mir/openvswitch
2
0
Fork 0
mirror of https://github.com/openvswitch/ovs synced 2025-10-25 15:07:05 +00:00
Code Issues Releases Wiki Activity

stream-ssl: Get peer-ca-cert functionality to work.

Browse Source 
When --certificate option is provided, we currently use
SSL_CTX_use_certificate_chain_file() function to add
that certificate. If our single certificate file had multiple
certificates (as a chain), all of them would get added and sent
to the remote peer. But once you call
SSL_CTX_use_certificate_chain_file(), any future calls to
SSL_CTX_add_extra_chain_cert() (called when --peer-ca-cert option
is used) had no effect.

Since our man pages and INSTALL.SSL.md say that --certificate
is used to specify one certificate and additional certificates
are sent via --peer-ca-cert, this commit changes
SSL_CTX_use_certificate_chain_file() use to
SSL_CTX_use_certificate_file(). With this, additional certificates
can now be added via --peer-ca-cert option.

The test case added with this commit would fail without the
above changes.

Signed-off-by: Gurucharan Shetty <gshetty@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>
This commit is contained in:
Gurucharan Shetty
2015-09-02 11:38:32 -07:00
parent 3d5b9d7843
commit 1b494f3e23
2 changed files with 28 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
lib/stream-ssl.c
View File

@@ -1071,7 +1071,7 @@ stream_ssl_set_private_key_file(const char *file_name)
static void
stream_ssl_set_certificate_file__(const char *file_name)
{
if (SSL_CTX_use_certificate_chain_file(ctx, file_name) == 1) {
if (SSL_CTX_use_certificate_file(ctx, file_name, SSL_FILETYPE_PEM) == 1) {
certificate.read = true;
} else {
VLOG_ERR("SSL_use_certificate_file: %s",

27
tests/ovs-vsctl.at
View File

@@ -1334,3 +1334,30 @@ AT_CHECK([ovs-vsctl -t 5 --no-wait --db=ssl:127.0.0.1:$SSL_PORT --private-key=$P
OVSDB_SERVER_SHUTDOWN
AT_CLEANUP
AT_SETUP([peer ca cert])
AT_KEYWORDS([ovs-vsctl ssl])
AT_SKIP_IF([test "$HAVE_OPENSSL" = no])
PKIDIR=`pwd`
OVS_PKI="sh $abs_top_srcdir/utilities/ovs-pki.in --dir=$PKIDIR/pki --log=$PKIDIR/ovs-pki.log"
AT_CHECK([$OVS_PKI -B 1024 init && $OVS_PKI -B 1024 req+sign vsctl switch && $OVS_PKI -B 1024 req+sign ovsdbserver controller], [0], [ignore], [ignore])
dnl Create database.
OVSDB_INIT([conf.db])
AT_CHECK([ovsdb-server --detach --no-chdir --pidfile="`pwd`"/pid --private-key=$PKIDIR/ovsdbserver-privkey.pem --certificate=$PKIDIR/ovsdbserver-cert.pem --ca-cert=$PKIDIR/pki/switchca/cacert.pem --peer-ca-cert=$PKIDIR/pki/controllerca/cacert.pem --remote=pssl:0:127.0.0.1 --unixctl="`pwd`"/unixctl --log-file="`pwd`"/ovsdb-server.log conf.db], [0], [ignore], [ignore])
on_exit "kill `cat pid`"
SSL_PORT=`parse_listening_port < ovsdb-server.log`
# During bootstrap, the connection gets torn down. So the o/p of ovs-vsctl is error.
AT_CHECK([ovs-vsctl -t 5 --db=ssl:127.0.0.1:$SSL_PORT --private-key=$PKIDIR/vsctl-privkey.pem --certificate=$PKIDIR/vsctl-cert.pem --bootstrap-ca-cert=$PKIDIR/cacert.pem show], [1], [ignore], [ignore])
# If the bootstrap was successful, the following file should exist.
OVS_WAIT_UNTIL([test -e $PKIDIR/cacert.pem])
# After bootstrap, the connection should be successful.
AT_CHECK([ovs-vsctl -t 5 --no-wait --db=ssl:127.0.0.1:$SSL_PORT --private-key=$PKIDIR/vsctl-privkey.pem --certificate=$PKIDIR/vsctl-cert.pem --bootstrap-ca-cert=$PKIDIR/cacert.pem add-br br0], [0])
AT_CHECK([ovs-vsctl -t 5 --no-wait --db=ssl:127.0.0.1:$SSL_PORT --private-key=$PKIDIR/vsctl-privkey.pem --certificate=$PKIDIR/vsctl-cert.pem --bootstrap-ca-cert=$PKIDIR/cacert.pem list-br], [0], [br0
])
OVSDB_SERVER_SHUTDOWN
AT_CLEANUP