stream-ssl: Clear CAs for certificate verification before adding new ones.
author    Ben Pfaff <blp@nicira.com>
          Wed, 15 Jun 2011 18:50:24 +0000 (11:50 -0700)
committer Ben Pfaff <blp@nicira.com>
          Fri, 17 Jun 2011 17:50:23 +0000 (10:50 -0700)
If the CA certificate changed and OVS added the new CA certificate, the
change was ineffective.  Clearing the certificate store before adding the
new CA certificate fixes the problem.

I don't know exactly why this fixes the problem, but in my testing it does.

Bug #2921.
Reported-by: Dan Wendlandt <dan@nicira.com>
Reported-by: Pierre Ettori <pettori@nicira.com>
lib/stream-ssl.c

index 4d7c7c4dd15395dfe214091403be9555667e4587..e68cc72bc099b2e3780e363b3ab4a86d7bfe2c51 100644 (file)
@@ -413,6 +413,7 @@ do_ca_cert_bootstrap(struct stream *stream)
     if (!cert) {
         out_of_memory();
     }
+    SSL_CTX_set_cert_store(ctx, X509_STORE_new());
     if (SSL_CTX_load_verify_locations(ctx, ca_cert.file_name, NULL) != 1) {
         VLOG_ERR("SSL_CTX_load_verify_locations: %s",
                  ERR_error_string(ERR_get_error(), NULL));
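Review bot: the added `SSL_CTX_set_cert_store(ctx, X509_STORE_new());` hands the result of X509_STORE_new() to the context without checking it, although the three lines directly above treat a NULL return from the allocation as fatal (`if (!cert) { out_of_memory(); }`). If X509_STORE_new() fails, ctx is left with a NULL certificate store and the SSL_CTX_load_verify_locations() call on the next line runs against it. Suggest following the pattern already used here: `X509_STORE *store = X509_STORE_new(); if (!store) { out_of_memory(); }` and then `SSL_CTX_set_cert_store(ctx, store);`. Ownership is otherwise correct: SSL_CTX_set_cert_store() releases the store ctx previously held and takes over the new one, so there is no leak of either.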
@@ -1215,6 +1216,7 @@ stream_ssl_set_ca_cert_file__(const char *file_name,
 
         /* Set up CAs for OpenSSL to trust in verifying the peer's
          * certificate. */
+        SSL_CTX_set_cert_store(ctx, X509_STORE_new());
         if (SSL_CTX_load_verify_locations(ctx, file_name, NULL) != 1) {
             VLOG_ERR("SSL_CTX_load_verify_locations: %s",
                      ERR_error_string(ERR_get_error(), NULL));
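Review bot: the same unchecked X509_STORE_new() appears here, and since this is the second copy of the two-line "replace the store, then load the file" sequence, a small helper in lib/stream-ssl.c that allocates the store, checks it, installs it and calls SSL_CTX_load_verify_locations() would keep both call sites consistent. The comment just above ("Set up CAs for OpenSSL to trust in verifying the peer's certificate.") should also say that any CAs already in the context's store are discarded, because that is the behavioural change: SSL_CTX_load_verify_locations() adds certificates to whatever store ctx already has rather than replacing them, so a previously loaded CA stayed trusted next to the new one, which is what the commit message reports. Recording that explanation in the commit message would answer the "I don't know exactly why this fixes the problem" line.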