[ovs-dev] [PATCH 2/2] stream-ssl: Get peer-ca-cert functionality to work.

Gurucharan Shetty shettyg at nicira.com
Fri Sep 11 16:00:33 UTC 2015


On Tue, Sep 8, 2015 at 3:36 PM, Ben Pfaff <blp at nicira.com> wrote:
> On Wed, Sep 02, 2015 at 01:02:39PM -0700, Gurucharan Shetty wrote:
>> When --certificate option is provided, we currently use
>> SSL_CTX_use_certificate_chain_file() function to add
>> that certificate. If our single certificate file had multiple
>> certificates (as a chain), all of them would get added and sent
>> to the remote peer. But once you call
>> SSL_CTX_use_certificate_chain_file(), any future calls to
>> SSL_CTX_add_extra_chain_cert() (called when --peer-ca-cert option
>> is used) had no effect.
>>
>> Since our man pages and INSTALL.SSL.md say that --certificate
>> is used to specify one certificate and additional certificates
>> are sent via --peer-ca-cert, this commit changes
>> SSL_CTX_use_certificate_chain_file() use to
>> SSL_CTX_use_certificate_file(). With this, additional certificates
>> can now be added via --peer-ca-cert option.
>>
>> The test case added with this commit would fail without the
>> above changes.
>>
>> Signed-off-by: Gurucharan Shetty <gshetty at nicira.com>
>
> The use of "command pwd" is puzzling here, does it have something to do
> with Windows?  But I thought we'd fixed the problem that ovs-pki had
> with Windows, so is it necessary?

Ugh, I had this test in my tree before the ovs-pki fix went in, and I forgot.

>
>     +AT_SETUP([peer ca cert])
>     +AT_KEYWORDS([ovs-vsctl ssl])
>     +AT_SKIP_IF([test "$HAVE_OPENSSL" = no])
>     +PKIDIR=`command pwd`
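Review bot: the backtick substitution on the last line of this hunk, `PKIDIR=`command pwd``, uses `command` to dodge a shell-function override of pwd, which the reply below says was only needed before the ovs-pki fix; `PKIDIR=$(pwd)` is the plainer form now and is also easier to read inside the m4-quoted AT_ macros, where nested backticks tend to be mistaken for quoting.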
>
> The &&s and \s here are a little puzzling too.  Do they do something
> useful?  (Should we be checking return values by using AT_CHECK?)
>
>     $OVS_PKI -B 1024 init && \
>     $OVS_PKI -B 1024 req+sign vsctl switch && \
>     $OVS_PKI -B 1024 req+sign ovsdbserver controller
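Review bot: the three ovs-pki invocations in this hunk are chained with `&& \` but run outside AT_CHECK, so a non-zero exit from `init` or either `req+sign` only short-circuits the chain and the test carries on with missing key material, failing later at the ovs-vsctl connection with a misleading message. Wrapping each step, e.g. `AT_CHECK([$OVS_PKI -B 1024 init])`, reports the failure at the step where it happens and makes the `&&`/`\` continuation unnecessary.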

I will do that.

>
> I see why the initial execution of ovs-vsctl ignores the output, but
> could the post-bootstrap connection check the output?  It would be a
> better test if it did.

I will do this. This also has to be done for the previous patch. So I
will resend the series.

>
> Thanks,
>
> Ben.

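As an added example (not OVS code and not from either poster): a standard-library Python check for the split the commit message describes, namely that --certificate should carry exactly one certificate and any further chain certificates belong in --peer-ca-cert. Once stream-ssl loads --certificate with SSL_CTX_use_certificate_file(), only the first CERTIFICATE block in that file is read, so the check reports what would be silently dropped and renders the remainder as a --peer-ca-cert file. The PEM bodies are constructed base64 placeholders rather than real DER certificates, and the function names are assumptions of this example.

```python
"""Split a PEM file the way ovs-vsctl's --certificate / --peer-ca-cert
options expect after the change to SSL_CTX_use_certificate_file().

Added example, not Open vSwitch code. The certificate bodies built by
pem_encode() below are constructed placeholders, not real DER."""
import base64
import re

# One PEM block: "-----BEGIN label-----", base64 body, "-----END label-----".
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----",
    re.DOTALL,
)


def pem_encode(label, der):
    """Render der bytes as a PEM block with 64-column base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (
        label, "\n".join(lines), label)


def split_pem(text):
    """Return [(label, der_bytes), ...] for every PEM block in text.

    Raises ValueError if a block body is not valid base64."""
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        der = base64.b64decode("".join(body.split()), validate=True)
        blocks.append((label, der))
    return blocks


def plan_certificate_options(cert_file_text):
    """Decide what --certificate will actually load and what must move.

    SSL_CTX_use_certificate_file() reads only the first CERTIFICATE
    block of the file, so every later certificate would be ignored
    unless it is passed separately via --peer-ca-cert (which ends up in
    SSL_CTX_add_extra_chain_cert())."""
    certs = [der for label, der in split_pem(cert_file_text)
             if label == "CERTIFICATE"]
    if not certs:
        raise ValueError("no CERTIFICATE block found for --certificate")
    extra = certs[1:]
    return {
        "certificate": certs[0],           # the one cert --certificate loads
        "peer_ca_cert": extra,             # what belongs in --peer-ca-cert
        "peer_ca_cert_pem": "".join(pem_encode("CERTIFICATE", d) for d in extra),
        "dropped_if_left_in_certificate": len(extra),
    }


# Constructed stand-in for a --certificate file that wrongly carries a
# whole chain: the leaf first, then two intermediate CA certificates.
CHAIN_FILE = (
    pem_encode("CERTIFICATE", b"leaf certificate placeholder")
    + pem_encode("CERTIFICATE", b"intermediate CA 1 placeholder")
    + pem_encode("CERTIFICATE", b"intermediate CA 2 placeholder")
)

if __name__ == "__main__":
    plan = plan_certificate_options(CHAIN_FILE)
    print("certs that --certificate would drop:",
          plan["dropped_if_left_in_certificate"])
    print("contents for --peer-ca-cert:\n" + plan["peer_ca_cert_pem"], end="")
```

Run against a real deployment's certificate file, the "dropped" count being non-zero is exactly the situation the patch addresses: those certificates never reached the peer before the fix either, and after it they must be handed over through --peer-ca-cert.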

