From patchwork Wed Sep 2 20:02:39 2015
X-Patchwork-Submitter: Gurucharan Shetty
X-Patchwork-Id: 513649
From: Gurucharan Shetty
To: dev@openvswitch.org
Date: Wed, 2 Sep 2015 13:02:39 -0700
Message-Id: <1441224160-11790-2-git-send-email-gshetty@nicira.com>
In-Reply-To: <1441224160-11790-1-git-send-email-gshetty@nicira.com>
Subject: [ovs-dev] [PATCH 2/2] stream-ssl: Get peer-ca-cert functionality to work.

When the --certificate option is provided, we currently use the SSL_CTX_use_certificate_chain_file() function to add that certificate. If our single certificate file had multiple certificates (as a chain), all of them would get added and sent to the remote peer. But once you call SSL_CTX_use_certificate_chain_file(), any future calls to SSL_CTX_add_extra_chain_cert() (called when the --peer-ca-cert option is used) have no effect. Since our man pages and INSTALL.SSL.md say that --certificate is used to specify one certificate and additional certificates are sent via --peer-ca-cert, this commit changes the SSL_CTX_use_certificate_chain_file() use to SSL_CTX_use_certificate_file().
With this, additional certificates can now be added via --peer-ca-cert option. The test case added with this commit would fail without the above changes. Signed-off-by: Gurucharan Shetty --- lib/stream-ssl.c | 2 +- tests/ovs-vsctl.at | 27 +++++++++++++++++++++++++++ 2 files changed, 28 insertions(+), 1 deletion(-) diff --git a/lib/stream-ssl.c b/lib/stream-ssl.c index 8b063ba..564c94c 100644 --- a/lib/stream-ssl.c +++ b/lib/stream-ssl.c @@ -1071,7 +1071,7 @@ stream_ssl_set_private_key_file(const char *file_name) static void stream_ssl_set_certificate_file__(const char *file_name) { - if (SSL_CTX_use_certificate_chain_file(ctx, file_name) == 1) { + if (SSL_CTX_use_certificate_file(ctx, file_name, SSL_FILETYPE_PEM) == 1) { certificate.read = true; } else { VLOG_ERR("SSL_use_certificate_file: %s", diff --git a/tests/ovs-vsctl.at b/tests/ovs-vsctl.at index cbfa6c2..1ec06e7 100644 --- a/tests/ovs-vsctl.at +++ b/tests/ovs-vsctl.at 
@@ -1336,3 +1336,30 @@ AT_CHECK([ovs-vsctl -t 5 --db=ssl:127.0.0.1:$SSL_PORT --private-key=$PKIDIR/vsct OVSDB_SERVER_SHUTDOWN AT_CLEANUP + +AT_SETUP([peer ca cert]) +AT_KEYWORDS([ovs-vsctl ssl]) +AT_SKIP_IF([test "$HAVE_OPENSSL" = no]) +PKIDIR=`command pwd` +OVS_PKI="sh $abs_top_srcdir/utilities/ovs-pki.in --dir=$PKIDIR/pki --log=$PKIDIR/ovs-pki.log" +$OVS_PKI -B 1024 init && \ +$OVS_PKI -B 1024 req+sign vsctl switch && \ +$OVS_PKI -B 1024 req+sign ovsdbserver controller + +dnl Create database. +OVSDB_INIT([conf.db]) +AT_CHECK([ovsdb-server --detach --no-chdir --pidfile="`pwd`"/pid --private-key=$PKIDIR/ovsdbserver-privkey.pem --certificate=$PKIDIR/ovsdbserver-cert.pem --ca-cert=$PKIDIR/pki/switchca/cacert.pem --peer-ca-cert=$PKIDIR/pki/controllerca/cacert.pem --remote=pssl:0:127.0.0.1 --unixctl="`pwd`"/unixctl --log-file="`pwd`"/ovsdb-server.log conf.db], [0], [ignore], [ignore]) +ON_EXIT_UNQUOTED([kill `cat pid`]) +SSL_PORT=`parse_listening_port < ovsdb-server.log` + +# During bootstrap, the connection gets torn down. So the o/p of ovs-vsctl is error. +AT_CHECK([ovs-vsctl -t 5 --db=ssl:127.0.0.1:$SSL_PORT --private-key=$PKIDIR/vsctl-privkey.pem --certificate=$PKIDIR/vsctl-cert.pem --bootstrap-ca-cert=$PKIDIR/cacert.pem show], [1], [ignore], [ignore]) + +# If the bootstrap was successful, the following file should exist. +OVS_WAIT_UNTIL([test -e $PKIDIR/cacert.pem]) + +# After bootstrap, the connection should be successful. +AT_CHECK([ovs-vsctl -t 5 --db=ssl:127.0.0.1:$SSL_PORT --private-key=$PKIDIR/vsctl-privkey.pem --certificate=$PKIDIR/vsctl-cert.pem --bootstrap-ca-cert=$PKIDIR/cacert.pem show], [0], [ignore], [ignore]) + +OVSDB_SERVER_SHUTDOWN +AT_CLEANUP
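Review bot: In the lib/stream-ssl.c hunk, the VLOG_ERR string in the trailing context still reads `SSL_use_certificate_file: %s` while the call is now SSL_CTX_use_certificate_file(); please make the log message name the function actually called so an operator reading the log looks up the right OpenSSL routine. Also, because SSL_CTX_use_certificate_file() loads only the first certificate in the file, a deployment whose --certificate file currently carries a full chain will silently start sending just the leaf after this change; a short comment above the call stating why the chain-file variant is deliberately not used (its interaction with SSL_CTX_add_extra_chain_cert(), as described in the commit message) would keep a later cleanup from reverting it, and the behavior change deserves a NEWS entry pointing users at --peer-ca-cert.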
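Review bot: In the tests/ovs-vsctl.at hunk, the three $OVS_PKI commands (init and the two req+sign calls) are not wrapped in AT_CHECK, so if key or certificate generation fails the test only dies later at the ovsdb-server or ovs-vsctl step with an unrelated-looking error; wrap each one, e.g. `AT_CHECK([$OVS_PKI -B 1024 init], [0], [ignore], [ignore])`. Also, `OVS_WAIT_UNTIL([test -e $PKIDIR/cacert.pem])` only proves that bootstrap wrote a file; since the point of the patch is that the CA supplied through --peer-ca-cert now reaches the client, also assert that the bootstrapped file is the controller CA, for example by comparing the `openssl x509 -noout -fingerprint` output of $PKIDIR/cacert.pem with that of $PKIDIR/pki/controllerca/cacert.pem. Minor: spell out "output" instead of "o/p" in the comment before the first ovs-vsctl check.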