From: Ben Pfaff Date: Wed, 15 Jun 2011 18:50:24 +0000 (-0700) Subject: stream-ssl: Clear CAs for certificate verification before adding new ones. X-Git-Tag: v1.1.2~11 X-Git-Url: http://git.onelab.eu/?p=sliver-openvswitch.git;a=commitdiff_plain;h=9df30404d9f806daa6f9851412b2a295f3540e75 stream-ssl: Clear CAs for certificate verification before adding new ones. If the CA certificate changed and OVS added the new CA certificate, the change was ineffective. Clearing the certificate store before adding the new CA certificate fixes the problem. I don't know exactly why this fixes the problem, but in my testing it does. Bug #2921. Reported-by: Dan Wendlandt Reported-by: Pierre Ettori --- diff --git a/lib/stream-ssl.c b/lib/stream-ssl.c index 4874bbe48..32f21fcb9 100644 --- a/lib/stream-ssl.c +++ b/lib/stream-ssl.c @@ -436,6 +436,7 @@ do_ca_cert_bootstrap(struct stream *stream) if (!cert) { out_of_memory(); } + SSL_CTX_set_cert_store(ctx, X509_STORE_new()); if (SSL_CTX_load_verify_locations(ctx, ca_cert.file_name, NULL) != 1) { VLOG_ERR("SSL_CTX_load_verify_locations: %s", ERR_error_string(ERR_get_error(), NULL)); @@ -1311,6 +1312,7 @@ stream_ssl_set_ca_cert_file__(const char *file_name, bool bootstrap) /* Set up CAs for OpenSSL to trust in verifying the peer's * certificate. */ + SSL_CTX_set_cert_store(ctx, X509_STORE_new()); if (SSL_CTX_load_verify_locations(ctx, file_name, NULL) != 1) { VLOG_ERR("SSL_CTX_load_verify_locations: %s", ERR_error_string(ERR_get_error(), NULL));
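Review bot: in the `do_ca_cert_bootstrap` hunk the return value of `X509_STORE_new()` is passed straight into `SSL_CTX_set_cert_store(ctx, ...)` without a NULL check, which is inconsistent with the `if (!cert) { out_of_memory(); }` guard two lines above; suggest assigning it to a local and calling `out_of_memory()` on NULL before handing it to the context. Ownership is fine as written: `SSL_CTX_set_cert_store` frees the context's previous store and takes over the new one, so nothing leaks. Worth stating in a comment on that line why the fresh store is needed, since the commit message says the reason is unknown: `SSL_CTX_load_verify_locations` adds CAs to whatever store the context already has rather than replacing it, so without this line a previously loaded CA stays trusted alongside the new one. Note also that if the following `SSL_CTX_load_verify_locations` call fails, the context is left with an empty store and no peer certificate will verify, which is the safe (fail-closed) outcome but should be mentioned next to the existing `VLOG_ERR` so nobody later "fixes" it by restoring the old store.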
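Review bot: the `stream_ssl_set_ca_cert_file__` hunk has the same unchecked `X509_STORE_new()` as the bootstrap hunk and should get the same NULL handling. The new line lands directly under the comment "Set up CAs for OpenSSL to trust in verifying the peer's certificate."; extend that comment to say the store is replaced so that CAs from an earlier `stream_ssl_set_ca_cert_file__` call are dropped, otherwise the next reader will see an apparently redundant allocation before `SSL_CTX_load_verify_locations`. Since this replace-then-load pair now appears verbatim in two places, consider a small static helper (for example one that replaces the store, checks for allocation failure and then loads the file, logging with the existing `VLOG_ERR` on failure) so both call sites stay in sync.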