A user report shows the message "reading CA cert
/etc/openvswitch/vswitchd.cacert created by another process" appearing
hundreds of times over a long period of time in the log. The only way I
can see that this would happen is if update_ssl_config() returned false,
indicating that the CA cert does not need to be re-read because it has not
changed. This commit should prevent that from happening.
We don't want to simply skip calling update_ssl_config() in this case,
because then the next call to stream_ssl_set_ca_cert_file() would usually
re-read the CA certificate, which is a waste of time.
Also, we might as well rate-limit the message.
NICS-9.
static DH *tmp_dh_callback(SSL *ssl, int is_export OVS_UNUSED, int keylength);
static void log_ca_cert(const char *file_name, X509 *cert);
static void stream_ssl_set_ca_cert_file__(const char *file_name,
static DH *tmp_dh_callback(SSL *ssl, int is_export OVS_UNUSED, int keylength);
static void log_ca_cert(const char *file_name, X509 *cert);
static void stream_ssl_set_ca_cert_file__(const char *file_name,
+ bool bootstrap, bool force);
static void ssl_protocol_cb(int write_p, int version, int content_type,
const void *, size_t, SSL *, void *sslv_);
static void ssl_protocol_cb(int write_p, int version, int content_type,
const void *, size_t, SSL *, void *sslv_);
+static bool update_ssl_config(struct ssl_config_file *, const char *file_name);
static short int
want_to_poll_events(int want)
static short int
want_to_poll_events(int want)
fd = open(ca_cert.file_name, O_CREAT | O_EXCL | O_WRONLY, 0444);
if (fd < 0) {
if (errno == EEXIST) {
fd = open(ca_cert.file_name, O_CREAT | O_EXCL | O_WRONLY, 0444);
if (fd < 0) {
if (errno == EEXIST) {
- VLOG_INFO("reading CA cert %s created by another process",
- ca_cert.file_name);
- stream_ssl_set_ca_cert_file(ca_cert.file_name, true);
+ VLOG_INFO_RL(&rl, "reading CA cert %s created by another process",
+ ca_cert.file_name);
+ stream_ssl_set_ca_cert_file__(ca_cert.file_name, true, true);
return EPROTO;
} else {
VLOG_ERR("could not bootstrap CA cert: creating %s failed: %s",
return EPROTO;
} else {
VLOG_ERR("could not bootstrap CA cert: creating %s failed: %s",
-stream_ssl_set_ca_cert_file__(const char *file_name, bool bootstrap)
+stream_ssl_set_ca_cert_file__(const char *file_name,
+ bool bootstrap, bool force)
{
X509 **certs;
size_t n_certs;
struct stat s;
{
X509 **certs;
size_t n_certs;
struct stat s;
+ if (!update_ssl_config(&ca_cert, file_name) && !force) {
+ return;
+ }
+
if (!strcmp(file_name, "none")) {
verify_peer_cert = false;
VLOG_WARN("Peer certificate validation disabled "
if (!strcmp(file_name, "none")) {
verify_peer_cert = false;
VLOG_WARN("Peer certificate validation disabled "
void
stream_ssl_set_ca_cert_file(const char *file_name, bool bootstrap)
{
void
stream_ssl_set_ca_cert_file(const char *file_name, bool bootstrap)
{
- if (!update_ssl_config(&ca_cert, file_name)) {
- return;
- }
-
- stream_ssl_set_ca_cert_file__(file_name, bootstrap);
+ stream_ssl_set_ca_cert_file__(file_name, bootstrap, false);
}
\f
/* SSL protocol logging. */
}
\f
/* SSL protocol logging. */