Allow clock skews in certificate verification
Currently we allow for up to NODE_MAX_CLOCK_SKEW time difference between nodes in some operations, but not everywhere: SSL certificate verification (import/export, both intra and inter-cluster) has a zero limit (downwards), and a week upwards.

This can cause even intra-cluster backup problems, if the source node has a time even two seconds in the future.

To fix this, when we verify certificates, compare with a time offset with the max skew, which fixes the lower bound and reduces the upper bound by an insignificant amount (0.04%).

Signed-off-by: Iustin Pop <iustin@google.com>
Reviewed-by: Michael Hanselmann <hansmi@google.com>
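The comparison described in the commit message, sketched as an added example that is not part of the commit or the project's code. The function names, the 150-second value of `ASSUMED_MAX_CLOCK_SKEW` and the timestamps are assumptions made for illustration; the page names NODE_MAX_CLOCK_SKEW but does not give its value.

```python
from datetime import datetime, timedelta, timezone

# Assumed value; the page does not state what NODE_MAX_CLOCK_SKEW is.
ASSUMED_MAX_CLOCK_SKEW = timedelta(seconds=150)
CERT_LIFETIME = timedelta(weeks=1)  # the "week upwards" from the commit message


def verify_strict(not_before, not_after, now):
    """Zero tolerance: an issuer clock ahead of ours fails the lower bound."""
    if now < not_before:
        return "not-yet-valid"
    if now > not_after:
        return "expired"
    return "ok"


def verify_with_skew(not_before, not_after, now, max_skew=ASSUMED_MAX_CLOCK_SKEW):
    """Compare against now + max_skew instead of now.

    Accepts certificates whose notBefore is up to max_skew in our future,
    and rejects them max_skew earlier than their notAfter.
    """
    if max_skew < timedelta(0):
        raise ValueError("max_skew must not be negative")
    return verify_strict(not_before, not_after, now + max_skew)


def demo():
    """Run both checks over constructed validity windows."""
    now = datetime(2010, 1, 1, 12, 0, 0, tzinfo=timezone.utc)  # verifier clock
    cases = {
        # label: how far the issuing node's clock was from ours at signing time
        "issuer 2s ahead": timedelta(seconds=2),
        "issuer at skew limit": ASSUMED_MAX_CLOCK_SKEW,
        "issuer beyond limit": ASSUMED_MAX_CLOCK_SKEW + timedelta(seconds=1),
        # issued almost a week ago: 100s of validity left on our clock
        "100s before expiry": timedelta(seconds=100) - CERT_LIFETIME,
    }
    results = {}
    for label, offset in cases.items():
        not_before = now + offset
        not_after = not_before + CERT_LIFETIME
        results[label] = (verify_strict(not_before, not_after, now),
                          verify_with_skew(not_before, not_after, now))
    return results


if __name__ == "__main__":
    for label, (strict, skewed) in demo().items():
        print(f"{label:22} strict={strict:14} with_skew={skewed}")
```

The last case shows the cost side of the trade: a certificate inside its final `max_skew` seconds is already treated as expired, and a clock difference larger than the tolerance still fails the lower bound.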