
[ovs-dev,V2] bugfix of ovsdb-client connecting error when updating ca_crt.pem file many times

Message ID 621FAA8B3DA4E14193D6933FB72489BA5826759C@nkgeml511-mbx.china.huawei.com
State Accepted

Commit Message

Liuyongqiang (A) Nov. 9, 2015, 2:37 a.m. UTC
From 84cba1149085a9c61fe622fc649db0e058355334 Mon Sep 17 00:00:00 2001
From: YongQiangLiu <liu.liuyongqiang@huawei.com>
Date: Mon, 9 Nov 2015 09:49:47 +0800
Subject: [PATCH] this patch fixes the bug of ovsdb-client failing to connect
 when the user updates the CA certificate file up to 649 times

Signed-off-by: YongQiangLiu <liu.liuyongqiang@huawei.com>
---
 lib/stream-ssl.c | 25 ++++++-------------------
 1 file changed, 6 insertions(+), 19 deletions(-)

Comments

Ben Pfaff Nov. 25, 2015, 4:09 a.m. UTC | #1
On Mon, Nov 09, 2015 at 02:37:40AM +0000, Liuyongqiang (A) wrote:
> From 84cba1149085a9c61fe622fc649db0e058355334 Mon Sep 17 00:00:00 2001
> From: YongQiangLiu <liu.liuyongqiang@huawei.com>
> Date: Mon, 9 Nov 2015 09:49:47 +0800
> Subject: [PATCH] this patch fixed the bug of ovsdb-client connecting failed
>  when user update ca crt file upto 649 times
> 
> Signed-off-by: YongQiangLiu <liu.liuyongqiang@huawei.com>

Applied to master, thanks.

Patch

diff --git a/lib/stream-ssl.c b/lib/stream-ssl.c
index 564c94c..a1ec63f 100644
--- a/lib/stream-ssl.c
+++ b/lib/stream-ssl.c
@@ -1242,9 +1242,8 @@  static void
 stream_ssl_set_ca_cert_file__(const char *file_name,
                               bool bootstrap, bool force)
 {
-    X509 **certs;
-    size_t n_certs;
     struct stat s;
+    STACK_OF(X509_NAME) *cert_names = NULL;
 
     if (!update_ssl_config(&ca_cert, file_name) && !force) {
         return;
@@ -1256,23 +1255,9 @@  stream_ssl_set_ca_cert_file__(const char *file_name,
                   "(this is a security risk)");
     } else if (bootstrap && stat(file_name, &s) && errno == ENOENT) {
         bootstrap_ca_cert = true;
-    } else if (!read_cert_file(file_name, &certs, &n_certs)) {
-        size_t i;
-
-        /* Set up list of CAs that the server will accept from the client. */
-        for (i = 0; i < n_certs; i++) {
-            /* SSL_CTX_add_client_CA makes a copy of the relevant data. */
-            if (SSL_CTX_add_client_CA(ctx, certs[i]) != 1) {
-                VLOG_ERR("failed to add client certificate %"PRIuSIZE" from %s: %s",
-                         i, file_name,
-                         ERR_error_string(ERR_get_error(), NULL));
-            } else {
-                log_ca_cert(file_name, certs[i]);
-            }
-            X509_free(certs[i]);
-        }
-        free(certs);
+    } else if ((cert_names = SSL_load_client_CA_file(file_name) ) != NULL) {
 
+        SSL_CTX_set_client_CA_list(ctx, cert_names);
         /* Set up CAs for OpenSSL to trust in verifying the peer's
          * certificate. */
         SSL_CTX_set_cert_store(ctx, X509_STORE_new());
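Review bot: The per-certificate `log_ca_cert(file_name, certs[i])` call made by the removed loop has no counterpart on the new side, so the log no longer records which CA names are offered to clients after a reload; since SSL_load_client_CA_file() yields only subject names, the nearest replacement is to walk `cert_names` with `sk_X509_NAME_num()`/`sk_X509_NAME_value()` and log each name before the stack is handed to `SSL_CTX_set_client_CA_list()`. The call itself deserves a comment explaining why it fixes the reported growth, e.g. `/* Replaces (rather than appends to) the client CA list, so repeated reloads no longer accumulate entries; the ctx owns cert_names from here on. */`. Cosmetically, `SSL_load_client_CA_file(file_name) )` has a stray space before the closing parenthesis and the branch body opens with a blank line. The function continues past this hunk on both sides.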
@@ -1281,8 +1266,10 @@  stream_ssl_set_ca_cert_file__(const char *file_name,
                      ERR_error_string(ERR_get_error(), NULL));
             return;
         }
-
         bootstrap_ca_cert = false;
+    } else if (cert_names == NULL) {
+        VLOG_ERR("failed to load client certificates  from %s: %s", 
+                 file_name, ERR_error_string(ERR_get_error(), NULL));
     }
     ca_cert.read = true;
 }
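Review bot: The new `else if (cert_names == NULL)` branch is a plain `else` in disguise: `cert_names` is initialised to NULL in the first hunk and is only assigned inside the preceding `else if` condition, so whenever control reaches this branch it is NULL, and the extra test implies a fourth case that cannot occur. I would write `} else {` and tidy the message to `VLOG_ERR("failed to load client certificates from %s: %s",` (the current string has a double space, and the line carries trailing whitespace). On this failure path the previously configured client CA list in ctx is left untouched and `ca_cert.read` is still set to true, which matches the old read_cert_file() failure behaviour but is worth a one-line comment if intentional.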