• Helga Velroyen's avatar
    Use node UUID as client certificate serial number · ab4b1cf2
    Helga Velroyen authored
    It turns out, that some implementations of OpenSSL are more
    pedantic in checking the certficates than others. In this
    particular case, the SSL connection could not be
    established when the serial number of the certificates
    was not unique.
    
    To avoid this problem, this patch extends Ganeti's X509
    infrastructure to set the certificate's serial
    number. In case of client certificates, we now use the
    node's UUID as serial number, because the UUIDs are
    assumed to be unique in a cluster. This is however still
    not complying to how SSL was designed to be used, but at
    least it is a lot better than setting every serial number
    to 1, which was used before and is still used for other
    certificates than the client certificate.
    Signed-off-by: default avatarHelga Velroyen <helgav@google.com>
    Reviewed-by: default avatarKlaus Aehlig <aehlig@google.com>
    ab4b1cf2
backend.py 146 KB