1. 10 Jul, 2017 1 commit
  2. 04 May, 2017 1 commit
  3. 22 Jul, 2016 1 commit
  4. 22 Mar, 2016 1 commit
  5. 25 Aug, 2015 1 commit
  6. 22 Sep, 2014 1 commit
    • ovs-pki: Use SHA-1 instead of SHA-512 as message digest. · 4a1f9610
      Alex Wang authored
      Commit 9ff33ca7 (ovs-pki: Use SHA-512 instead of MD5 as message
      digest.) changes the message digest algorithm to SHA-512.  This
      seems to break the unit tests on some xenserver 5.6/6.0 builds
      causing the error: "SSL_connect: error:0D0C50A1:asn1 encoding
      routines:ASN1_item_verify:unknown message digest algorithm".
      
      As a solution, this commit changes the message digest algorithm
      to SHA-1 which works for both the above xenserver builds and
      centos 7.
      
      VMware-BZ: #1319116
      Signed-off-by: Alex Wang <alexw@nicira.com>
      Acked-by: Ben Pfaff <blp@nicira.com>
  7. 19 Sep, 2014 1 commit
  8. 14 May, 2014 2 commits
  9. 08 May, 2013 1 commit
    • ovs-pki: Reduce CA certificate validity to 10 years to fix 32-bit OpenSSL. · d652859b
      Ben Pfaff authored
      Before I applied this commit, when I generated a CA certificate with OpenSSL
      0.9.8o on my 32-bit Debian system, I got a certificate that expired
      sometime in 1977.  This made all SSL-based tests fail with an invalid
      certificate.
      
      32-bit time_t only extends to 2038, so this must be a bug in OpenSSL.
      This commit works around the problem by reducing the validity period of
      certificates to 10 years.
      
      CC: Gurucharan Shetty <gshetty@nicira.com>
      Signed-off-by: Ben Pfaff <blp@nicira.com>
  10. 22 Apr, 2013 1 commit
  11. 08 Feb, 2013 1 commit
  12. 22 Oct, 2012 1 commit
  13. 15 Oct, 2012 1 commit
  14. 06 Aug, 2012 1 commit
  15. 31 Jul, 2012 1 commit
  16. 02 May, 2012 1 commit
  17. 13 Mar, 2012 1 commit
    • Use `pwd` in place of $PWD, treewide. · 37d03458
      Ben Pfaff authored
      The Autoconf manual says:
      
           Posix 1003.1-2001 requires that `cd' and `pwd' must update the
           `PWD' environment variable to point to the logical name of the
           current directory, but traditional shells do not support this.
           This can cause confusion if one shell instance maintains `PWD' but
           a subsidiary and different shell does not know about `PWD' and
           executes `cd'; in this case `PWD' points to the wrong directory.
           Use ``pwd`' rather than `$PWD'.
      
      so this commit replaces all uses of $PWD by `pwd`.
      Reported-by: Justin Pettit <jpettit@nicira.com>
      Signed-off-by: Ben Pfaff <blp@nicira.com>
  18. 12 Mar, 2012 1 commit
  19. 10 Jan, 2011 1 commit
  20. 08 Dec, 2010 1 commit
  21. 06 Aug, 2010 3 commits
  22. 29 Jun, 2010 1 commit
    • ovs-pki: Allow generating certificates with duplicate subjects. · c6c9e1e3
      Ben Pfaff authored
      Without this setting, the certificate authorities that ovs-pki creates will
      not allow two switches or two controllers to have the same name.  This
      causes problems in testing, since it's often convenient to test with short,
      common names like "tmp".
      
      (If you need to fix a PKI that you already created, in addition to
      modifying ca.cnf you will need to make the same change to index.txt.attr.)
      
      CC: Pierre Ettori <pettori@nicira.com>
  23. 01 Feb, 2010 1 commit
  24. 16 Sep, 2009 1 commit
  25. 13 Aug, 2009 2 commits
    • ovs-pki: Add uniqueness to CA certs · 496d0fe5
      Justin Pettit authored
      When ovs-pki is used for CA cert generation, it generates certificates
      that are identical except for the public key.  If multiple controllers are
      their own certificate authorities, the switch will receive multiple CA
      certs that are identical other than their key.  Unfortunately, OpenSSL
      cannot distinguish between them.  This is an excerpt of the
      SSL_CTX_load_verify_locations function used by vconn-ssl:
      
          Certificate matching is done based on the subject name, the key
          identifier (if present), and the serial number as taken from the
          certificate to be verified. If these data do not match, the next
          certificate will be tried. If a first certificate matching the
          parameters is found, the verification process will be performed; no
          other certificates for the same parameters will be searched in case of
          failure.
      
      To work around this, we add a bit of uniqueness to each certificate.  In
      this commit, we add the generation time to the subject name.  Please note
      that the CN field is limited to 64 bytes, so a bit of name compression
      needed to take place in order to fit the time.
      
      Bug #1782
    • ovs-pki: Add uniqueness to CA certs · a20d2466
      Justin Pettit authored
      When ovs-pki is used for CA cert generation, it generates certificates
      that are identical except for the public key.  If multiple controllers are
      their own certificate authorities, the switch will receive multiple CA
      certs that are identical other than their key.  Unfortunately, OpenSSL
      cannot distinguish between them.  This is an excerpt of the
      SSL_CTX_load_verify_locations function used by vconn-ssl:
      
          Certificate matching is done based on the subject name, the key
          identifier (if present), and the serial number as taken from the
          certificate to be verified. If these data do not match, the next
          certificate will be tried. If a first certificate matching the
          parameters is found, the verification process will be performed; no
          other certificates for the same parameters will be searched in case of
          failure.
      
      To work around this, we add a bit of uniqueness to each certificate.  In
      this commit, we add the generation time to the subject name.  Please note
      that the CN field is limited to 64 bytes, so a bit of name compression
      needed to take place in order to fit the time.
      
      Bug #1782
  26. 15 Jun, 2009 1 commit
  27. 08 Jul, 2009 1 commit