[ovs-dev] [PATCH 2/3] ovsdb-server: Add the ability to push peer-cert.
Ben Pfaff
blp at nicira.com
Sat Aug 22 16:40:44 UTC 2015
On Fri, Aug 21, 2015 at 03:43:18PM -0700, Gurucharan Shetty wrote:
> On Fri, Aug 21, 2015 at 2:43 PM, Ben Pfaff <blp at nicira.com> wrote:
> > On Thu, Aug 20, 2015 at 10:03:39AM -0700, Gurucharan Shetty wrote:
> I took all your suggestions and pushed the series. I have one question
> for you though.
> In lib/stream-ssl.c there is this piece of code:
>
> /* Check that 'cert' is self-signed. Otherwise it is not a CA
>  * certificate and we should not attempt to use it as one. */
> error = X509_check_issued(cert, cert);
> if (error) {
>     VLOG_ERR("could not bootstrap CA cert: obtained certificate is "
>              "not self-signed (%s)",
>              X509_verify_cert_error_string(error));
>     if (sk_X509_num(chain) < 2) {
>         VLOG_ERR("only one certificate was received, so probably the peer "
>                  "is not configured to send its CA certificate");
>     }
>     return EPROTO;
> }
>
> Now, what the above does is that it will only let bootstrap happen if
> the controller certificate is self-signed (which is what the unit test
> in this commit does). The bootstrap fails if the controller
> certificate is signed by a CA. The check looks to be explicit and was
> present many years ago, so there must have been a reason for that. Do
> you remember why? The man pages do not mandate this requirement and
> make you believe that CA certificates are OK.
I'm pretty sure that a certificate is a CA certificate if and only if it
is self-signed.
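To make the behaviour discussed above concrete, here is an added example (not OVS code, and not part of this thread) that re-implements the bootstrap decision from the quoted stream-ssl.c snippet in Go using the standard crypto/x509 package instead of OpenSSL. It generates a self-signed test CA and a controller certificate signed by that CA, then runs the same accept/reject logic over three presented chains: the CA alone, the controller certificate alone, and the controller certificate followed by its CA. The helper names (isSelfSigned, bootstrapCACheck, makeCert) and the assumption that the candidate CA certificate is the last one the peer presents are mine; `isSelfSigned` approximates the self-issuance test (issuer equals subject and the signature verifies under the certificate's own key) rather than calling OpenSSL's X509_check_issued, and the certificates are constructed in-process, so nothing here touches real keys or a real peer.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// isSelfSigned approximates the X509_check_issued(cert, cert) test from the
// quoted stream-ssl.c snippet: the certificate must name itself as issuer and
// its signature must verify under its own public key.
func isSelfSigned(cert *x509.Certificate) bool {
	if !bytes.Equal(cert.RawIssuer, cert.RawSubject) {
		return false
	}
	return cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature) == nil
}

// bootstrapCACheck follows the control flow of the quoted snippet. The
// candidate CA certificate is assumed (my assumption) to be the last one the
// peer presented. It is accepted only if self-signed; otherwise an error is
// returned, carrying the "only one certificate was received" hint when the
// presented chain has length 1.
func bootstrapCACheck(chain ...*x509.Certificate) error {
	if len(chain) == 0 {
		return errors.New("could not bootstrap CA cert: empty chain")
	}
	cert := chain[len(chain)-1]
	if isSelfSigned(cert) {
		return nil
	}
	msg := "could not bootstrap CA cert: obtained certificate is not self-signed"
	if len(chain) < 2 {
		msg += "; only one certificate was received, so probably the peer " +
			"is not configured to send its CA certificate"
	}
	return errors.New(msg)
}

// makeCert builds a throwaway test certificate (constructed here, not OVS test
// data). With parent == nil the certificate signs itself; otherwise it is
// signed by parent using parentKey.
func makeCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

func main() {
	root, rootKey, err := makeCert("test CA", true, nil, nil)
	if err != nil {
		panic(err)
	}
	controller, _, err := makeCert("controller", false, root, rootKey)
	if err != nil {
		panic(err)
	}
	// Report, for each presented chain, whether the candidate CA cert is
	// self-signed, whether it carries the basicConstraints CA flag, and the
	// bootstrap verdict.
	for name, chain := range map[string][]*x509.Certificate{
		"self-signed CA alone":            {root},
		"CA-signed controller cert alone": {controller},
		"controller cert plus its CA":     {controller, root},
	} {
		last := chain[len(chain)-1]
		fmt.Printf("%-32s self-signed=%-5v CA flag=%-5v bootstrap: %v\n",
			name, isSelfSigned(last), last.IsCA, bootstrapCACheck(chain...))
	}
}
```

Running it shows the situation described in the thread: a controller certificate issued by a CA is rejected when presented on its own, with the "only one certificate" hint, and bootstrap succeeds once the peer also sends the self-signed CA certificate that issued it.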