-
Justin Pettit authored
When ovs-pki is used for CA cert generation, it generates certificates that are identical except for the public key. If multiple controllers are their own certificate authorities, the switch will receive multiple CA certs that are identical other than their key. Unfortunately, OpenSSL cannot distinguish between them. This is an excerpt of the SSL_CTX_load_verify_locations function used by vconn-ssl: Certificate matching is done based on the subject name, the key identifier (if present), and the serial number as taken from the certificate to be verified. If these data do not match, the next certificate will be tried. If a first certificate matching the parameters is found, the verification process will be performed; no other certificates for the same parameters will be searched in case of failure. To work around this, we add a bit of uniqueness to each certificate. In this commit, we add the generation time to the subject name. Please note that the CN field is limited to 64 bytes, so a bit of name compression needed to take place in order to fit the time. Bug #1782
496d0fe5