
Revision ab4b1cf2

ID ab4b1cf20b3b86f02ef932327a60a6529cdac6bf

Added by Helga Velroyen almost 7 years ago

Use node UUID as client certificate serial number

It turns out that some implementations of OpenSSL are more
pedantic in checking the certificates than others. In this
particular case, the SSL connection could not be
established when the serial number of the certificates
was not unique.

To avoid this problem, this patch extends Ganeti's X509
infrastructure to set the certificate's serial
number. In case of client certificates, we now use the
node's UUID as serial number, because the UUIDs are
assumed to be unique in a cluster. This does, however, still
not comply with how SSL was designed to be used, but at
least it is a lot better than setting every serial number
to 1, which was used before and is still used for
certificates other than the client certificate.

Signed-off-by: Helga Velroyen <>
Reviewed-by: Klaus Aehlig <>
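The mechanism the commit describes, shown as an added example that is not part of Ganeti's code (Ganeti's own X509 helpers are Python on top of pyOpenSSL; this is a stand-alone Go program using only the standard library). It derives an X.509 serial number from a node UUID, issues a self-signed client-auth certificate with that serial, and reports (issuer, serial) pairs that repeat, which is the collision the old "serial 1 everywhere" scheme produced. The node UUIDs and the subject name "ganeti-node" are constructed for the example and are not real cluster data; the fixed subject is an assumption that keeps the issuer identical across nodes so that a repeated serial actually collides. The nil UUID is rejected because RFC 5280 requires a positive serial.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"sort"
	"strings"
	"time"
)

// Constructed node UUIDs standing in for a cluster's node UUIDs (assumption).
var nodeUUIDs = []string{
	"5c8b0d58-7a5e-4a5e-8c2f-0e7a2b1c9d01",
	"0d1f2e3a-4b5c-4d6e-8f90-a1b2c3d4e5f6",
}

// serialFromUUID converts a textual UUID into a positive 128-bit integer.
// RFC 5280 allows serials of up to 20 octets, so 16 UUID bytes fit, but the
// value must be positive, so the all-zero (nil) UUID is rejected.
func serialFromUUID(u string) (*big.Int, error) {
	raw, err := hex.DecodeString(strings.ReplaceAll(u, "-", ""))
	if err != nil || len(raw) != 16 {
		return nil, fmt.Errorf("invalid UUID %q", u)
	}
	s := new(big.Int).SetBytes(raw)
	if s.Sign() == 0 {
		return nil, fmt.Errorf("nil UUID %q cannot be a serial number", u)
	}
	return s, nil
}

// clientCert issues a self-signed client-auth certificate with the given serial.
// The subject "ganeti-node" is an assumption chosen so every node shares one
// issuer name; with identical issuers, a repeated serial is a real collision.
func clientCert(serial *big.Int) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: "ganeti-node"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// duplicateSerials returns the (issuer, serial) pairs that occur more than once.
// RFC 5280 requires a serial to be unique per issuer; a repeat is the condition
// the stricter OpenSSL builds refused.
func duplicateSerials(certs []*x509.Certificate) []string {
	seen := map[string]int{}
	for _, c := range certs {
		seen[c.Issuer.String()+" serial=0x"+c.SerialNumber.Text(16)]++
	}
	var dups []string
	for k, n := range seen {
		if n > 1 {
			dups = append(dups, k)
		}
	}
	sort.Strings(dups)
	return dups
}

// compare issues one certificate per node the old way (serial 1 everywhere)
// and the new way (serial from the node UUID) and returns the duplicate counts.
func compare() (int, int, error) {
	var old, fresh []*x509.Certificate
	for _, u := range nodeUUIDs {
		c, err := clientCert(big.NewInt(1))
		if err != nil {
			return 0, 0, err
		}
		old = append(old, c)
		serial, err := serialFromUUID(u)
		if err != nil {
			return 0, 0, err
		}
		if c, err = clientCert(serial); err != nil {
			return 0, 0, err
		}
		fresh = append(fresh, c)
	}
	return len(duplicateSerials(old)), len(duplicateSerials(fresh)), nil
}

func main() {
	oldDups, newDups, err := compare()
	if err != nil {
		panic(err)
	}
	fmt.Printf("serial 1 everywhere: %d duplicate(s); UUID serials: %d duplicate(s)\n", oldDups, newDups)
}
```

The uniqueness check keys on issuer name plus serial rather than on serial alone, because that pair is what X.509 treats as a certificate's identity; two certificates with the same serial but different issuers do not conflict. As the commit message itself notes, a UUID-derived serial is unique but not the random, unpredictable value the standard intends, so this is a mitigation for the connection failure rather than a fully conforming serial-assignment policy.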
