    if (ssl) {
> > -        stream_ssl_set_key_and_cert(ssl->private_key, ssl->certificate);
> > -        stream_ssl_set_ca_cert_file(ssl->ca_cert, ssl->bootstrap_ca_cert);
> > -    }
> > -}
> > -#endif
> > -
> > /* Attempt to create the network device 'iface_name' through the netdev
> >  * library. */
> > static int
> > @@ -595,11 +583,6 @@ bridge_reconfigure(const struct ovsrec_open_vswitch *ovs_cfg)
> >     shash_destroy(&old_br);
> >     shash_destroy(&new_br);
> > 
> > -#ifdef HAVE_OPENSSL
> > -    /* Configure SSL. */
> > -    bridge_configure_ssl(ovs_cfg->ssl);
> > -#endif
> > -
> >     /* Reconfigure all bridges. */
> >     LIST_FOR_EACH (br, struct bridge, node, &all_bridges) {
> >         bridge_reconfigure_one(br);
> > @@ -1105,7 +1088,10 @@ iface_refresh_stats(struct iface *iface)
> > void
> > bridge_run(void)
> > {
> > +    const struct ovsrec_open_vswitch *cfg;
> > +
> >     bool datapath_destroyed;
> > +    bool database_changed;
> >     struct bridge *br;
> > 
> >     /* Let each bridge do the work that it needs to do. */
> > @@ -1121,8 +1107,9 @@ bridge_run(void)
> >     }
> > 
> >     /* (Re)configure if necessary. */
> > -    if (ovsdb_idl_run(idl) || datapath_destroyed) {
> > -        const struct ovsrec_open_vswitch *cfg = ovsrec_open_vswitch_first(idl);
> > +    database_changed = ovsdb_idl_run(idl);
> > +    cfg = ovsrec_open_vswitch_first(idl);
> > +    if (database_changed || datapath_destroyed) {
> >         if (cfg) {
> >             struct ovsdb_idl_txn *txn = ovsdb_idl_txn_create(idl);
> > 
> > @@ -1141,6 +1128,18 @@ bridge_run(void)
> >         }
> >     }
> > 
> > +#ifdef HAVE_OPENSSL
> > +    /* Re-configure SSL.  We do this on every trip through the main loop,
> > +     * instead of just when the database changes, because the contents of the
> > +     * key and certificate files can change without the database changing. */
> > +    if (cfg && cfg->ssl) {
> > +        const struct ovsrec_ssl *ssl = cfg->ssl;
> > +
> > +        stream_ssl_set_key_and_cert(ssl->private_key, ssl->certificate);
> > +        stream_ssl_set_ca_cert_file(ssl->ca_cert, ssl->bootstrap_ca_cert);
> > +    }
> > +#endif
> > +
> >     /* Refresh interface stats if necessary. */
> >     if (time_msec() >= iface_stats_timer) {
> >         struct ovsdb_idl_txn *txn;
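Review bot: The new `if (cfg && cfg->ssl)` block reloads the key and certificate on every trip through the main loop, so it can also pick up a half-installed pair: with the copy-over-existing-files workflow the description targets, a loop iteration that falls between copying the private key and copying the certificate loads a new key against the old certificate, and a copy still in progress can be read truncated. Unless stream_ssl_set_key_and_cert() already checks that the key matches the certificate (SSL_CTX_check_private_key()) and keeps the previously loaded pair when either file fails to parse, it should; that function is not visible here, so this needs confirming against lib/stream-ssl.c. If the helper does not compare file mtimes before reading, this is also a stat-and-parse of both files per iteration, which the comment should say one way or the other. I would extend the comment with `* The loader is expected to reload only when the files' mtimes change and to keep the old pair if the new one fails to parse or mismatches; install new files atomically (write to a temp name, then rename) so a half-copied pair is never seen.` once the first half is confirmed. bridge_run() continues outside the hunk.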
> > -- 
> > 1.7.1
> > 
> > 
> 



