stream-ssl: Clear CAs for certificate verification before adding new ones.
author Ben Pfaff <blp@nicira.com>
Wed, 15 Jun 2011 18:50:24 +0000 (11:50 -0700)
committer Ben Pfaff <blp@nicira.com>
Thu, 28 Jul 2011 18:21:58 +0000 (11:21 -0700)
If the CA certificate changed and OVS added the new CA certificate, the
change was ineffective.  Clearing the certificate store before adding the
new CA certificate fixes the problem.

I don't know exactly why this fixes the problem, but in my testing it does.

Bug #2921.
Reported-by: Dan Wendlandt <dan@nicira.com>
Reported-by: Pierre Ettori <pettori@nicira.com>
lib/stream-ssl.c

index 4874bbe..32f21fc 100644 (file)
@@ -436,6 +436,7 @@ do_ca_cert_bootstrap(struct stream *stream)
     if (!cert) {
         out_of_memory();
     }
+    SSL_CTX_set_cert_store(ctx, X509_STORE_new());
     if (SSL_CTX_load_verify_locations(ctx, ca_cert.file_name, NULL) != 1) {
         VLOG_ERR("SSL_CTX_load_verify_locations: %s",
                  ERR_error_string(ERR_get_error(), NULL));
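Review bot: the return value of X509_STORE_new() on the added line is not checked, although the surrounding code already treats allocation failure as fatal (`out_of_memory()` for `cert` a few lines up). X509_STORE_new() returns NULL on allocation failure, and SSL_CTX_set_cert_store() would then install a NULL store, so verification state becomes undefined rather than failing cleanly. Suggest `X509_STORE *store = X509_STORE_new(); if (!store) { out_of_memory(); } SSL_CTX_set_cert_store(ctx, store);`. On the "I don't know exactly why this fixes the problem" in the commit message: SSL_CTX_load_verify_locations() adds certificates to the context's existing X509_STORE, it never removes anything, so without this line the previously bootstrapped CA stays trusted alongside the new one and peers certified by the old CA continue to verify; replacing the store is what revokes that trust. Note that SSL_CTX_set_cert_store() frees the old store and takes ownership of the new one, so there is no leak here, but any flags or lookups that had been configured on the old store are discarded with it. One useful property of the ordering worth stating in a comment: if the load on the following line fails, the context is left with an empty store and verification fails closed rather than silently keeping the stale CA.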
@@ -1311,6 +1312,7 @@ stream_ssl_set_ca_cert_file__(const char *file_name, bool bootstrap)
 
         /* Set up CAs for OpenSSL to trust in verifying the peer's
          * certificate. */
+        SSL_CTX_set_cert_store(ctx, X509_STORE_new());
         if (SSL_CTX_load_verify_locations(ctx, file_name, NULL) != 1) {
             VLOG_ERR("SSL_CTX_load_verify_locations: %s",
                      ERR_error_string(ERR_get_error(), NULL));
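Review bot: this is the second copy of the same replace-the-store-then-load sequence, with the same unchecked X509_STORE_new() result as in do_ca_cert_bootstrap(). Suggest factoring the two into one small helper that allocates the store, calls out_of_memory() on NULL, installs it with SSL_CTX_set_cert_store() and then calls SSL_CTX_load_verify_locations(), so the NULL check and the log message live in one place. The comment above the added line ("Set up CAs for OpenSSL to trust") would also benefit from one sentence saying that the store is replaced because SSL_CTX_load_verify_locations() only ever adds CAs, since that is the non-obvious reason this line exists and the commit message itself says the mechanism was not understood.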