On Wed, Nov 22, 2017 at 09:49:10AM +0100, Emmanuel Kasper wrote: > This will be used later for feeding an extra API call > > Signed-off-by: Emmanuel Kasper <e.kas...@proxmox.com> > --- > data/PVE/Cluster.pm | 51 ++++++++++++++++++++++++++++++++++++++++----------- > 1 file changed, 40 insertions(+), 11 deletions(-) > > diff --git a/data/PVE/Cluster.pm b/data/PVE/Cluster.pm > index fef5842..5d69f0c 100644 > --- a/data/PVE/Cluster.pm > +++ b/data/PVE/Cluster.pm > @@ -1443,6 +1443,42 @@ cfs_register_file('datacenter.cfg', > \&parse_datacenter_config, > \&write_datacenter_config); > > +sub get_node_ssl_cert { > + my ($node) = @_; > + > + my $cert_path = "/etc/pve/nodes/$node/pve-ssl.pem"; > + my $custom_cert_path = "/etc/pve/nodes/$node/pveproxy-ssl.pem";
this is missing the line overriding $cert_path with $custom_cert_path if the latter exists, so this would break custom SSL certificates.. > + > + my $cert; > + > + eval { > + my $bio = Net::SSLeay::BIO_new_file($cert_path, 'r'); > + $cert = Net::SSLeay::PEM_read_bio_X509($bio); > + Net::SSLeay::BIO_free($bio); > + }; > + > + my $err = $@; > + > + if ($err || !defined($cert)) { > + die "unable to read host SSL cert at $cert_path $err\n"; potentially undefined $err > + } > + return $cert; > +} > + > +sub get_cert_fingerprint { > + my ($cert) = @_; > + my $fingerprint; > + eval { > + $fingerprint = Net::SSLeay::X509_get_fingerprint($cert, 'sha256'); > + }; > + > + my $err = $@; > + if ($err || !defined($fingerprint) || $fingerprint eq '') { > + die "unable to fingerprint the SSL cert $err\n"; potentially undefined $err, and we don't know which certificate the die refers to.. maybe we could combine get_node_ssl_cert and get_cert_fingerprint and their error handling in update_cert_cache (the latter does the same no matter which operation fails)? that would make your second patch obsolete as well ;) > + } > + return $fingerprint; > +} > + > # X509 Certificate cache helper > > my $cert_cache_nodes = {}; > @@ -1470,29 +1506,22 @@ sub update_cert_cache { > } > }; > > - my $cert_path = "/etc/pve/nodes/$node/pve-ssl.pem"; > - my $custom_cert_path = "/etc/pve/nodes/$node/pveproxy-ssl.pem"; > - > - $cert_path = $custom_cert_path if -f $custom_cert_path; > - > my $cert; > eval { > - my $bio = Net::SSLeay::BIO_new_file($cert_path, 'r'); > - $cert = Net::SSLeay::PEM_read_bio_X509($bio); > - Net::SSLeay::BIO_free($bio); > + $cert = get_node_ssl_cert($node); > }; > my $err = $@; > - if ($err || !defined($cert)) { > + if ($err) { > &$clear_old() if $clear; > next; > } > > my $fp; > eval { > - $fp = Net::SSLeay::X509_get_fingerprint($cert, 'sha256'); > + $fp = get_cert_fingerprint($cert); > }; > $err = $@; > - if ($err || !defined($fp) || $fp eq '') { > + if ($err) { > &$clear_old() if $clear; > next; > } > -- > 2.11.0 > > > _______________________________________________ > pve-devel mailing list > pve-devel@pve.proxmox.com > https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel _______________________________________________ pve-devel mailing list pve-devel@pve.proxmox.com https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel