[ovs-dev] [PATCH 1/2] stream-ssl.c: Fix stream_ssl_set_key_and_cert.

Ilya Maximets i.maximets at ovn.org
Fri May 14 09:43:35 UTC 2021


On 5/13/21 11:33 PM, Han Zhou wrote:
> From the description of this interface, one of the problems it tries to
> solve is when one of the files is changed before the other:
> 
>  * But, if the private
>  * key is changed before the certificate (e.g. someone "scp"s or "mv"s the new
>  * private key in place before the certificate), then OpenSSL would reject that
>  * change, and then the change of certificate would succeed, but there would be
>  * no associated private key (because it had only changed once and therefore
>  * there was no point in re-reading it).
> 
>  * This function avoids both problems by, whenever either the certificate or
>  * the private key file changes, re-reading both of them ...
> 
> However, in the implementation it used "&&" instead of "||", and so it was
> in fact re-reading both of them only when both were changed. This patch
> fixes it by using "||".
> 
> Reported-by: Girish Moodalbail <gmoodalbail at gmail.com>
> Reported-at: https://mail.openvswitch.org/pipermail/ovs-discuss/2020-December/050859.html
> Signed-off-by: Han Zhou <hzhou at ovn.org>
> ---
>  lib/stream-ssl.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/lib/stream-ssl.c b/lib/stream-ssl.c
> index 078fcbc3a..e67ccb4bd 100644
> --- a/lib/stream-ssl.c
> +++ b/lib/stream-ssl.c
> @@ -1215,7 +1215,7 @@ stream_ssl_set_key_and_cert(const char *private_key_file,
>                              const char *certificate_file)
>  {
>      if (update_ssl_config(&private_key, private_key_file)
> -        && update_ssl_config(&certificate, certificate_file)) {
> +        || update_ssl_config(&certificate, certificate_file)) {
>          stream_ssl_set_certificate_file__(certificate_file);
>          stream_ssl_set_private_key_file__(private_key_file);
>      }
> 
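Review bot: with `||` the second operand is short-circuited whenever `update_ssl_config(&private_key, private_key_file)` reports a change, so `update_ssl_config(&certificate, certificate_file)` is not called in that case and whatever state it records for the certificate file is only refreshed on a later call. Evaluating both before the `if` avoids that, e.g. `bool key_changed = update_ssl_config(&private_key, private_key_file);` / `bool cert_changed = update_ssl_config(&certificate, certificate_file);` / `if (key_changed || cert_changed) {`. Since the body then installs both files unconditionally, a key replaced ahead of its certificate is loaded next to the old certificate; the commit message only says both are re-read, so it would help to state whether a temporarily mismatched pair is acceptable here.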

Hi, Han.  Thanks for working on this.

This change might fix the issue, but I'm not sure that updating only
one of the components makes much sense.  I mean, the certificate and private
key should match, otherwise the setup will be broken while the second
component is not updated, IIUC.

I'm not sure, but maybe you're looking for a solution to the same problem
as this patch tries to address:
  https://patchwork.ozlabs.org/project/openvswitch/patch/310a47ca-7f78-b5d1-1d3f-7e52ea0f5dd8@nutanix.com/
?

Best regards, Ilya Maximets.
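The three behaviours discussed in this thread (the original `&&`, the patched `||`, and a reload that reads both files and refuses a key/certificate pair that does not belong together) can be compared on the staggered-copy scenario from the commit message. The following C program is an added illustration and is not Open vSwitch code: it replaces real files with constructed `fake_file` records whose `mtime` stands in for the modification time OVS compares and whose `key_id` stands in for "which key pair this PEM belongs to"; `update_config()` plays the role of `update_ssl_config()`, and the `key_id` comparison in the checked policy stands in for OpenSSL's `SSL_CTX_check_private_key()`. The function names and the three-step scenario are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-in for a PEM file on disk: mtime plays the role of the
 * modification time OVS compares, key_id says which key pair the content
 * belongs to (a real check compares the public keys, not an id). */
struct fake_file {
    long mtime;
    int key_id;
};

/* Per-file tracking state, one for the key and one for the certificate. */
struct tracked {
    long last_mtime;
};

/* Pair currently installed in the (simulated) SSL context. */
struct ssl_pair {
    int key_id;
    int cert_id;
};

/* Plays the role of update_ssl_config(): true when the file changed since the
 * last call, recording the new mtime.  (Assumption: the real helper also
 * handles file-name changes; that is omitted here.) */
static bool update_config(struct tracked *t, const struct fake_file *f)
{
    if (t->last_mtime == f->mtime) {
        return false;
    }
    t->last_mtime = f->mtime;
    return true;
}

enum policy { POLICY_AND, POLICY_OR, POLICY_CHECKED };

/* One call of the set_key_and_cert logic.  Returns true if a pair was installed. */
static bool set_key_and_cert(enum policy p, struct tracked *tk, struct tracked *tc,
                             const struct fake_file *key, const struct fake_file *cert,
                             struct ssl_pair *loaded)
{
    bool reload;

    if (p == POLICY_AND) {
        /* Original code: both files must change in the same call. */
        reload = update_config(tk, key) && update_config(tc, cert);
    } else if (p == POLICY_OR) {
        /* Patched code: a change to either file reloads both (short-circuits). */
        reload = update_config(tk, key) || update_config(tc, cert);
    } else {
        /* Evaluate both trackers so neither goes stale, then reload both. */
        bool k = update_config(tk, key);
        bool c = update_config(tc, cert);
        reload = k || c;
    }
    if (!reload) {
        return false;
    }
    if (p == POLICY_CHECKED && key->key_id != cert->key_id) {
        /* Stand-in for SSL_CTX_check_private_key(): do not install a key and
         * certificate that do not belong together; keep the previous pair. */
        return false;
    }
    loaded->key_id = key->key_id;
    loaded->cert_id = cert->key_id;
    return true;
}

/* Scenario from the thread: pair 1 is installed, then the new private key
 * (pair 2) is copied into place, and only afterwards its certificate.
 * Returns how many of the three calls left a mismatched pair installed and
 * stores the final pair in *final. */
static int run_staggered_update(enum policy p, struct ssl_pair *final)
{
    struct fake_file key = { 10, 1 };
    struct fake_file cert = { 10, 1 };
    struct tracked tk = { 0 };
    struct tracked tc = { 0 };
    struct ssl_pair loaded = { -1, -1 };
    int mismatched = 0;
    int step;

    for (step = 0; step < 3; step++) {
        if (step == 1) {
            key.mtime = 11;  key.key_id = 2;    /* "scp" of the new key */
        } else if (step == 2) {
            cert.mtime = 12; cert.key_id = 2;   /* certificate follows later */
        }
        set_key_and_cert(p, &tk, &tc, &key, &cert, &loaded);
        if (loaded.key_id != loaded.cert_id) {
            mismatched++;
        }
    }
    *final = loaded;
    return mismatched;
}

/* Plain-int views of the scenario outcome. */
static int staggered_mismatches(enum policy p) { struct ssl_pair f; return run_staggered_update(p, &f); }
static int staggered_final_key(enum policy p) { struct ssl_pair f; run_staggered_update(p, &f); return f.key_id; }
static int staggered_final_cert(enum policy p) { struct ssl_pair f; run_staggered_update(p, &f); return f.cert_id; }

int main(void)
{
    static const char *names[] = { "&&", "||", "both + check" };
    enum policy p;

    for (p = POLICY_AND; p <= POLICY_CHECKED; p++) {
        printf("%-13s mismatched calls: %d  final key/cert: %d/%d\n", names[p],
               staggered_mismatches(p), staggered_final_key(p), staggered_final_cert(p));
    }
    return 0;
}
```

Run as written, `&&` never picks up the new pair at all (the old one stays installed), `||` picks it up but serves the new key with the old certificate for one call, and the evaluate-both-then-check policy keeps the old consistent pair until both files have been replaced.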

