From f14848742aca978783cc7953dc3949877ca25374 Mon Sep 17 00:00:00 2001 From: Ben Pfaff Date: Thu, 5 May 2011 10:59:50 -0700 Subject: [PATCH] stream-ssl: Force CA cert file to be read when it appears during bootstrap. A user report shows the message "reading CA cert /etc/openvswitch/vswitchd.cacert created by another process" appearing hundreds of times over a long period of time in the log. The only way I can see that this would happen is if update_ssl_config() returned false, indicating that the CA cert does not need to be re-read because it has not changed. This commit should prevent that from happening. We don't want to simply skip calling update_ssl_config() in this case, because then the next call to stream_ssl_set_ca_cert_file() would usually re-read the CA certificate, which is a waste of time. Also, we might as well rate-limit the message. NICS-9. --- lib/stream-ssl.c | 22 ++++++++++++---------- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/lib/stream-ssl.c b/lib/stream-ssl.c index 02ce7f565..6509b7ee6 100644 --- a/lib/stream-ssl.c +++ b/lib/stream-ssl.c @@ -196,9 +196,10 @@ static int interpret_ssl_error(const char *function, int ret, int error, static DH *tmp_dh_callback(SSL *ssl, int is_export OVS_UNUSED, int keylength); static void log_ca_cert(const char *file_name, X509 *cert); static void stream_ssl_set_ca_cert_file__(const char *file_name, - bool bootstrap); + bool bootstrap, bool force); static void ssl_protocol_cb(int write_p, int version, int content_type, const void *, size_t, SSL *, void *sslv_); +static bool update_ssl_config(struct ssl_config_file *, const char *file_name); static short int want_to_poll_events(int want) @@ -385,9 +386,9 @@ do_ca_cert_bootstrap(struct stream *stream) fd = open(ca_cert.file_name, O_CREAT | O_EXCL | O_WRONLY, 0444); if (fd < 0) { if (errno == EEXIST) { - VLOG_INFO("reading CA cert %s created by another process", - ca_cert.file_name); - stream_ssl_set_ca_cert_file(ca_cert.file_name, true); + VLOG_INFO_RL(&rl, "reading CA cert %s created by another process", + ca_cert.file_name); + stream_ssl_set_ca_cert_file__(ca_cert.file_name, true, true); return EPROTO; } else { VLOG_ERR("could not bootstrap CA cert: creating %s failed: %s", @@ -1279,12 +1280,17 @@ log_ca_cert(const char *file_name, X509 *cert) } static void -stream_ssl_set_ca_cert_file__(const char *file_name, bool bootstrap) +stream_ssl_set_ca_cert_file__(const char *file_name, + bool bootstrap, bool force) { X509 **certs; size_t n_certs; struct stat s; + if (!update_ssl_config(&ca_cert, file_name) && !force) { + return; + } + if (!strcmp(file_name, "none")) { verify_peer_cert = false; VLOG_WARN("Peer certificate validation disabled " @@ -1329,11 +1335,7 @@ stream_ssl_set_ca_cert_file__(const char *file_name, bool bootstrap) void stream_ssl_set_ca_cert_file(const char *file_name, bool bootstrap) { - if (!update_ssl_config(&ca_cert, file_name)) { - return; - } - - stream_ssl_set_ca_cert_file__(file_name, bootstrap); + stream_ssl_set_ca_cert_file__(file_name, bootstrap, false); } /* SSL protocol logging. */ -- 2.43.0