mir/ovs
2
0
Fork 0
mirror of https://github.com/openvswitch/ovs synced 2025-08-31 06:15:47 +00:00
Code Issues Releases Wiki Activity

stream-ssl: Clear CAs for certificate verification before adding new ones.

Browse Source 
If the CA certificate changed and OVS added the new CA certificate, the
change was ineffective.  Clearing the certificate store before adding the
new CA certificate fixes the problem.

I don't know exactly why this fixes the problem, but in my testing it does.

Bug #2921.
Reported-by: Dan Wendlandt <dan@nicira.com>
Reported-by: Pierre Ettori <pettori@nicira.com>
This commit is contained in:
Ben Pfaff
2011-06-15 11:50:24 -07:00
parent 7211b387b7
commit e6a8ca62a6
1 changed files with 2 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
lib/stream-ssl.c
View File

@@ -413,6 +413,7 @@ do_ca_cert_bootstrap(struct stream *stream)
if (!cert) {
out_of_memory();
}
SSL_CTX_set_cert_store(ctx, X509_STORE_new());
if (SSL_CTX_load_verify_locations(ctx, ca_cert.file_name, NULL) != 1) {
VLOG_ERR("SSL_CTX_load_verify_locations: %s",
ERR_error_string(ERR_get_error(), NULL));
@@ -1215,6 +1216,7 @@ stream_ssl_set_ca_cert_file__(const char *file_name,
/* Set up CAs for OpenSSL to trust in verifying the peer's
* certificate. */
SSL_CTX_set_cert_store(ctx, X509_STORE_new());
if (SSL_CTX_load_verify_locations(ctx, file_name, NULL) != 1) {
VLOG_ERR("SSL_CTX_load_verify_locations: %s",
ERR_error_string(ERR_get_error(), NULL));