@@ -1071,7 +1071,7 @@ stream_ssl_set_private_key_file(const char *file_name)
static void
stream_ssl_set_certificate_file__(const char *file_name)
{
- if (SSL_CTX_use_certificate_chain_file(ctx, file_name) == 1) {
+ if (SSL_CTX_use_certificate_file(ctx, file_name, SSL_FILETYPE_PEM) == 1) {
certificate.read = true;
} else {
VLOG_ERR("SSL_use_certificate_file: %s",
@@ -1334,3 +1334,30 @@ AT_CHECK([ovs-vsctl -t 5 --no-wait --db=ssl:127.0.0.1:$SSL_PORT --private-key=$P
OVSDB_SERVER_SHUTDOWN
AT_CLEANUP
+
+AT_SETUP([peer ca cert])
+AT_KEYWORDS([ovs-vsctl ssl])
+AT_SKIP_IF([test "$HAVE_OPENSSL" = no])
+PKIDIR=`pwd`
+OVS_PKI="sh $abs_top_srcdir/utilities/ovs-pki.in --dir=$PKIDIR/pki --log=$PKIDIR/ovs-pki.log"
+AT_CHECK([$OVS_PKI -B 1024 init && $OVS_PKI -B 1024 req+sign vsctl switch && $OVS_PKI -B 1024 req+sign ovsdbserver controller], [0], [ignore], [ignore])
+
+dnl Create database.
+OVSDB_INIT([conf.db])
+AT_CHECK([ovsdb-server --detach --no-chdir --pidfile="`pwd`"/pid --private-key=$PKIDIR/ovsdbserver-privkey.pem --certificate=$PKIDIR/ovsdbserver-cert.pem --ca-cert=$PKIDIR/pki/switchca/cacert.pem --peer-ca-cert=$PKIDIR/pki/controllerca/cacert.pem --remote=pssl:0:127.0.0.1 --unixctl="`pwd`"/unixctl --log-file="`pwd`"/ovsdb-server.log conf.db], [0], [ignore], [ignore])
+on_exit "kill `cat pid`"
+SSL_PORT=`parse_listening_port < ovsdb-server.log`
+
+# During bootstrap, the connection gets torn down. So the o/p of ovs-vsctl is error.
+AT_CHECK([ovs-vsctl -t 5 --db=ssl:127.0.0.1:$SSL_PORT --private-key=$PKIDIR/vsctl-privkey.pem --certificate=$PKIDIR/vsctl-cert.pem --bootstrap-ca-cert=$PKIDIR/cacert.pem show], [1], [ignore], [ignore])
+
+# If the bootstrap was successful, the following file should exist.
+OVS_WAIT_UNTIL([test -e $PKIDIR/cacert.pem])
+
+# After bootstrap, the connection should be successful.
+AT_CHECK([ovs-vsctl -t 5 --no-wait --db=ssl:127.0.0.1:$SSL_PORT --private-key=$PKIDIR/vsctl-privkey.pem --certificate=$PKIDIR/vsctl-cert.pem --bootstrap-ca-cert=$PKIDIR/cacert.pem add-br br0], [0])
+AT_CHECK([ovs-vsctl -t 5 --no-wait --db=ssl:127.0.0.1:$SSL_PORT --private-key=$PKIDIR/vsctl-privkey.pem --certificate=$PKIDIR/vsctl-cert.pem --bootstrap-ca-cert=$PKIDIR/cacert.pem list-br], [0], [br0
+])
+
+OVSDB_SERVER_SHUTDOWN
+AT_CLEANUP
When --certificate option is provided, we currently use SSL_CTX_use_certificate_chain_file() function to add that certificate. If our single certificate file had multiple certificates (as a chain), all of them would get added and sent to the remote peer. But once you call SSL_CTX_use_certificate_chain_file(), any future calls to SSL_CTX_add_extra_chain_cert() (called when --peer-ca-cert option is used) had no effect. Since our man pages and INSTALL.SSL.md say that --certificate is used to specify one certificate and additional certificates are sent via --peer-ca-cert, this commit changes SSL_CTX_use_certificate_chain_file() use to SSL_CTX_use_certificate_file(). With this, additional certificates can now be added via --peer-ca-cert option. The test case added with this commit would fail without the above changes. Signed-off-by: Gurucharan Shetty <gshetty@nicira.com> --- lib/stream-ssl.c | 2 +- tests/ovs-vsctl.at | 27 +++++++++++++++++++++++++++ 2 files changed, 28 insertions(+), 1 deletion(-)