Thanks, I pushed this.
On Fri, Jun 17, 2011 at 10:46:29AM -0700, Justin Pettit wrote:
> I'm not familiar enough with OpenSSL to really understand what's
> going on, but I don't see anything obviously wrong with this.
>
> --Justin
>
>
> On Jun 15, 2011, at 11:50 AM, Ben Pfaff wrote:
>
> > If the CA certificate changed and OVS added the new CA certificate, the
> > change was ineffective. Clearing the certificate store before adding the
> > new CA certificate fixes the problem.
> >
> > I don't know exactly why this fixes the problem, but in my testing it does.
> >
> > Bug #2921.
> > Reported-by: Dan Wendlandt <d...@nicira.com>
> > Reported-by: Pierre Ettori <pett...@nicira.com>
> > ---
> > lib/stream-ssl.c | 2 ++
> > 1 files changed, 2 insertions(+), 0 deletions(-)
> >
> > diff --git a/lib/stream-ssl.c b/lib/stream-ssl.c
> > index 22066e1..26646b4 100644
> > --- a/lib/stream-ssl.c
> > +++ b/lib/stream-ssl.c
> > @@ -412,6 +412,7 @@ do_ca_cert_bootstrap(struct stream *stream)
> > if (!cert) {
> > out_of_memory();
> > }
> > + SSL_CTX_set_cert_store(ctx, X509_STORE_new());
> > if (SSL_CTX_load_verify_locations(ctx, ca_cert.file_name, NULL) != 1) {
> > VLOG_ERR("SSL_CTX_load_verify_locations: %s",
> > ERR_error_string(ERR_get_error(), NULL));
> > @@ -1206,6 +1207,7 @@ stream_ssl_set_ca_cert_file__(const char *file_name,
> > bool bootstrap)
> >
> > /* Set up CAs for OpenSSL to trust in verifying the peer's
> > * certificate. */
> > + SSL_CTX_set_cert_store(ctx, X509_STORE_new());
> > if (SSL_CTX_load_verify_locations(ctx, file_name, NULL) != 1) {
> > VLOG_ERR("SSL_CTX_load_verify_locations: %s",
> > ERR_error_string(ERR_get_error(), NULL));
> > --
> > 1.7.4.4
> >
> > _______________________________________________
> > dev mailing list
> > dev@openvswitch.org
> > http://openvswitch.org/mailman/listinfo/dev
>
_______________________________________________
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev
