author | Justin Pettit <jpettit@nicira.com> | 2009-06-26 12:39:50 -0700 |
---|---|---|
committer | Justin Pettit <jpettit@nicira.com> | 2009-06-26 12:39:50 -0700 |
commit | 7e40e21d8fa139638240bf53b92fdf9843ce0b78 (patch) | |
tree | 24d68452c14d3134ac998512b3b509f89fef6066 /vswitchd | |
parent | 3dc6fca88bf43eceda6fe62c2f70eb5ec92ddd46 (diff) |
xenserver: Remove cacert when user reconfigures the controller
If a user moves from one controller to another, we did not remove the
cacert. This prevents the switch from connecting to the new controller.
To ease confusion, we now delete the cacert when the user changes or
removes the controller in xsconsole.
Note: This commit has a minor security issue, since we do not remove
trust for the old certificate until the switch is restarted. In
general, users should only be connected to trusted servers, so the
impact should be low. Fixing this would require larger changes to the
vconn-ssl code, which we don't want to do so late in the release cycle.
Bug #1457
Diffstat (limited to 'vswitchd')
-rw-r--r-- | vswitchd/bridge.c | 10 | ||||
-rw-r--r-- | vswitchd/mgmt.c | 12 |
2 files changed, 20 insertions, 2 deletions
diff --git a/vswitchd/bridge.c b/vswitchd/bridge.c
index 0236f14c..0d9e49b3 100644
--- a/vswitchd/bridge.c
+++ b/vswitchd/bridge.c
@@ -27,6 +27,7 @@
 #include <strings.h>
 #include <sys/stat.h>
 #include <sys/socket.h>
+#include <sys/types.h>
 #include <unistd.h>
 #include "bitmap.h"
 #include "cfg.h"
@@ -323,6 +324,7 @@ bridge_configure_ssl(void)
     static char *private_key_file;
     static char *certificate_file;
     static char *cacert_file;
+    struct stat s;
 
     if (config_string_change("ssl.private-key", &private_key_file)) {
         vconn_ssl_set_private_key_file(private_key_file);
@@ -332,7 +334,13 @@ bridge_configure_ssl(void)
         vconn_ssl_set_certificate_file(certificate_file);
     }
 
-    if (config_string_change("ssl.ca-cert", &cacert_file)) {
+    /* We assume that even if the filename hasn't changed, if the CA cert
+     * file has been removed, that we want to move back into
+     * boot-strapping mode. This opens a small security hole, because
+     * the old certificate will still be trusted until vSwitch is
+     * restarted. We may want to address this in vconn's SSL library. */
+    if (config_string_change("ssl.ca-cert", &cacert_file)
+        || (stat(cacert_file, &s) && errno == ENOENT)) {
         vconn_ssl_set_ca_cert_file(cacert_file,
                                    cfg_get_bool(0, "ssl.bootstrap-ca-cert"));
     }
diff --git a/vswitchd/mgmt.c b/vswitchd/mgmt.c
index ce9d9f33..45c35802 100644
--- a/vswitchd/mgmt.c
+++ b/vswitchd/mgmt.c
@@ -19,6 +19,9 @@
 #include <assert.h>
 #include <errno.h>
 #include <stdlib.h>
+#include <sys/stat.h>
+#include <sys/socket.h>
+#include <sys/types.h>
 
 #include "bridge.h"
 #include "cfg.h"
@@ -101,6 +104,7 @@ mgmt_configure_ssl(void)
     static char *private_key_file;
     static char *certificate_file;
     static char *cacert_file;
+    struct stat s;
 
     /* XXX SSL should be configurable separate from the bridges.
      * XXX should be possible to de-configure SSL. */
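Review bot: `stat(cacert_file, &s)` in the new condition is evaluated whenever config_string_change() returns false, which includes the case where the zero-initialized static `cacert_file` is still NULL because `ssl.ca-cert` has never been configured (the helper is outside the hunk, so whether it assigns the pointer in that case is inferred); passing NULL to stat() is not defined by POSIX and on Linux typically fails with EFAULT rather than ENOENT, so the branch is silently skipped rather than rejected. Guard the pointer first: `|| (cacert_file && stat(cacert_file, &s) && errno == ENOENT)`. While the file stays missing this branch also fires on every configure pass and re-calls vconn_ssl_set_ca_cert_file(), which is harmless only if that setter is idempotent, and the hunk does not show it. The same five-line comment and condition are duplicated verbatim in mgmt.c's `@@ -112,7 +116,13 @@` hunk; a small shared helper would keep the two call sites in step when the vconn-ssl follow-up mentioned in the comment lands. bridge_configure_ssl() begins before this hunk, so the rest of its body is not visible here.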
@@ -112,7 +116,13 @@ mgmt_configure_ssl(void)
         vconn_ssl_set_certificate_file(certificate_file);
     }
 
-    if (config_string_change("ssl.ca-cert", &cacert_file)) {
+    /* We assume that even if the filename hasn't changed, if the CA cert
+     * file has been removed, that we want to move back into
+     * boot-strapping mode. This opens a small security hole, because
+     * the old certificate will still be trusted until vSwitch is
+     * restarted. We may want to address this in vconn's SSL library. */
+    if (config_string_change("ssl.ca-cert", &cacert_file)
+        || (stat(cacert_file, &s) && errno == ENOENT)) {
         vconn_ssl_set_ca_cert_file(cacert_file,
                                    cfg_get_bool(0, "ssl.bootstrap-ca-cert"));
     } |