Re: [openssl-dev] ovsdb-client connected error when i update the ovsdb-server ca_cert.pem file

2015-10-12 Thread Liuyongqiang (A)
Does anybody know why ovsdb-server only uses the OpenSSL API 
SSL_CTX_add_client_CA to add certificates, but has no delete API to remove 
certificates?

I found that if I update ca_crt.pem many times (SSL_CTX_add_client_CA adds 649 
certificates), the error of ovsdb-client connecting to ovsdb-server occurs. I 
found that there are 649 certificates in the stack list ctx->client_CA when the 
error occurred.

Are there any limits on the stack list ctx->client_CA?
___
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev


[openssl-dev] ovsdb-client connected error when i update the ovsdb-server ca_cert.pem file

2015-10-10 Thread Liuyongqiang (A)
Hi, all
There is a probabilistic error when I update the ovsdb-server ca_cert.pem file: 
the ovsdb-client is unable to connect to the ovsdb-server when it happens. 
The OVS version is 2.0.2.

The update steps on the server:
step1: rm ca_cert.pem
step2: openssl x509 -inform PEM -in ca_cert.pem > /home/ca_cert.pem

The server update script:

#!/bin/bash
# Repeatedly rewrite the CA cert file that ovsdb-server trusts.
SRC_CA_CRT_FILE=/home/pem/oam-network-agent_ca_crt.pem
DST_CA_CRT_FILE=/home/oam-network-agent_ca_crt.pem

for ((i=0; i<5; i++)); do
    # Remove the old file, then rewrite it via a temp file and mv.
    rm -f "$DST_CA_CRT_FILE"
    sleep 0.5
    openssl x509 -inform PEM -in "$SRC_CA_CRT_FILE" > /home/ca_crt.pem.tmp
    mv /home/ca_crt.pem.tmp "$DST_CA_CRT_FILE"
    echo "update-result $?-$i"
done

The client connect script:

#!/bin/bash
# Repeatedly connect to ovsdb-server over SSL while the CA file is being rewritten.
for ((i=0; i<5; i++)); do
    ovsdb-client -v -p /home/oam-network-agent_private_key.pem \
        -c oam-network-agent_crt.pem \
        -C /home/oam-network-agent_ca_crt.pem \
        get-schema ssl:9.42.3.9:6632 Open_vSwitch
    sleep 0.5
    echo $i
done

Running the server update script and the client connect script at the same time, 
after a period of time the ovsdb-client can no longer connect to the server; the 
errors look like ERROR1 and ERROR2.

I have found that the direct cause is a concurrent write/read file issue: the 
ovsdb-server probably reads the wrong certificate from the ca_cert.pem file. But 
this error is unrecoverable; it needs a restart of OVS to fix.
Does someone know about this problem?

The ovsdb-client connection error looks like this:

ERROR1:
# ovsdb-client -v -p /home/oam-network-agent_private_key.pem -c 
oam-network-agent_crt.pem -C /home/oam-network-agent_ca_crt.pem get-schema 
ssl:9.42.3.9:6632 Open_vSwitch
2015-09-25T10:54:36Z|1|stream_ssl|INFO|Trusting CA cert from 
/home/oam-network-agent_ca_crt.pem 
(/C=CN/ST=ZheJiang/O=Huawei/OU=Huawei/CN=*.*.*.domainname.com) (fingerprint 
22:a3:49:97:e1:44:ab:fb:96:29:60:ab:b8:fc:69:8b:7d:af:6c:6e)
2015-09-25T10:54:36Z|2|poll_loop|DBG|wakeup due to 0-ms timeout
2015-09-25T10:54:36Z|3|poll_loop|DBG|wakeup due to [POLLOUT] on fd 4 
(9.62.243.149:54185<->9.42.3.9:6632) at lib/stream-ssl.c:716
2015-09-25T10:54:36Z|4|stream_ssl|DBG|client0-->ssl:9.42.3.9:6632 
handshake: client_hello (85 bytes)
2015-09-25T10:54:36Z|5|poll_loop|DBG|wakeup due to [POLLIN] on fd 4 
(9.62.243.149:54185<->9.42.3.9:6632) at lib/stream-ssl.c:723
2015-09-25T10:54:36Z|6|stream_ssl|DBG|client0<--ssl:9.42.3.9:6632 
handshake: server_hello (53 bytes)
2015-09-25T10:54:36Z|7|stream_ssl|DBG|client0<--ssl:9.42.3.9:6632 
handshake: certificate (1944 bytes)
2015-09-25T10:54:36Z|8|poll_loop|DBG|wakeup due to [POLLIN] on fd 4 
(9.62.243.149:54185<->9.42.3.9:6632) at lib/stream-ssl.c:723
2015-09-25T10:54:36Z|9|poll_loop|DBG|wakeup due to [POLLIN] on fd 4 
(9.62.243.149:54185<->9.42.3.9:6632) at lib/stream-ssl.c:723
2015-09-25T10:54:36Z|00010|poll_loop|DBG|wakeup due to [POLLIN] on fd 4 
(9.62.243.149:54185<->9.42.3.9:6632) at lib/stream-ssl.c:723
2015-09-25T10:54:36Z|00011|poll_loop|DBG|wakeup due to [POLLIN] on fd 4 
(9.62.243.149:54185<->9.42.3.9:6632) at lib/stream-ssl.c:723
2015-09-25T10:54:36Z|00012|poll_loop|DBG|wakeup due to [POLLIN] on fd 4 
(9.62.243.149:54185<->9.42.3.9:6632) at lib/stream-ssl.c:723
2015-09-25T10:54:36Z|00013|poll_loop|DBG|wakeup due to [POLLIN] on fd 4 
(9.62.243.149:54185<->9.42.3.9:6632) at lib/stream-ssl.c:723
2015-09-25T10:54:36Z|00014|poll_loop|DBG|wakeup due to [POLLIN] on fd 4 
(9.62.243.149:54185<->9.42.3.9:6632) at lib/stream-ssl.c:723
2015-09-25T10:54:36Z|00015|poll_loop|DBG|wakeup due to [POLLIN] on fd 4 
(9.62.243.149:54185<->9.42.3.9:6632) at lib/stream-ssl.c:723
2015-09-25T10:54:36Z|00016|poll_loop|DBG|wakeup due to [POLLIN] on fd 4 
(9.62.243.149:54185<->9.42.3.9:6632) at lib/stream-ssl.c:723
2015-09-25T10:54:36Z|00017|poll_loop|DBG|wakeup due to [POLLIN] on fd 4 
(9.62.243.149:54185<->9.42.3.9:6632) at lib/stream-ssl.c:723
2015-09-25T10:54:36Z|00048|stream_ssl|DBG|client0<--ssl:9.42.3.9:6632 
handshake: certificate_request (65559 bytes)
2015-09-25T10:54:36Z|00049|stream_ssl|DBG|client0-->ssl:9.42.3.9:6632 alert: 
fatal, decode_error (2 bytes)
2015-09-25T10:54:36Z|00050|stream_ssl|WARN|SSL_connect: error:1408709F:SSL 
routines:SSL3_GET_CERTIFICATE_REQUEST:length mismatch
ovsdb-client: failed to connect to "ssl:9.42.3.9:6632" (Protocol error)

ERROR2:
# ovsdb-client -v -p /home/oam-network-agent_private_key.pem -c 
oam-network-agent_crt.pem -C /home/oam-network-agent_ca_crt.pem get-schema 
ssl:9.42.3.9:6632 Open_vSwitch
2015-09-25T11:01:06Z|1|stream_ssl|INFO|Trusting CA cert from 
/home/oam-network-agent_ca_crt.pem 
(/C=CN/ST=ZheJiang/O=Huawei/OU=Huawei/CN=*.*.*.domainname.com) (fingerprint 
22:a3:49:97:e1:44:ab:fb:96:29:60:ab:b8:fc:69:8b:7d:af:6c:6e)
2015-09-25T11:01:06Z|2|poll_loop|DBG|wakeup due to 0-ms timeout
2015-09-25T11:01:06Z|3|poll_loop|DBG|wakeup due to [POLLOUT] on fd 4 
(9.62.243.149:54288<->9.42.3.9:6632) at lib/stream-ssl.c:716
2015-09-25T11:01:06Z|4|stream_ssl|DBG|client0-->ssl:9.42.3.9:6632 
handshake: c
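The update script in the original post removes the CA file, sleeps, and only then writes a replacement, so a server that re-reads the file in that window sees it missing or incomplete. The following is an added example (not code from the poster or from Open vSwitch) of the same update done with a same-directory temp file, a validation step and a single rename, so a reader always sees either the complete old file or the complete new one. The paths and the `atomic_replace_ca`/`validate_pem_cert` names are assumptions; it does not address the separate client_CA accumulation raised in the reply.

```shell
#!/bin/bash
# Added example: atomic replacement of a CA certificate file.
set -eu

validate_pem_cert() {
    # Refuse to publish a file that is not a parseable X.509 certificate.
    # Falls back to a PEM marker check when the openssl CLI is unavailable.
    if command -v openssl >/dev/null 2>&1; then
        openssl x509 -noout -in "$1" >/dev/null 2>&1
    else
        grep -q -- '-----BEGIN CERTIFICATE-----' "$1" \
            && grep -q -- '-----END CERTIFICATE-----' "$1"
    fi
}

atomic_replace_ca() {
    # Usage: atomic_replace_ca SRC DST
    # Unlike "rm DST; ...; mv tmp DST", DST always exists and always holds
    # a complete file: rename(2) swaps old for new in one step.
    local src dst dir tmp
    src=$1
    dst=$2
    dir=$(dirname -- "$dst")
    # The temp file lives in DST's directory so the final mv is a rename,
    # not a cross-filesystem copy that could be observed half-written.
    tmp=$(mktemp "$dir/.ca_crt.XXXXXX")
    if ! cp -- "$src" "$tmp" || ! validate_pem_cert "$tmp"; then
        # Leave the currently published certificate untouched on any failure.
        rm -f -- "$tmp"
        return 1
    fi
    chmod 0644 "$tmp"
    mv -f -- "$tmp" "$dst"
}

# Command-line entry point: ./script run SRC DST
if [ "${1:-}" = "run" ] && [ $# -eq 3 ]; then
    atomic_replace_ca "$2" "$3" && echo "replaced $3"
fi
```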