[ovs-dev] [PATCH 01/15] stream-ssl: Only re-read certificates and keys if they change.
Ben Pfaff
blp at nicira.com
Wed Mar 24 20:18:04 UTC 2010
Commit 415f6c0b1 "stream-ssl: Make no-op reconfiguration cheap" caused
ovsdb-server to re-read its certificates and keys every 60 seconds just
in case they changed. However, doing this causes OpenSSL to drop its
connections. This commit solves the problem by making stream-ssl re-read
certificates and keys only if the files changed.
Bug #2535.
Reported-by: Ram Jothikumar <rjothikumar at nicira.com>
---
configure.ac | 2 ++
lib/stream-ssl.c | 48 ++++++++++++++++++++++++++++++++++++++----------
2 files changed, 40 insertions(+), 10 deletions(-)
diff --git a/configure.ac b/configure.ac
index 1fc6a47..6d49484 100644
--- a/configure.ac
+++ b/configure.ac
@@ -51,6 +51,8 @@ OVS_CHECK_PCRE
OVS_CHECK_PYTHON
OVS_CHECK_IF_PACKET
OVS_CHECK_STRTOK_R
+AC_CHECK_MEMBERS([struct stat.st_mtim.tv_nsec, struct stat.st_mtimensec],
+ [], [], [[#include <sys/stat.h>]])
OVS_CHECK_PKIDIR
OVS_CHECK_RUNDIR
diff --git a/lib/stream-ssl.c b/lib/stream-ssl.c
index 7858290..215934d 100644
--- a/lib/stream-ssl.c
+++ b/lib/stream-ssl.c
@@ -133,8 +133,7 @@ static SSL_CTX *ctx;
struct ssl_config_file {
bool read; /* Whether the file was successfully read. */
char *file_name; /* Configured file name, if any. */
- long long int next_retry; /* If 'file_name' but not 'read', next time to
- * retry reading. */
+ struct timespec mtime; /* File mtime as of last time we read it. */
};
/* SSL configuration files. */
@@ -335,9 +334,10 @@ do_ca_cert_bootstrap(struct stream *stream)
fd = open(ca_cert.file_name, O_CREAT | O_EXCL | O_WRONLY, 0444);
if (fd < 0) {
if (errno == EEXIST) {
- VLOG_INFO("reading CA cert %s created by another process",
+ VLOG_INFO("CA cert %s created by another process",
ca_cert.file_name);
- stream_ssl_set_ca_cert_file__(ca_cert.file_name, true);
+ /* We'll read it the next time around the main loop because
+ * update_ssl_config() will see that it now exists. */
return EPROTO;
} else {
VLOG_ERR("could not bootstrap CA cert: creating %s failed: %s",
@@ -910,18 +910,46 @@ stream_ssl_is_configured(void)
return private_key.file_name || certificate.file_name || ca_cert.file_name;
}
+static void
+get_mtime(const char *file_name, struct timespec *mtime)
+{
+ struct stat s;
+
+ if (!stat(file_name, &s)) {
+ mtime->tv_sec = s.st_mtime;
+
+#if HAVE_STRUCT_STAT_ST_MTIM_TV_NSEC
+ mtime->tv_nsec = s.st_mtim.tv_nsec;
+#elif HAVE_STRUCT_STAT_ST_MTIMENSEC
+ mtime->tv_nsec = s.st_mtimensec;
+#else
+ mtime->tv_nsec = 0;
+#endif
+ } else {
+ mtime->tv_sec = mtime->tv_nsec = 0;
+ }
+}
+
static bool
update_ssl_config(struct ssl_config_file *config, const char *file_name)
{
- if (ssl_init()
- || !file_name
- || (config->file_name
- && !strcmp(config->file_name, file_name)
- && time_msec() < config->next_retry)) {
+ struct timespec mtime;
+
+ if (ssl_init() || !file_name) {
+ return false;
+ }
+
+ /* If the file name hasn't changed and neither has the file contents, stop
+ * here. */
+ get_mtime(file_name, &mtime);
+ if (config->file_name
+ && !strcmp(config->file_name, file_name)
+ && mtime.tv_sec == config->mtime.tv_sec
+ && mtime.tv_nsec == config->mtime.tv_nsec) {
return false;
}
- config->next_retry = time_msec() + 60 * 1000;
+ config->mtime = mtime;
free(config->file_name);
config->file_name = xstrdup(file_name);
return true;
--
1.6.6.1
More information about the dev
mailing list