[ovs-dev] [PATCH] bugfix of ovsdb-client connecting error when updating ca_crt.pem file many times

Liuyongqiang (A) liu.liuyongqiang at huawei.com
Tue Oct 13 12:41:14 UTC 2015


>From 786c6d16ab18197a750f832e4eed1ccfa1183d04 Mon Sep 17 00:00:00 2001
From: YongQiangLiu <liu.liuyongqiang at huawei.com>
Date: Tue, 13 Oct 2015 19:37:32 +0800
Subject: [PATCH] bugfix of ovsdb-client connecting error when updating
 ca_crt.pem file many times

This patch fixes a bug in which ovsdb-client failed to connect once the user had updated the CA certificate file many times (around 649 updates in testing).

Signed-off-by: YongQiangLiu <liu.liuyongqiang at huawei.com>
---
 lib/stream-ssl.c | 21 +++++----------------
 1 file changed, 5 insertions(+), 16 deletions(-)

diff --git a/lib/stream-ssl.c b/lib/stream-ssl.c
index 564c94c..a8de4c1 100644
--- a/lib/stream-ssl.c
+++ b/lib/stream-ssl.c
@@ -1245,6 +1245,7 @@ stream_ssl_set_ca_cert_file__(const char *file_name,
     X509 **certs;
     size_t n_certs;
     struct stat s;
+    STACK_OF(X509_NAME) *cert_names = NULL;
 
     if (!update_ssl_config(&ca_cert, file_name) && !force) {
         return;
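Review bot: The `certs` and `n_certs` declarations immediately above the added `cert_names` line appear to lose their only uses, because the `read_cert_file` loop that consumed them is removed in the next hunk and nothing else visible in the patch references them. If no line outside the shown hunks still uses them, they should be deleted alongside this addition, since an unused-variable warning is fatal in a `-Werror` build; the new declaration would then read `STACK_OF(X509_NAME) *cert_names = NULL;` on its own next to `struct stat s;`. The function's opening (its return type and parameter list) lies above this hunk, so I cannot confirm there is no other use from here.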
@@ -1256,23 +1257,9 @@ stream_ssl_set_ca_cert_file__(const char *file_name,
                   "(this is a security risk)");
     } else if (bootstrap && stat(file_name, &s) && errno == ENOENT) {
         bootstrap_ca_cert = true;
-    } else if (!read_cert_file(file_name, &certs, &n_certs)) {
-        size_t i;
-
-        /* Set up list of CAs that the server will accept from the client. */
-        for (i = 0; i < n_certs; i++) {
-            /* SSL_CTX_add_client_CA makes a copy of the relevant data. */
-            if (SSL_CTX_add_client_CA(ctx, certs[i]) != 1) {
-                VLOG_ERR("failed to add client certificate %"PRIuSIZE" from %s: %s",
-                         i, file_name,
-                         ERR_error_string(ERR_get_error(), NULL));
-            } else {
-                log_ca_cert(file_name, certs[i]);
-            }
-            X509_free(certs[i]);
-        }
-        free(certs);
+    } else if ((cert_names = SSL_load_client_CA_file(file_name) ) != NULL) {
 
+        SSL_CTX_set_client_CA_list(ctx, cert_names);
         /* Set up CAs for OpenSSL to trust in verifying the peer's
          * certificate. */
         SSL_CTX_set_cert_store(ctx, X509_STORE_new());
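Review bot: The new branch drops the per-certificate `log_ca_cert(file_name, certs[i])` call, so after this change the log no longer records which CA subjects the server will accept from clients on each reload; for a file that is rewritten in place, that log line was the only audit trail of what trust was installed, which matters for a setting the file itself flags as security-sensitive. Consider logging `sk_X509_NAME_num(cert_names)` and each subject (via `X509_NAME_oneline(sk_X509_NAME_value(cert_names, i), buf, sizeof buf)` into a stack buffer) before the `SSL_CTX_set_client_CA_list(ctx, cert_names);` call, which takes ownership of the stack and frees the previously installed list — that replacement, rather than the old `SSL_CTX_add_client_CA` accumulation, is what stops the list growing on every reload. A separate caveat: `SSL_load_client_CA_file` reads the file independently of the trust-store setup that begins at `SSL_CTX_set_cert_store` and continues past the end of this hunk, so if that later load fails the client-CA list and the verify store can end up reflecting different file contents; the error path there is outside this hunk, so I cannot tell whether it resets the list.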
@@ -1283,6 +1270,8 @@ stream_ssl_set_ca_cert_file__(const char *file_name,
         }
 
         bootstrap_ca_cert = false;
+    }else if (cert_names == NULL) {
+        VLOG_ERR("failed to load client certificates  from %s: %s", file_name, ERR_error_string(ERR_get_error(), NULL));
     }
     ca_cert.read = true;
 }
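Review bot: The `} else if (cert_names == NULL) {` condition is redundant: the only way past the preceding `else if ((cert_names = SSL_load_client_CA_file(file_name)) != NULL)` is with a NULL `cert_names`, so a plain `} else {` (with the space the current `}else` is missing) says the same without inviting a reader to look for a third outcome. The message also describes the file as "client certificates" when it is the CA certificate file, and contains a doubled space; I would write `} else {`, `VLOG_ERR("failed to load CA certificates from %s: %s", file_name,` and `ERR_error_string(ERR_get_error(), NULL));` split to the file's line width. Note that on this failure path `ca_cert.read = true` is still set and whatever client-CA list was installed by a previous successful load stays in effect, which is consistent with the prior behaviour but worth stating in a comment so the error is not mistaken for a fail-closed condition.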
-- 
1.9.4.msysgit.1



