From d54ff9987c3bbd9989ee7fef574bdab3207aca60 Mon Sep 17 00:00:00 2001
From: Ben Pfaff
Date: Thu, 5 Aug 2010 09:58:58 -0700
Subject: [PATCH] vswitchd: Refresh SSL keys and certificates more frequently.
Until now, the ovs-vswitchd main loop has refreshed keys and certificates from their files only when the database changes. This works fine if new keys and certificates are installed with new file names, because the update to the database to point to the new files will cause them to be read. But if the new keys and certificates are copied over the existing files, then the delay until they are read is indefinite. This commit fixes the problem by changing the SSL configuration so that it is rechecked on every trip through the ovs-vswitchd main loop. Bug #2921.
---
 vswitchd/bridge.c | 37 ++++++++++++++++++-------------------
 1 file changed, 18 insertions(+), 19 deletions(-)
diff --git a/vswitchd/bridge.c b/vswitchd/bridge.c
index 0397e0a2..7174f2c8 100644
--- a/vswitchd/bridge.c
+++ b/vswitchd/bridge.c
@@ -344,18 +344,6 @@ bridge_configure_once(const struct ovsrec_open_vswitch *cfg)
 svec_destroy(&dpif_types);
 }
-#ifdef HAVE_OPENSSL
-static void
-bridge_configure_ssl(const struct ovsrec_ssl *ssl)
-{
- /* XXX SSL should be configurable on a per-bridge basis. */
- if (ssl) {
- stream_ssl_set_key_and_cert(ssl->private_key, ssl->certificate);
- stream_ssl_set_ca_cert_file(ssl->ca_cert, ssl->bootstrap_ca_cert);
- }
-}
-#endif
-
 /* Attempt to create the network device 'iface_name' through the netdev
 * library. */
 static int
@@ -595,11 +583,6 @@ bridge_reconfigure(const struct ovsrec_open_vswitch *ovs_cfg)
 shash_destroy(&old_br);
 shash_destroy(&new_br);
-#ifdef HAVE_OPENSSL
- /* Configure SSL. */
- bridge_configure_ssl(ovs_cfg->ssl);
-#endif
-
 /* Reconfigure all bridges. */
 LIST_FOR_EACH (br, struct bridge, node, &all_bridges) {
 bridge_reconfigure_one(br);
@@ -1105,7 +1088,10 @@ iface_refresh_stats(struct iface *iface)
 void
 bridge_run(void)
 {
+ const struct ovsrec_open_vswitch *cfg;
+ bool datapath_destroyed;
+ bool database_changed;
 struct bridge *br;
 /* Let each bridge do the work that it needs to do. */
@@ -1121,8 +1107,9 @@ bridge_run(void)
 }
 /* (Re)configure if necessary. */
- if (ovsdb_idl_run(idl) || datapath_destroyed) {
- const struct ovsrec_open_vswitch *cfg = ovsrec_open_vswitch_first(idl);
+ database_changed = ovsdb_idl_run(idl);
+ cfg = ovsrec_open_vswitch_first(idl);
+ if (database_changed || datapath_destroyed) {
 if (cfg) {
 struct ovsdb_idl_txn *txn = ovsdb_idl_txn_create(idl);
@@ -1141,6 +1128,18 @@ bridge_run(void)
 }
 }
+#ifdef HAVE_OPENSSL
+ /* Re-configure SSL. We do this on every trip through the main loop,
+ * instead of just when the database changes, because the contents of the
+ * key and certificate files can change without the database changing. */
+ if (cfg && cfg->ssl) {
+ const struct ovsrec_ssl *ssl = cfg->ssl;
+
+ stream_ssl_set_key_and_cert(ssl->private_key, ssl->certificate);
+ stream_ssl_set_ca_cert_file(ssl->ca_cert, ssl->bootstrap_ca_cert);
+ }
+#endif
+
 /* Refresh interface stats if necessary. */
 if (time_msec() >= iface_stats_timer) {
 struct ovsdb_idl_txn *txn;
-- 
2.30.2
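Review bot: The new HAVE_OPENSSL block in the last hunk calls stream_ssl_set_key_and_cert() and stream_ssl_set_ca_cert_file() on every trip through bridge_run(), and whether that is cheap depends on whether those setters stat the files and skip the reload when the modification time is unchanged; their implementation is not part of this patch, so if they re-read and re-parse the key and certificate files unconditionally this adds per-iteration disk I/O and, for an unreadable or malformed file, repeated error logging. Once that is confirmed, state it in the new comment, e.g. `* The stream_ssl_set_*() calls only re-read a file whose mtime changed, so this is cheap.`. Polling also means an in-place overwrite (the exact scenario the commit message describes) can be observed while the file is only partly written, so the setters must keep the previously loaded key and certificate when the new file fails to parse, and operator guidance for replacing keys in place should be to write a temporary file and rename() it over the old one. The removed helper's `/* XXX SSL should be configurable on a per-bridge basis. */` note in the first hunk was dropped with it and still applies to the new code; carry it into the new comment.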