If the CA certificate changed and OVS added the new CA certificate, the change was ineffective. Clearing the certificate store before adding the new CA certificate fixes the problem.
I don't know exactly why this fixes the problem, but in my testing it does. Bug #2921. Reported-by: Dan Wendlandt <[email protected]> Reported-by: Pierre Ettori <[email protected]> --- lib/stream-ssl.c | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) diff --git a/lib/stream-ssl.c b/lib/stream-ssl.c index 22066e1..26646b4 100644 --- a/lib/stream-ssl.c +++ b/lib/stream-ssl.c @@ -412,6 +412,7 @@ do_ca_cert_bootstrap(struct stream *stream) if (!cert) { out_of_memory(); } + SSL_CTX_set_cert_store(ctx, X509_STORE_new()); if (SSL_CTX_load_verify_locations(ctx, ca_cert.file_name, NULL) != 1) { VLOG_ERR("SSL_CTX_load_verify_locations: %s", ERR_error_string(ERR_get_error(), NULL)); @@ -1206,6 +1207,7 @@ stream_ssl_set_ca_cert_file__(const char *file_name, bool bootstrap) /* Set up CAs for OpenSSL to trust in verifying the peer's * certificate. */ + SSL_CTX_set_cert_store(ctx, X509_STORE_new()); if (SSL_CTX_load_verify_locations(ctx, file_name, NULL) != 1) { VLOG_ERR("SSL_CTX_load_verify_locations: %s", ERR_error_string(ERR_get_error(), NULL)); -- 1.7.4.4 _______________________________________________ dev mailing list [email protected] http://openvswitch.org/mailman/listinfo/dev
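Review bot: in the do_ca_cert_bootstrap() hunk the result of X509_STORE_new() is handed straight to SSL_CTX_set_cert_store() with no NULL check, although the line immediately above treats the comparable allocation failure with out_of_memory(); keep the two consistent, e.g. `X509_STORE *store = X509_STORE_new(); if (!store) { out_of_memory(); } SSL_CTX_set_cert_store(ctx, store);`. This also supplies the explanation the commit message says it lacks: SSL_CTX_load_verify_locations() adds the certificates it reads to the SSL_CTX's existing X509_STORE rather than replacing its contents, so without swapping in an empty store the previously bootstrapped CA certificate stays trusted next to the new one and the change appears to have no effect.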
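Review bot: the stream_ssl_set_ca_cert_file__() hunk repeats the same unchecked X509_STORE_new() call; since both sites do exactly the same thing, factor the store replacement into one static helper that performs the NULL check and the SSL_CTX_set_cert_store() call, and call it from both places. The comment "Set up CAs for OpenSSL to trust in verifying the peer's certificate." should also say that the existing store is discarded first so that only the CA in file_name remains trusted. One caveat for the commit message: SSL_CTX_set_cert_store() frees the previous store, so any verification flags or lookup methods configured on it are dropped along with its certificates, not just the stale CA.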
