I did some discussion here:
https://lists.opendaylight.org/pipermail/controller-dev/2014-April/003504.html
But still did not manage to make it work.
I followed instructions in INSTALL.SSL (Here: 
https://github.com/homework/openvswitch/blob/master/INSTALL.SSL )
and ran these commands to configure SSL and find out what's wrong with it:
 
mininet> s1 ovs-vsctl del-controller "s1"
mininet> s1 ovs-vsctl set-controller "s1" "ssl:127.0.0.1"
mininet> s1 ovs-vsctl list controllers
ovs-vsctl: unknown table "controllers"
mininet> s1 ovs-vsctl list controller
_uuid               : 7f00b252-c018-471c-9ecc-567b8cae2293
connection_mode     : []
controller_burst_limit: []
controller_rate_limit: []
enable_async_messages: []
external_ids        : {}
inactivity_probe    : []
is_connected        : false
local_gateway       : []
local_ip            : []
local_netmask       : []
max_backoff         : []
other_config        : {}
role                : other
status              : {last_error="Protocol not available", state=BACKOFF}
target              : "ssl:127.0.0.1"
 
 
 
I also viewed /var/log/openvswitch/ovs-vswitchd.log and saw messages like 
these:
 
2014-04-05T01:51:58.391Z|00135|stream_ssl|ERR|Private key must be configured to use SSL
2014-04-05T01:51:58.391Z|00136|stream_ssl|ERR|Certificate must be configured to use SSL
2014-04-05T01:51:58.391Z|00137|rconn|WARN|s1<->ssl:127.0.0.1: connection failed (Protocol not available)
 
I don't know what I did wrong when following the INSTALL.SSL instructions. Can 
you help me?
 
In this file: 
http://openvswitch.org/cgi-bin/ovsman.cgi?page=utilities%2Fovs-vsctl.8
in the SSL Configuration section, I found these lines:
 
When ovs-vswitchd is configured to connect over SSL for management or 
controller connectivity, the following parameters are required:

 private-key
     Specifies a PEM file containing the private key used as the virtual
     switch’s identity for SSL connections to the controller.

 certificate
     Specifies a PEM file containing a certificate, signed by the certificate
     authority (CA) used by the controller and manager, that certifies the
     virtual switch’s private key, identifying a trustworthy switch.

 ca-cert
     Specifies a PEM file containing the CA certificate used to verify that
     the virtual switch is connected to a trustworthy controller.

 These files are read only once, at ovs-vswitchd startup time. If their 
contents change, ovs-vswitchd must be killed and restarted.
 
 
However, those files already exist. Does the switch really read them when 
starting? If not, how can I make it do so?
 
______________________________________________________________
From: <[email protected]>
To: Justin Pettit <[email protected]>
Date: 02.04.2014 23:57
Subject: Re: [ovs-discuss] SSL Configuration

CC: [email protected]
Sure. I agree that this is probably a configuration issue. This is my current 
config. Now I am trying to use a controller on localhost. However, I am not 
sure whether this is all the info necessary to find out what's wrong with it.

8625e529-b120-425d-ae73-39757be6e38b
    Manager "ptcp:6640"
    Bridge "s1"
        Controller "ssl:127.0.0.1"
        Controller "pssl:6634"
        fail_mode: secure
        Port "s1"
            Interface "s1"
                type: internal
        Port "s1-eth2"
            Interface "s1-eth2"
        Port "s1-eth1"
            Interface "s1-eth1"
    ovs_version: "2.0.0"



______________________________________________________________
From: Justin Pettit <[email protected]>
To: <[email protected]>
Date: 31.03.2014 23:00
Subject: Re: [ovs-discuss] SSL Configuration

CC: [email protected]
You'd need to provide more information.  SSL is normally used to connect switches to controllers, so I'd be surprised if it is not a configuration issue.

--Justin


[email protected] wrote:
Thank you. But is that all? Now the controller is not flooded with OF Hello 
messages, but I still do not detect a TLS handshake.
______________________________________________________________
From: Justin Pettit <[email protected]>
To: <[email protected]>
Date: 27.03.2014 05:19
Subject: Re: [ovs-discuss] SSL Configuration

CC: [email protected]
[email protected] wrote:

I have noticed that it is still configured to use tcp. How can I change
that?

    ovs-vsctl del-controller s2
    ovs-vsctl set-controller s2 "ssl:192.168.56.101"

--Justin


----------

_______________________________________________
discuss mailing list
[email protected]
http://openvswitch.org/mailman/listinfo/discuss 
<http://openvswitch.org/mailman/listinfo/discuss>
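
The two stream_ssl errors in the log at the top of this thread correspond to parameters named in the quoted ovs-vsctl man-page excerpt. The following is an added example (not part of the thread or of Open vSwitch) that maps such log lines to the unset parameters and prints the `ovs-vsctl get-ssl` and `ovs-vsctl set-ssl` commands for inspecting and populating them. The function names, the PEM file placeholders and the CA-certificate message pattern are assumptions.

```shell
#!/bin/sh
# Added example: triage ovs-vswitchd.log for the stream_ssl errors shown above.

# Constructed sample: the three log lines from the message, with wraps rejoined.
SAMPLE_LOG='2014-04-05T01:51:58.391Z|00135|stream_ssl|ERR|Private key must be configured to use SSL
2014-04-05T01:51:58.391Z|00136|stream_ssl|ERR|Certificate must be configured to use SSL
2014-04-05T01:51:58.391Z|00137|rconn|WARN|s1<->ssl:127.0.0.1: connection failed (Protocol not available)'

# Read log text on stdin; print each SSL parameter (named as in ovs-vsctl(8))
# that stream_ssl reported as unset, one per line, in a fixed order.
missing_ssl_params() {
    awk -F'|' '
        $3 == "stream_ssl" && $4 == "ERR" {
            if ($5 ~ /^Private key must be configured/)    seen["private-key"] = 1
            if ($5 ~ /^Certificate must be configured/)    seen["certificate"] = 1
            # Assumed wording for the CA case; it is not in the quoted log.
            if ($5 ~ /^CA certificate must be configured/) seen["ca-cert"] = 1
        }
        END {
            n = split("private-key certificate ca-cert", order, " ")
            for (i = 1; i <= n; i++) if (order[i] in seen) print order[i]
        }'
}

# Read log text on stdin; return 1 and print the ovs-vsctl commands to check and
# set the SSL table when a parameter is unset, else return 0.
ssl_fix_hint() {
    missing=$(missing_ssl_params | tr '\n' ' ')
    if [ -z "$missing" ]; then
        echo "no stream_ssl configuration errors found"
        return 0
    fi
    echo "unset SSL parameters: $missing"
    echo "inspect: ovs-vsctl get-ssl"
    # The three file arguments are placeholders, not paths from the thread.
    echo "set:     ovs-vsctl set-ssl PRIVATE_KEY.pem CERTIFICATE.pem CA_CERT.pem"
    return 1
}

# Demo on the constructed sample (on a switch: ssl_fix_hint < ovs-vswitchd.log).
printf '%s\n' "$SAMPLE_LOG" | ssl_fix_hint || true
```

Because the quoted man page says the files are read only once at ovs-vswitchd startup, rerun the check against log lines written after a restart.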
