stream-ssl: Get peer-ca-cert functionality to work.

author Gurucharan Shetty <gshetty@nicira.com>

Wed, 2 Sep 2015 18:38:32 +0000 (11:38 -0700)

committer Gurucharan Shetty <gshetty@nicira.com>

Fri, 18 Sep 2015 19:49:42 +0000 (12:49 -0700)
author Gurucharan Shetty <gshetty@nicira.com>
Wed, 2 Sep 2015 18:38:32 +0000 (11:38 -0700)
committer Gurucharan Shetty <gshetty@nicira.com>
Fri, 18 Sep 2015 19:49:42 +0000 (12:49 -0700)
diff --git a/lib/stream-ssl.c b/lib/stream-ssl.c

index 8b063ba..564c94c 100644 (file)
--- a/lib/stream-ssl.c
+++ b/lib/stream-ssl.c
@@ -1071,7 +1071,7 @@ stream_ssl_set_private_key_file(const char *file_name)
  static void
  stream_ssl_set_certificate_file__(const char *file_name)
  {
-    if (SSL_CTX_use_certificate_chain_file(ctx, file_name) == 1) {
+    if (SSL_CTX_use_certificate_file(ctx, file_name, SSL_FILETYPE_PEM) == 1) {
          certificate.read = true;
      } else {
          VLOG_ERR("SSL_use_certificate_file: %s",
diff --git a/tests/ovs-vsctl.at b/tests/ovs-vsctl.at

index 7664c89..2795370 100644 (file)
--- a/tests/ovs-vsctl.at
+++ b/tests/ovs-vsctl.at
@@ -1334,3 +1334,30 @@ AT_CHECK([ovs-vsctl -t 5 --no-wait --db=ssl:127.0.0.1:$SSL_PORT --private-key=$P
  
  OVSDB_SERVER_SHUTDOWN
  AT_CLEANUP
+
+AT_SETUP([peer ca cert])
+AT_KEYWORDS([ovs-vsctl ssl])
+AT_SKIP_IF([test "$HAVE_OPENSSL" = no])
+PKIDIR=`pwd`
+OVS_PKI="sh $abs_top_srcdir/utilities/ovs-pki.in --dir=$PKIDIR/pki --log=$PKIDIR/ovs-pki.log"
+AT_CHECK([$OVS_PKI -B 1024 init && $OVS_PKI -B 1024 req+sign vsctl switch && $OVS_PKI -B 1024 req+sign ovsdbserver controller], [0], [ignore], [ignore])
+
+dnl Create database.
+OVSDB_INIT([conf.db])
+AT_CHECK([ovsdb-server --detach --no-chdir --pidfile="`pwd`"/pid --private-key=$PKIDIR/ovsdbserver-privkey.pem --certificate=$PKIDIR/ovsdbserver-cert.pem --ca-cert=$PKIDIR/pki/switchca/cacert.pem --peer-ca-cert=$PKIDIR/pki/controllerca/cacert.pem --remote=pssl:0:127.0.0.1 --unixctl="`pwd`"/unixctl --log-file="`pwd`"/ovsdb-server.log conf.db], [0], [ignore], [ignore])
+on_exit "kill `cat pid`"
+SSL_PORT=`parse_listening_port < ovsdb-server.log`
+
+# During bootstrap, the connection gets torn down. So the o/p of ovs-vsctl is error.
+AT_CHECK([ovs-vsctl -t 5 --db=ssl:127.0.0.1:$SSL_PORT --private-key=$PKIDIR/vsctl-privkey.pem --certificate=$PKIDIR/vsctl-cert.pem --bootstrap-ca-cert=$PKIDIR/cacert.pem show], [1], [ignore], [ignore])
+
+# If the bootstrap was successful, the following file should exist.
+OVS_WAIT_UNTIL([test -e $PKIDIR/cacert.pem])
+
+# After bootstrap, the connection should be successful.
+AT_CHECK([ovs-vsctl -t 5 --no-wait --db=ssl:127.0.0.1:$SSL_PORT --private-key=$PKIDIR/vsctl-privkey.pem --certificate=$PKIDIR/vsctl-cert.pem --bootstrap-ca-cert=$PKIDIR/cacert.pem add-br br0], [0])
+AT_CHECK([ovs-vsctl -t 5 --no-wait --db=ssl:127.0.0.1:$SSL_PORT --private-key=$PKIDIR/vsctl-privkey.pem --certificate=$PKIDIR/vsctl-cert.pem --bootstrap-ca-cert=$PKIDIR/cacert.pem list-br], [0], [br0
+])
+
+OVSDB_SERVER_SHUTDOWN
+AT_CLEANUP
author	Gurucharan Shetty <gshetty@nicira.com>
	Wed, 2 Sep 2015 18:38:32 +0000 (11:38 -0700)
committer	Gurucharan Shetty <gshetty@nicira.com>
	Fri, 18 Sep 2015 19:49:42 +0000 (12:49 -0700)
lib/stream-ssl.c		patch \| blob \| history
tests/ovs-vsctl.at		patch \| blob \| history