authorJustin Pettit <jpettit@nicira.com>2009-06-26 12:39:50 -0700
committerJustin Pettit <jpettit@nicira.com>2009-06-26 12:39:50 -0700
commit7e40e21d8fa139638240bf53b92fdf9843ce0b78 (patch)
tree24d68452c14d3134ac998512b3b509f89fef6066
parent3dc6fca88bf43eceda6fe62c2f70eb5ec92ddd46 (diff)
xenserver: Remove cacert when user reconfigures the controller
If a user moves from one controller to another, we did not remove the cacert. This prevents the switch from connecting to the new controller. To ease confusion, we now delete the cacert when the user changes or removes the controller in xsconsole. Note: This commit has a minor security issue, since we do not remove trust for the old certificate until the switch is restarted. In general, users should only be connected to trusted servers, so the impact should be low. Fixing this would require larger changes to the vconn-ssl code, which we don't want to do so late in the release cycle. Bug #1457
-rw-r--r--vswitchd/bridge.c10
-rw-r--r--vswitchd/mgmt.c12
-rwxr-xr-xxenserver/etc_xapi.d_plugins_vswitch-cfg-update12
3 files changed, 32 insertions, 2 deletions
diff --git a/vswitchd/bridge.c b/vswitchd/bridge.c
index 0236f14cb..0d9e49b30 100644
--- a/vswitchd/bridge.c
+++ b/vswitchd/bridge.c
@@ -27,6 +27,7 @@
#include <strings.h>
#include <sys/stat.h>
#include <sys/socket.h>
+#include <sys/types.h>
#include <unistd.h>
#include "bitmap.h"
#include "cfg.h"
@@ -323,6 +324,7 @@ bridge_configure_ssl(void)
static char *private_key_file;
static char *certificate_file;
static char *cacert_file;
+ struct stat s;
if (config_string_change("ssl.private-key", &private_key_file)) {
vconn_ssl_set_private_key_file(private_key_file);
@@ -332,7 +334,13 @@ bridge_configure_ssl(void)
vconn_ssl_set_certificate_file(certificate_file);
}
- if (config_string_change("ssl.ca-cert", &cacert_file)) {
+ /* We assume that even if the filename hasn't changed, if the CA cert
+ * file has been removed, that we want to move back into
+ * boot-strapping mode. This opens a small security hole, because
+ * the old certificate will still be trusted until vSwitch is
+ * restarted. We may want to address this in vconn's SSL library. */
+ if (config_string_change("ssl.ca-cert", &cacert_file)
+ || (stat(cacert_file, &s) && errno == ENOENT)) {
vconn_ssl_set_ca_cert_file(cacert_file,
cfg_get_bool(0, "ssl.bootstrap-ca-cert"));
}
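Review bot: The new `stat(cacert_file, &s)` operand runs whenever `config_string_change()` returns false, which presumably includes the case where `ssl.ca-cert` was never configured and the static `cacert_file` is still NULL; guard it as `|| (cacert_file && stat(cacert_file, &s) && errno == ENOENT)`. The identical condition added to `mgmt_configure_ssl()` in vswitchd/mgmt.c needs the same guard. Because this branch resets the trust anchor, a log line when it is taken for the file-missing reason would let operators see every return to bootstrap mode. `bridge_configure_ssl()` begins and ends outside the hunk, so the behaviour of `config_string_change()` is inferred rather than read.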
diff --git a/vswitchd/mgmt.c b/vswitchd/mgmt.c
index ce9d9f334..45c358024 100644
--- a/vswitchd/mgmt.c
+++ b/vswitchd/mgmt.c
@@ -19,6 +19,9 @@
#include <assert.h>
#include <errno.h>
#include <stdlib.h>
+#include <sys/stat.h>
+#include <sys/socket.h>
+#include <sys/types.h>
#include "bridge.h"
#include "cfg.h"
@@ -101,6 +104,7 @@ mgmt_configure_ssl(void)
static char *private_key_file;
static char *certificate_file;
static char *cacert_file;
+ struct stat s;
/* XXX SSL should be configurable separate from the bridges.
* XXX should be possible to de-configure SSL. */
@@ -112,7 +116,13 @@ mgmt_configure_ssl(void)
vconn_ssl_set_certificate_file(certificate_file);
}
- if (config_string_change("ssl.ca-cert", &cacert_file)) {
+ /* We assume that even if the filename hasn't changed, if the CA cert
+ * file has been removed, that we want to move back into
+ * boot-strapping mode. This opens a small security hole, because
+ * the old certificate will still be trusted until vSwitch is
+ * restarted. We may want to address this in vconn's SSL library. */
+ if (config_string_change("ssl.ca-cert", &cacert_file)
+ || (stat(cacert_file, &s) && errno == ENOENT)) {
vconn_ssl_set_ca_cert_file(cacert_file,
cfg_get_bool(0, "ssl.bootstrap-ca-cert"));
}
diff --git a/xenserver/etc_xapi.d_plugins_vswitch-cfg-update b/xenserver/etc_xapi.d_plugins_vswitch-cfg-update
index ef4ce782e..ce407ad1b 100755
--- a/xenserver/etc_xapi.d_plugins_vswitch-cfg-update
+++ b/xenserver/etc_xapi.d_plugins_vswitch-cfg-update
@@ -27,10 +27,20 @@ logging.basicConfig(filename="/var/log/vswitch-cfg-update.log", level=logging.DE
import XenAPIPlugin
import XenAPI
+import os
import subprocess
cfg_mod="/root/vswitch/bin/ovs-cfg-mod"
vswitchd_cfg_filename="/etc/ovs-vswitchd.conf"
+cacert_filename="/etc/ovs-vswitchd.cacert"
+
+# Delete the CA certificate, so that we go back to boot-strapping mode
+def delete_cacert():
+ try:
+ os.remove(cacert_filename)
+ except OSError:
+ # Ignore error if file doesn't exist
+ pass
def update(session, args):
pools = session.xenapi.pool.get_all()
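Review bot: `delete_cacert()` swallows every `OSError`, although its comment only intends to ignore a missing file; a permission or read-only-filesystem failure would leave the old CA certificate in place with no trace in the log. Compare the error with `errno.ENOENT` and log anything else, e.g. `if e.errno != errno.ENOENT: log.error("Could not remove %s: %s" % (cacert_filename, e))`, which needs `import errno` next to the new `import os`. A docstring such as `"""Remove the stored CA certificate so vswitchd returns to bootstrap mode."""` would serve better than the comment above the def.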
@@ -49,6 +59,7 @@ def update(session, args):
currentController = vswitchCurrentController()
if controller == "" and currentController != "":
log.debug("Removing controller configuration.")
+ delete_cacert()
removeControllerCfg()
return "Successfully removed controller config"
elif controller != currentController:
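Review bot: `delete_cacert()` is called unconditionally here and again in the `elif controller != currentController` branch of the next hunk, so a CA certificate that an administrator installed by hand is removed just like a bootstrapped one. Whether `ssl.bootstrap-ca-cert` is enabled is not visible from these hunks; if it can be off, the switch may be left with no usable CA file after the change. Consider checking that setting before deleting, or at least add a comment such as `# Drops the trust anchor; the next controller's CA is accepted on first connect` and log the deletion at a level above debug. `update()` starts and ends outside the hunk.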
@@ -56,6 +67,7 @@ def update(session, args):
log.debug("Setting controller to: %s" % (controller))
else:
log.debug("Changing controller from %s to %s" % (currentController, controller))
+ delete_cacert()
setControllerCfg(controller)
return "Successfully set controller to " + controller
else: