-
Helga Velroyen authored
It turns out, that some implementations of OpenSSL are more pedantic in checking the certficates than others. In this particular case, the SSL connection could not be established when the serial number of the certificates was not unique. To avoid this problem, this patch extends Ganeti's X509 infrastructure to set the certificate's serial number. In case of client certificates, we now use the node's UUID as serial number, because the UUIDs are assumed to be unique in a cluster. This is however still not complying to how SSL was designed to be used, but at least it is a lot better than setting every serial number to 1, which was used before and is still used for other certificates than the client certificate. Signed-off-by:
Helga Velroyen <helgav@google.com> Reviewed-by:
Klaus Aehlig <aehlig@google.com>
ab4b1cf2
