From: Ben Pfaff Date: Wed, 15 Jun 2011 18:50:24 +0000 (-0700) Subject: stream-ssl: Clear CAs for certificate verification before adding new ones. X-Git-Url: https://pintos-os.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e6a8ca62a6ae32285b1c6a668f35159be72199d3;p=openvswitch stream-ssl: Clear CAs for certificate verification before adding new ones. If the CA certificate changed and OVS added the new CA certificate, the change was ineffective. Clearing the certificate store before adding the new CA certificate fixes the problem. I don't know exactly why this fixes the problem, but in my testing it does. Bug #2921. Reported-by: Dan Wendlandt Reported-by: Pierre Ettori --- diff --git a/lib/stream-ssl.c b/lib/stream-ssl.c index 4d7c7c4d..e68cc72b 100644 --- a/lib/stream-ssl.c +++ b/lib/stream-ssl.c @@ -413,6 +413,7 @@ do_ca_cert_bootstrap(struct stream *stream) if (!cert) { out_of_memory(); } + SSL_CTX_set_cert_store(ctx, X509_STORE_new()); if (SSL_CTX_load_verify_locations(ctx, ca_cert.file_name, NULL) != 1) { VLOG_ERR("SSL_CTX_load_verify_locations: %s", ERR_error_string(ERR_get_error(), NULL)); @@ -1215,6 +1216,7 @@ stream_ssl_set_ca_cert_file__(const char *file_name, /* Set up CAs for OpenSSL to trust in verifying the peer's * certificate. */ + SSL_CTX_set_cert_store(ctx, X509_STORE_new()); if (SSL_CTX_load_verify_locations(ctx, file_name, NULL) != 1) { VLOG_ERR("SSL_CTX_load_verify_locations: %s", ERR_error_string(ERR_get_error(), NULL));
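Review bot: In the do_ca_cert_bootstrap() hunk, the new `SSL_CTX_set_cert_store(ctx, X509_STORE_new());` line has no NULL check on the return of X509_STORE_new(), although the code immediately above treats allocation failure as fatal with `if (!cert) { out_of_memory(); }`. Assign the new store to a local, check it the same way, and only then hand it to SSL_CTX_set_cert_store(); the SSL_CTX takes ownership of the store (and frees the previous one), so no further cleanup is needed on the success path. A one-line comment stating that a fresh store is deliberately installed so that the previously loaded CA is no longer trusted would also help, since the commit message itself says the reason the change works is not understood; the observable effect of SSL_CTX_load_verify_locations() on an existing store is to add to it rather than replace its contents, which is why the old CA otherwise stays trusted.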
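Review bot: The stream_ssl_set_ca_cert_file__() hunk repeats the same unchecked `SSL_CTX_set_cert_store(ctx, X509_STORE_new());` line, so the two call sites now duplicate the reset-then-load sequence, including the identical VLOG_ERR on failure. A small static helper that creates the store, checks it for NULL, installs it and then calls SSL_CTX_load_verify_locations() would keep both paths consistent and make it harder for a future caller to reload CA certificates without clearing the store first. The existing comment `Set up CAs for OpenSSL to trust in verifying the peer's certificate.` should also mention that any CAs trusted before this call are discarded, because that is the security-relevant behavior this change introduces.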