[ovs-dev] [PATCH 2/2] stream-ssl: Get peer-ca-cert functionality to work.
Gurucharan Shetty
shettyg at nicira.com
Fri Sep 11 16:00:33 UTC 2015
On Tue, Sep 8, 2015 at 3:36 PM, Ben Pfaff <blp at nicira.com> wrote:
> On Wed, Sep 02, 2015 at 01:02:39PM -0700, Gurucharan Shetty wrote:
>> When --certificate option is provided, we currently use
>> SSL_CTX_use_certificate_chain_file() function to add
>> that certificate. If our single certificate file had multiple
>> certificates (as a chain), all of them would get added and sent
>> to the remote peer. But once you call
>> SSL_CTX_use_certificate_chain_file(), any future calls to
>> SSL_CTX_add_extra_chain_cert() (called when --peer-ca-cert option
>> is used) had no effect.
>>
>> Since our man pages and INSTALL.SSL.md say that --certificate
>> is used to specify one certificate and additional certificates
>> are sent via --peer-ca-cert, this commit changes
>> SSL_CTX_use_certificate_chain_file() use to
>> SSL_CTX_use_certificate_file(). With this, additional certificates
>> can now be added via --peer-ca-cert option.
>>
>> The test case added with this commit would fail without the
>> above changes.
>>
>> Signed-off-by: Gurucharan Shetty <gshetty at nicira.com>
>
> The use of "command pwd" is puzzling here, does it have something to do
> with Windows? But I thought we'd fixed the problem that ovs-pki had
> with Windows, so is it necessary?
Ugh, I had this test in my tree before the ovs-pki fix went in, and I forgot.
>
> +AT_SETUP([peer ca cert])
> +AT_KEYWORDS([ovs-vsctl ssl])
> +AT_SKIP_IF([test "$HAVE_OPENSSL" = no])
> +PKIDIR=`command pwd`
>
> The &&s and \s here are a little puzzling too. Do they do something
> useful? (Should we be checking return values by using AT_CHECK?)
>
> $OVS_PKI -B 1024 init && \
> $OVS_PKI -B 1024 req+sign vsctl switch && \
> $OVS_PKI -B 1024 req+sign ovsdbserver controller
I will do that.
>
> I see why the initial execution of ovs-vsctl ignores the output, but
> could the post-bootstrap connection check the output? It would be a
> better test if it did.
I will do this. This also has to be done for the previous patch. So I
will resend the series.
>
> Thanks,
>
> Ben.
More information about the dev
mailing list