I'm not familiar enough with OpenSSL to really understand what's going on, but I don't see anything obviously wrong with this.
--Justin On Jun 15, 2011, at 11:50 AM, Ben Pfaff wrote: > If the CA certificate changed and OVS added the new CA certificate, the > change was ineffective. Clearing the certificate store before adding the > new CA certificate fixes the problem. > > I don't know exactly why this fixes the problem, but in my testing it does. > > Bug #2921. > Reported-by: Dan Wendlandt <d...@nicira.com> > Reported-by: Pierre Ettori <pett...@nicira.com> > --- > lib/stream-ssl.c | 2 ++ > 1 files changed, 2 insertions(+), 0 deletions(-) > > diff --git a/lib/stream-ssl.c b/lib/stream-ssl.c > index 22066e1..26646b4 100644 > --- a/lib/stream-ssl.c > +++ b/lib/stream-ssl.c > @@ -412,6 +412,7 @@ do_ca_cert_bootstrap(struct stream *stream) > if (!cert) { > out_of_memory(); > } > + SSL_CTX_set_cert_store(ctx, X509_STORE_new()); > if (SSL_CTX_load_verify_locations(ctx, ca_cert.file_name, NULL) != 1) { > VLOG_ERR("SSL_CTX_load_verify_locations: %s", > ERR_error_string(ERR_get_error(), NULL)); > @@ -1206,6 +1207,7 @@ stream_ssl_set_ca_cert_file__(const char *file_name, > bool bootstrap) > > /* Set up CAs for OpenSSL to trust in verifying the peer's > * certificate. */ > + SSL_CTX_set_cert_store(ctx, X509_STORE_new()); > if (SSL_CTX_load_verify_locations(ctx, file_name, NULL) != 1) { > VLOG_ERR("SSL_CTX_load_verify_locations: %s", > ERR_error_string(ERR_get_error(), NULL)); > -- > 1.7.4.4 > > _______________________________________________ > dev mailing list > dev@openvswitch.org > http://openvswitch.org/mailman/listinfo/dev _______________________________________________ dev mailing list dev@openvswitch.org http://openvswitch.org/mailman/listinfo/dev
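Review bot: in the do_ca_cert_bootstrap() hunk, X509_STORE_new() can return NULL on allocation failure and its result is handed straight to SSL_CTX_set_cert_store(ctx, ...), which installs it without checking, so a later peer verification would dereference a NULL certificate store. The two lines just above the added line already call out_of_memory() when `cert` is NULL, and the new store deserves the same treatment, e.g. `store = X509_STORE_new(); if (!store) { out_of_memory(); } SSL_CTX_set_cert_store(ctx, store);`. Ownership is otherwise fine: SSL_CTX_set_cert_store() frees the store previously attached to ctx and takes over the new one, so nothing leaks.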
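Review bot: in the stream_ssl_set_ca_cert_file__() hunk, installing a fresh store before SSL_CTX_load_verify_locations() changes the failure behaviour: before the patch a failed load left the context with whatever CA it already trusted, after the patch it leaves the context with an empty store, so every later peer verification fails until a CA loads successfully. That is the safer, fail-closed outcome, but it is a behaviour change the commit message does not mention, and the comment above the hunk ("Set up CAs for OpenSSL to trust ...") is the natural place to say so. The security effect of the change is also worth stating explicitly: without the fresh store a previously loaded CA stays trusted alongside the new one, so certificates issued by the retired CA would still be accepted, whereas with it only the CA in file_name is trusted. The NULL return of X509_STORE_new() needs the same check here as in the first hunk.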
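The effect the patch is after can be checked from the command line without touching OVS. The script below is an added example, not code from the thread or from the Open vSwitch tree: it builds an old CA and a new CA with the openssl CLI (assumed to be on PATH), issues a peer certificate from each, and then verifies the old peer's certificate against two trust bundles. The "appended" bundle stands in for the pre-patch SSL_CTX whose store still holds the old CA after the new one is loaded; the "replaced" bundle stands in for the fresh X509_STORE the patch installs. All subjects and file names are invented for the demo.

```shell
#!/bin/sh
# Added example, not part of the OVS patch or thread: shows why loading a new
# CA into a store that still holds the old CA keeps old-CA certificates
# accepted, and why a fresh store (as in the patch) stops accepting them.
# Requires the openssl CLI; every key, certificate and name is generated here.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME CN: self-signed CA, key in NAME-ca.key, cert in NAME-ca.pem
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=$2" \
        -keyout "$WORK/$1-ca.key" -out "$WORK/$1-ca.pem" 2>/dev/null
}

# issue_cert CA LEAF: end-entity certificate for LEAF signed by CA's key
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 365 -in "$WORK/$2.csr" \
        -CA "$WORK/$1-ca.pem" -CAkey "$WORK/$1-ca.key" -CAcreateserial \
        -out "$WORK/$2.pem" 2>/dev/null
}

# verify_against BUNDLE LEAF: prints "ok" if LEAF chains to a CA in BUNDLE,
# "fail" otherwise. The ": OK" line is checked rather than the exit status,
# which has not been consistent across openssl releases.
verify_against() {
    if openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'; then
        echo ok
    else
        echo fail
    fi
}

# Scenario: a peer certificate issued by the old CA, then the CA is rotated
# and a new peer certificate is issued by the new CA.
make_ca old "Old OVS CA"
issue_cert old old-peer
make_ca new "New OVS CA"
issue_cert new new-peer

# Pre-patch behaviour: the new CA is loaded into a store that still contains
# the old CA, so the store trusts both.
cat "$WORK/old-ca.pem" "$WORK/new-ca.pem" > "$WORK/appended.pem"
# Patched behaviour: a fresh store holding only the new CA.
cp "$WORK/new-ca.pem" "$WORK/replaced.pem"

# Results exposed as functions so each can be checked on its own.
old_peer_with_appended() { verify_against "$WORK/appended.pem" "$WORK/old-peer.pem"; }
old_peer_with_replaced() { verify_against "$WORK/replaced.pem" "$WORK/old-peer.pem"; }
new_peer_with_replaced() { verify_against "$WORK/replaced.pem" "$WORK/new-peer.pem"; }

echo "old-CA peer, store with old+new CA: $(old_peer_with_appended)"   # ok
echo "old-CA peer, store with new CA only: $(old_peer_with_replaced)"  # fail
echo "new-CA peer, store with new CA only: $(new_peer_with_replaced)"  # ok
```

The first line is the pre-patch outcome: the retired CA is still in the store, so a certificate it issued keeps passing verification. The second and third lines are what the patch produces: only certificates chaining to the CA actually configured are accepted. The example uses two CAs with different subject names so that the result is deterministic; it does not attempt to reproduce whatever made the original append ineffective, which the commit message leaves open.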