From 84cba1149085a9c61fe622fc649db0e058355334 Mon Sep 17 00:00:00 2001 From: YongQiangLiu <[email protected]> Date: Mon, 9 Nov 2015 09:49:47 +0800 Subject: [PATCH] this patch fixed the bug of ovsdb-client connecting failed when user update ca crt file upto 649 times
Signed-off-by: YongQiangLiu <[email protected]>
---
 lib/stream-ssl.c | 25 ++++++------------------
 1 file changed, 6 insertions(+), 19 deletions(-)

diff --git a/lib/stream-ssl.c b/lib/stream-ssl.c
index 564c94c..a1ec63f 100644
--- a/lib/stream-ssl.c
+++ b/lib/stream-ssl.c
@@ -1242,9 +1242,8 @@ static void
 stream_ssl_set_ca_cert_file__(const char *file_name, bool bootstrap,
                               bool force)
 {
-    X509 **certs;
-    size_t n_certs;
     struct stat s;
+    STACK_OF(X509_NAME) *cert_names = NULL;
 
     if (!update_ssl_config(&ca_cert, file_name) && !force) {
         return;
@@ -1256,23 +1255,9 @@ stream_ssl_set_ca_cert_file__(const char *file_name,
                   "(this is a security risk)");
     } else if (bootstrap && stat(file_name, &s) && errno == ENOENT) {
         bootstrap_ca_cert = true;
-    } else if (!read_cert_file(file_name, &certs, &n_certs)) {
-        size_t i;
-
-        /* Set up list of CAs that the server will accept from the client. */
-        for (i = 0; i < n_certs; i++) {
-            /* SSL_CTX_add_client_CA makes a copy of the relevant data. */
-            if (SSL_CTX_add_client_CA(ctx, certs[i]) != 1) {
-                VLOG_ERR("failed to add client certificate %"PRIuSIZE" from %s: %s",
-                         i, file_name,
-                         ERR_error_string(ERR_get_error(), NULL));
-            } else {
-                log_ca_cert(file_name, certs[i]);
-            }
-            X509_free(certs[i]);
-        }
-        free(certs);
+    } else if ((cert_names = SSL_load_client_CA_file(file_name) ) != NULL) {
+        SSL_CTX_set_client_CA_list(ctx, cert_names);
 
         /* Set up CAs for OpenSSL to trust in verifying the peer's
          * certificate. */
         SSL_CTX_set_cert_store(ctx, X509_STORE_new());
@@ -1281,8 +1266,10 @@ stream_ssl_set_ca_cert_file__(const char *file_name,
                      ERR_error_string(ERR_get_error(), NULL));
             return;
         }
-        bootstrap_ca_cert = false;
+    } else if (cert_names == NULL) {
+        VLOG_ERR("failed to load client certificates from %s: %s",
+                 file_name, ERR_error_string(ERR_get_error(), NULL));
     }
     ca_cert.read = true;
 }
 
-- 
1.9.0
_______________________________________________
dev mailing list
[email protected]
http://openvswitch.org/mailman/listinfo/dev
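Review bot: `SSL_CTX_set_client_CA_list()` takes ownership of `cert_names` and replaces (freeing) the list ctx held before, which is presumably what stops the client-CA list growing on every reload that this patch is fixing, but nothing in the hunk says so and `cert_names` reads like a local that still needs releasing; a comment on the `SSL_CTX_set_client_CA_list(ctx, cert_names);` line such as `/* ctx takes ownership of cert_names and drops the previously installed list. */` would make both the contract and the fix explicit. The rewrite also drops the per-certificate `log_ca_cert()` call, so the log no longer records which CAs were accepted from the file; if that record is still wanted it has to be re-added from the loaded names. There is a stray space in `SSL_load_client_CA_file(file_name) )`. The enclosing function starts in the previous hunk and ends in the next one.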
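Review bot: `bootstrap_ca_cert = false;` is removed from the success branch without a replacement, and the commit message does not say why; the flag is set to true a few lines earlier when `bootstrap` is requested and the file does not yet exist, so after this change a later forced reload that does find the file leaves it true. If the connection path keys certificate verification off that flag (not visible in this hunk), a real CA file loaded after a bootstrap would no longer switch the stream back to verifying peers; restoring `bootstrap_ca_cert = false;` at the point it was removed, after the `return;` guard and before the branch closes, keeps the previous behaviour. Separately, `} else if (cert_names == NULL) {` is always true when reached, since the only assignment to `cert_names` is the failed test in the branch above, so a plain `} else {` says the same with less to read. The earlier branches of the enclosing function are in the previous hunks.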
