From e6a8ca62a6ae32285b1c6a668f35159be72199d3 Mon Sep 17 00:00:00 2001
From: Ben Pfaff
Date: Wed, 15 Jun 2011 11:50:24 -0700
Subject: [PATCH] stream-ssl: Clear CAs for certificate verification before adding new ones.

If the CA certificate changed and OVS added the new CA certificate, the change was ineffective. Clearing the certificate store before adding the new CA certificate fixes the problem. I don't know exactly why this fixes the problem, but in my testing it does. Bug #2921.

Reported-by: Dan Wendlandt
Reported-by: Pierre Ettori
---
 lib/stream-ssl.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/lib/stream-ssl.c b/lib/stream-ssl.c
index 4d7c7c4d..e68cc72b 100644
--- a/lib/stream-ssl.c
+++ b/lib/stream-ssl.c
@@ -413,6 +413,7 @@ do_ca_cert_bootstrap(struct stream *stream)
     if (!cert) {
         out_of_memory();
     }
+    SSL_CTX_set_cert_store(ctx, X509_STORE_new());
     if (SSL_CTX_load_verify_locations(ctx, ca_cert.file_name, NULL) != 1) {
         VLOG_ERR("SSL_CTX_load_verify_locations: %s",
                  ERR_error_string(ERR_get_error(), NULL));
@@ -1215,6 +1216,7 @@ stream_ssl_set_ca_cert_file__(const char *file_name,
     /* Set up CAs for OpenSSL to trust in verifying the peer's
      * certificate. */
+    SSL_CTX_set_cert_store(ctx, X509_STORE_new());
     if (SSL_CTX_load_verify_locations(ctx, file_name, NULL) != 1) {
         VLOG_ERR("SSL_CTX_load_verify_locations: %s",
                  ERR_error_string(ERR_get_error(), NULL));
-- 
2.30.2
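Review bot: The added `SSL_CTX_set_cert_store(ctx, X509_STORE_new());` in do_ca_cert_bootstrap passes the X509_STORE_new() result through unchecked, while the lines just above treat allocation failure of `cert` as fatal via out_of_memory(); a NULL store would leave ctx with no certificate store and the SSL_CTX_load_verify_locations() call on the next line would then operate on it. Match the surrounding convention: `X509_STORE *store = X509_STORE_new();` / `if (!store) { out_of_memory(); }` / `SSL_CTX_set_cert_store(ctx, store);`. On the security effect the commit message leaves unexplained: SSL_CTX_load_verify_locations() adds to the existing store rather than replacing it, so without this reset the previous CA presumably stayed trusted alongside the new one (and a replacement CA with the same subject name can be shadowed by the stale entry during issuer lookup), which is consistent with the rotation appearing ineffective; replacing the store also frees the old one, since SSL_CTX_set_cert_store takes ownership, so there is no leak here. do_ca_cert_bootstrap continues outside the hunk.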
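Review bot: In stream_ssl_set_ca_cert_file__ the comment directly above the new line still says only that CAs are being set up and gives no reason for replacing the store rather than appending to it, which is the whole point of the change; extend it to something like `/* Replace the store instead of adding to it: SSL_CTX_load_verify_locations() only adds, and the previously trusted CA must stop being trusted. */`. The same unchecked X509_STORE_new() result as in the bootstrap path applies here, and `if (!store) { out_of_memory(); }` before the set would match the file's convention. Because the store is emptied before the load, a failing SSL_CTX_load_verify_locations() now leaves ctx with no trusted CAs at all, so peer verification fails closed instead of silently keeping the old CA; that looks like the right outcome, but the error branch deciding what happens next is outside the hunk, as is the rest of stream_ssl_set_ca_cert_file__.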