Until now, the ovs-vswitchd main loop has refreshed keys and certificates
from their files only when the database changes. This works fine if new
keys and certificates are installed with new file names, because the update
to the database to point to the new files will cause them to be read. But
if the new keys and certificates are copied over the existing files, then
the delay until they are read is indefinite.
This commit fixes the problem by changing the SSL configuration so that it
is rechecked on every trip through the ovs-vswitchd main loop.
Bug #2921.
svec_destroy(&dpif_types);
}
svec_destroy(&dpif_types);
}
-#ifdef HAVE_OPENSSL
-static void
-bridge_configure_ssl(const struct ovsrec_ssl *ssl)
-{
- /* XXX SSL should be configurable on a per-bridge basis. */
- if (ssl) {
- stream_ssl_set_key_and_cert(ssl->private_key, ssl->certificate);
- stream_ssl_set_ca_cert_file(ssl->ca_cert, ssl->bootstrap_ca_cert);
- }
-}
-#endif
-
/* Attempt to create the network device 'iface_name' through the netdev
* library. */
static int
/* Attempt to create the network device 'iface_name' through the netdev
* library. */
static int
shash_destroy(&old_br);
shash_destroy(&new_br);
shash_destroy(&old_br);
shash_destroy(&new_br);
-#ifdef HAVE_OPENSSL
- /* Configure SSL. */
- bridge_configure_ssl(ovs_cfg->ssl);
-#endif
-
/* Reconfigure all bridges. */
LIST_FOR_EACH (br, struct bridge, node, &all_bridges) {
bridge_reconfigure_one(br);
/* Reconfigure all bridges. */
LIST_FOR_EACH (br, struct bridge, node, &all_bridges) {
bridge_reconfigure_one(br);
+ const struct ovsrec_open_vswitch *cfg;
+
struct bridge *br;
/* Let each bridge do the work that it needs to do. */
struct bridge *br;
/* Let each bridge do the work that it needs to do. */
}
/* (Re)configure if necessary. */
}
/* (Re)configure if necessary. */
- if (ovsdb_idl_run(idl) || datapath_destroyed) {
- const struct ovsrec_open_vswitch *cfg = ovsrec_open_vswitch_first(idl);
+ database_changed = ovsdb_idl_run(idl);
+ cfg = ovsrec_open_vswitch_first(idl);
+ if (database_changed || datapath_destroyed) {
if (cfg) {
struct ovsdb_idl_txn *txn = ovsdb_idl_txn_create(idl);
if (cfg) {
struct ovsdb_idl_txn *txn = ovsdb_idl_txn_create(idl);
+#ifdef HAVE_OPENSSL
+ /* Re-configure SSL. We do this on every trip through the main loop,
+ * instead of just when the database changes, because the contents of the
+ * key and certificate files can change without the database changing. */
+ if (cfg && cfg->ssl) {
+ const struct ovsrec_ssl *ssl = cfg->ssl;
+
+ stream_ssl_set_key_and_cert(ssl->private_key, ssl->certificate);
+ stream_ssl_set_ca_cert_file(ssl->ca_cert, ssl->bootstrap_ca_cert);
+ }
+#endif
+
/* Refresh interface stats if necessary. */
if (time_msec() >= iface_stats_timer) {
struct ovsdb_idl_txn *txn;
/* Refresh interface stats if necessary. */
if (time_msec() >= iface_stats_timer) {
struct ovsdb_idl_txn *txn;
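Review bot: The added `#ifdef HAVE_OPENSSL` block calls stream_ssl_set_key_and_cert() and stream_ssl_set_ca_cert_file() on every pass through the main loop, but nothing in the hunk checks whether the configured paths or the files behind them actually changed, so whatever those helpers cost (file reads, PEM parsing) is now paid per iteration; their bodies are not on this page, so whether they short-circuit when nothing changed cannot be confirmed. If they do not, remembering the last-applied paths and file mtimes in static state and only re-issuing the two set calls when something differs would keep the commit's intent at a fraction of the cost. Separately, the `if (cfg && cfg->ssl)` guard leaves previously loaded credentials active when the ssl row is removed from the database, which the deleted bridge_configure_ssl() also did, so this is pre-existing rather than introduced here; the new comment could state it, e.g. `/* Removing the ssl row does not unload previously loaded keys. */`. The enclosing function starts and ends outside the hunk.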