authorBen Pfaff <blp@nicira.com>2011-05-05 10:59:50 -0700
committerBen Pfaff <blp@nicira.com>2011-05-24 11:26:00 -0700
commitf14848742aca978783cc7953dc3949877ca25374 (patch)
tree053942852fb5ffc609c56281d6880e8a02e862d1 /lib/stream-ssl.c
parent0ab6decf2ce8bae6290967b6f0a3252dc86c4c55 (diff)
stream-ssl: Force CA cert file to be read when it appears during bootstrap.
A user report shows the message "reading CA cert /etc/openvswitch/vswitchd.cacert created by another process" appearing hundreds of times over a long period of time in the log. The only way I can see that this would happen is if update_ssl_config() returned false, indicating that the CA cert does not need to be re-read because it has not changed. This commit should prevent that from happening. We don't want to simply skip calling update_ssl_config() in this case, because then the next call to stream_ssl_set_ca_cert_file() would usually re-read the CA certificate, which is a waste of time. Also, we might as well rate-limit the message. NICS-9.
Diffstat (limited to 'lib/stream-ssl.c')
-rw-r--r--lib/stream-ssl.c22
1 files changed, 12 insertions, 10 deletions
diff --git a/lib/stream-ssl.c b/lib/stream-ssl.c
index 02ce7f56..6509b7ee 100644
--- a/lib/stream-ssl.c
+++ b/lib/stream-ssl.c
@@ -196,9 +196,10 @@ static int interpret_ssl_error(const char *function, int ret, int error,
static DH *tmp_dh_callback(SSL *ssl, int is_export OVS_UNUSED, int keylength);
static void log_ca_cert(const char *file_name, X509 *cert);
static void stream_ssl_set_ca_cert_file__(const char *file_name,
- bool bootstrap);
+ bool bootstrap, bool force);
static void ssl_protocol_cb(int write_p, int version, int content_type,
const void *, size_t, SSL *, void *sslv_);
+static bool update_ssl_config(struct ssl_config_file *, const char *file_name);
static short int
want_to_poll_events(int want)
@@ -385,9 +386,9 @@ do_ca_cert_bootstrap(struct stream *stream)
fd = open(ca_cert.file_name, O_CREAT | O_EXCL | O_WRONLY, 0444);
if (fd < 0) {
if (errno == EEXIST) {
- VLOG_INFO("reading CA cert %s created by another process",
- ca_cert.file_name);
- stream_ssl_set_ca_cert_file(ca_cert.file_name, true);
+ VLOG_INFO_RL(&rl, "reading CA cert %s created by another process",
+ ca_cert.file_name);
+ stream_ssl_set_ca_cert_file__(ca_cert.file_name, true, true);
return EPROTO;
} else {
VLOG_ERR("could not bootstrap CA cert: creating %s failed: %s",
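Review bot: The direct call to `stream_ssl_set_ca_cert_file__(ca_cert.file_name, true, true)` bypasses the public entry point without a comment saying why, so a reader of this branch cannot tell that the third argument exists to defeat update_ssl_config()'s "unchanged, skip" short-circuit. I would add above that call: `/* Force the read: update_ssl_config() may already treat this file as current, in which case stream_ssl_set_ca_cert_file() would skip it and leave the CA unloaded. */`. It is also worth stating that EEXIST only proves the file exists, not that the other process has finished writing it; the function returns EPROTO regardless of whether the read succeeded, so the next retry takes this same branch, which presumably is why the read has to be unconditional rather than mtime-driven. Since the trust decision here rests on whoever could create a file at that path, a one-line note that bootstrap is trust-on-first-use against the filesystem, not the peer, would help future readers. The `rl` limiter is not defined in this hunk, and do_ca_cert_bootstrap continues outside it.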
@@ -1279,12 +1280,17 @@ log_ca_cert(const char *file_name, X509 *cert)
}
static void
-stream_ssl_set_ca_cert_file__(const char *file_name, bool bootstrap)
+stream_ssl_set_ca_cert_file__(const char *file_name,
+ bool bootstrap, bool force)
{
X509 **certs;
size_t n_certs;
struct stat s;
+ if (!update_ssl_config(&ca_cert, file_name) && !force) {
+ return;
+ }
+
if (!strcmp(file_name, "none")) {
verify_peer_cert = false;
VLOG_WARN("Peer certificate validation disabled "
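Review bot: The new `force` parameter is undocumented, and its interaction with update_ssl_config() is the subtle part: the call `if (!update_ssl_config(&ca_cert, file_name) && !force)` still invokes update_ssl_config() when force is true, so the file is recorded as current either way, which is what keeps a later non-forced stream_ssl_set_ca_cert_file() from re-reading it. I would add a header comment above the function along the lines of `/* Loads the CA certificate(s) from 'file_name' ('none' disables peer verification). 'force' re-reads even when update_ssl_config() reports the file unchanged; the config record is updated in both cases so that a subsequent non-forced call does not re-read needlessly. */`. Because update_ssl_config() runs before the file is read, a read failure later in the function (outside this hunk) presumably leaves the record claiming the file is current; if that is the case it deserves a sentence in the same comment. The function body continues past the end of the hunk.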
@@ -1329,11 +1335,7 @@ stream_ssl_set_ca_cert_file__(const char *file_name, bool bootstrap)
void
stream_ssl_set_ca_cert_file(const char *file_name, bool bootstrap)
{
- if (!update_ssl_config(&ca_cert, file_name)) {
- return;
- }
-
- stream_ssl_set_ca_cert_file__(file_name, bootstrap);
+ stream_ssl_set_ca_cert_file__(file_name, bootstrap, false);
}
/* SSL protocol logging. */