| author | Ben Pfaff <blp@nicira.com> | 2010-08-05 09:24:00 -0700 |
|---|---|---|
| committer | Ben Pfaff <blp@nicira.com> | 2010-08-05 09:24:00 -0700 |
| commit | 6f1e91b1d7c058d701145080c344bbc531b394ed (patch) | |
| tree | e5fa86b7ff37d384b99399fe1d9ba9a409d541a0 /ovsdb | |
| parent | 55574bb0d21541c13fe67545a74448b36063e461 (diff) | |
stream-ssl: Make changing keys and certificate at runtime reliable.
OpenSSL is picky about the order in which keys and certificates are
changed: you have to change the certificate first, then the key. It
doesn't document this, but deep in the source code, in a function that sets
a new certificate, it has this comment:
    /* don't fail for a cert/key mismatch, just free
     * current private key (when switching to a different
     * cert & key, first this function should be used,
     * then ssl_set_pkey */
Brilliant, guys, thanks a lot.
Bug #2921.
Diffstat (limited to 'ovsdb')
-rw-r--r-- | ovsdb/ovsdb-server.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/ovsdb/ovsdb-server.c b/ovsdb/ovsdb-server.c index 4ca9c2d1..27db0702 100644 --- a/ovsdb/ovsdb-server.c +++ b/ovsdb/ovsdb-server.c @@ -283,8 +283,8 @@ reconfigure_from_db(struct ovsdb_jsonrpc_server *jsonrpc, #if HAVE_OPENSSL /* Configure SSL. */ - stream_ssl_set_private_key_file(query_db_string(db, private_key_file)); - stream_ssl_set_certificate_file(query_db_string(db, certificate_file)); + stream_ssl_set_key_and_cert(query_db_string(db, private_key_file), + query_db_string(db, certificate_file)); stream_ssl_set_ca_cert_file(query_db_string(db, ca_cert_file), bootstrap_ca_cert); #endif |
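Review bot: the ordering constraint the commit message relies on (certificate first, then key) is not visible in this hunk, since stream_ssl_set_key_and_cert() lives outside 'ovsdb', and the new call's argument order (private_key_file, then certificate_file) reads as the reverse of that requirement. A one-line comment at the call site, e.g. `/* Key and cert must be applied together; see stream_ssl_set_key_and_cert(). */`, would stop a later reader from reintroducing the two separate calls removed here. Also worth confirming that the combined setter copes when only one of the two query_db_string() results changes or is empty, since the previous code applied each value independently.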