[ovs-dev] [PATCH 2/3] ovsdb-server: Add the ability to push peer-cert.

Ben Pfaff blp at nicira.com
Sat Aug 22 16:40:44 UTC 2015

On Fri, Aug 21, 2015 at 03:43:18PM -0700, Gurucharan Shetty wrote:
> On Fri, Aug 21, 2015 at 2:43 PM, Ben Pfaff <blp at nicira.com> wrote:
> > On Thu, Aug 20, 2015 at 10:03:39AM -0700, Gurucharan Shetty wrote:
> I took all your suggestions and pushed the series. I have one question
> for you though.
> In lib/stream-ssl.c there is this piece of code:
> /* Check that 'cert' is self-signed.  Otherwise it is not a CA
>      * certificate and we should not attempt to use it as one. */
>     error = X509_check_issued(cert, cert);
>     if (error) {
>         VLOG_ERR("could not bootstrap CA cert: obtained certificate is "
>                  "not self-signed (%s)",
>                  X509_verify_cert_error_string(error));
>         if (sk_X509_num(chain) < 2) {
>             VLOG_ERR("only one certificate was received, so probably the peer "
>                      "is not configured to send its CA certificate");
>         }
>         return EPROTO;
>     }
> Now, what the above does is that it will only let boot-strap happen if
> the controller certificate is self-signed (which is what the unit test
> in this commit does). The bootstrap fails if the controller
> certificate is signed by a CA. The check looks to be explicit and was
> present many years ago, so there must have been a reason for that. Do
> you remember why? The man pages do not mandate this requirement and
> makes you believe that CA certificates are OK.

I'm pretty sure that a certificate is a CA certificate if and only if it
is self-signed.

More information about the dev mailing list