From: Ben Pfaff Date: Wed, 23 Jul 2008 21:53:06 +0000 (-0700) Subject: Only generate private key and certificate request if ssl enabled. X-Git-Url: https://pintos-os.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d72616d5440c2e7f2f5b6a660d10280fd05b8baa;p=openvswitch Only generate private key and certificate request if ssl enabled. Generating them unconditionally caused a problem with the init script: the script required there to be a certificate for the private key if the private key existed, but we do want to allow TCP-only configurations and always having a private key prevented that. Also, give the user advice on how to deal with this problem when it arises in the init script.
---
diff --git a/debian/ofp-switch-setup b/debian/ofp-switch-setup
index 74f3f87d..275ddfca 100755
--- a/debian/ofp-switch-setup
+++ b/debian/ofp-switch-setup
@@ -61,21 +61,7 @@ if (-e $default) {
 }
 my $cacert_preverified = -e $cacert_file;
-
-if (! -e $privkey_file) {
- my $old_umask = umask(077);
- run_cmd("ofp-pki req $etc/of0 >&2 2>/dev/null");
- chmod(0644, $req_file) or die "$req_file: chmod: $!\n";
- umask($old_umask);
-}
-
 my ($req, $req_fingerprint);
-if (! -e $cert_file) {
- open(REQ, '<', $req_file) or die "$req_file: open: $!\n";
- $req = join('', );
- close(REQ);
- $req_fingerprint = sha1_hex($req);
-}
 my %options;
@@ -202,6 +188,24 @@ my (@states) =
 db_go();
 }
 },
+ sub {
+ return 'skip' if !ssl_enabled();
+
+ if (! -e $privkey_file) {
+ my $old_umask = umask(077);
+ run_cmd("ofp-pki req $etc/of0 >&2 2>/dev/null");
+ chmod(0644, $req_file) or die "$req_file: chmod: $!\n";
+ umask($old_umask);
+ }
+
+ if (! -e $cert_file) {
+ open(REQ, '<', $req_file) or die "$req_file: open: $!\n";
+ $req = join('', );
+ close(REQ);
+ $req_fingerprint = sha1_hex($req);
+ }
+ return 'skip';
+ },
 sub {
 return 'skip' if !ssl_enabled();
 return 'skip' if -e $cacert_file && -e $cert_file;
diff --git a/debian/openflow-switch.init b/debian/openflow-switch.init
index 74412d90..74ec2699 100755
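Review bot: In the state sub added to debian/ofp-switch-setup, `run_cmd("ofp-pki req $etc/of0 >&2 2>/dev/null");` discards ofp-pki's stderr, so a failed key generation is only noticed indirectly, when the following `chmod` or `open` on `$req_file` dies with a message that does not name the real cause. Whether `run_cmd` itself dies on a non-zero exit status is not visible in this hunk; if it does not, add an explicit check right after the call, for example `-e $privkey_file && -e $req_file or die "$privkey_file: key generation failed\n";`. The `-e $privkey_file` guard also skips generation for any pre-existing key, while the `-e $cert_file` branch still requires `$req_file`, so a key present without its request aborts setup at `open`. A short comment stating that the key and the request are expected to be created together, and that the key is created under `umask(077)` on purpose, would make that assumption explicit. The enclosing `@states` list starts and ends outside the hunk.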
--- a/debian/openflow-switch.init
+++ b/debian/openflow-switch.init
@@ -120,6 +120,9 @@ configure_ssl() {
 echo "$CACERT: CA certificate missing" >&2
 fi
 echo "Run ofp-switch-setup or edit /etc/default/openflow-switch to configure" >&2
+ if test "$MODE" = discovery; then
+ echo "You may also delete or rename $PRIVKEY to disable SSL requirement" >&2
+ fi
 exit 1
 fi
 SSL_OPTS="--private-key=$PRIVKEY --certificate=$CERT --ca-cert=$CACERT"
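Review bot: The hint added to configure_ssl tells the operator to delete or rename `$PRIVKEY` without saying what that gives up. Judging from the commit message, the switch then runs in a TCP-only configuration, so the controller connection is presumably no longer authenticated or encrypted by SSL. I would state that in the message and drop "delete", since a deleted key cannot be recovered while a rename is reversible, e.g. `echo "You may also rename $PRIVKEY to run without SSL (controller connection will not be authenticated or encrypted)" >&2`. configure_ssl's body starts and ends outside the hunk.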