mirror of https://github.com/openvswitch/ovs synced 2025-08-30 22:05:19 +00:00

stream-ssl: Get peer-ca-cert functionality to work.

When the --certificate option is provided, we currently use the
SSL_CTX_use_certificate_chain_file() function to add
that certificate. If our single certificate file had multiple
certificates (as a chain), all of them would get added and sent
to the remote peer. But once you call
SSL_CTX_use_certificate_chain_file(), any future calls to
SSL_CTX_add_extra_chain_cert() (called when the --peer-ca-cert option
is used) have no effect.

Since our man pages and INSTALL.SSL.md say that --certificate
is used to specify one certificate and additional certificates
are sent via --peer-ca-cert, this commit changes the
SSL_CTX_use_certificate_chain_file() call to
SSL_CTX_use_certificate_file(). With this, additional certificates
can now be added via the --peer-ca-cert option.

The test case added with this commit would fail without the
above changes.

Signed-off-by: Gurucharan Shetty <gshetty@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>
Gurucharan Shetty
2015-09-02 11:38:32 -07:00
parent 3d5b9d7843
commit 1b494f3e23
2 changed files with 28 additions and 1 deletion


@@ -1071,7 +1071,7 @@ stream_ssl_set_private_key_file(const char *file_name)
static void
stream_ssl_set_certificate_file__(const char *file_name)
{
if (SSL_CTX_use_certificate_chain_file(ctx, file_name) == 1) {
if (SSL_CTX_use_certificate_file(ctx, file_name, SSL_FILETYPE_PEM) == 1) {
certificate.read = true;
} else {
VLOG_ERR("SSL_use_certificate_file: %s",
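Review bot: The VLOG_ERR in the else branch still reports "SSL_use_certificate_file" while the function now being called is SSL_CTX_use_certificate_file(); suggest changing the log string to match so that an operator reading the log can find the failing call, e.g. `VLOG_ERR("SSL_CTX_use_certificate_file: %s",`. Second, this is a behaviour change worth a sentence in the documentation or NEWS: SSL_CTX_use_certificate_file() with SSL_FILETYPE_PEM loads only the first certificate in the file, so anyone who had been putting a bundle (leaf plus intermediates) in --certificate will, after this commit, present only the leaf and must move the intermediates to --peer-ca-cert; the commit message notes that the man pages already describe --certificate as a single certificate, but existing deployments that relied on the old chain-file behaviour would otherwise fail peer validation with no indication of why.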