Good to know I guess.
-----Original Message-----
From: Ben Pfaff [mailto:b...@ovn.org]
Sent: Monday, January 11, 2016 12:30 PM
To: Tandulwadkar, Sanket Ravindra (Sanket Ravindra)
Cc: b...@openvswitch.org
Subject: Re: [ovs-discuss] Configuring Open vSwitch for SSL - Question about using switch certificate authority method

On Wed, Jan 06, 2016 at 04:38:37PM +0000, Tandulwadkar, Sanket Ravindra (Sanket Ravindra) wrote:
> I wanted to know what channel is used by OvS to fetch the CA
> certificate from the controller in bootstrap mode? Is it over SSL, OF,
> TCP or something else?

It obtains the CA certificate from the SSL connection. The documentation in the manpage tries to explain this:

       --bootstrap-ca-cert=cacert.pem
              When cacert.pem exists, this option has the same effect as -C or --ca-cert. If it does not exist, then ovs-vsctl will attempt to obtain the CA certificate from the SSL peer on its first SSL connection and save it to the named PEM file. If it is successful, it will immediately drop the connection and reconnect, and from then on all SSL connections must be authenticated by a certificate signed by the CA certificate thus obtained. This option exposes the SSL connection to a man-in-the-middle attack obtaining the initial CA certificate, but it may be useful for bootstrapping.

              This option is only useful if the SSL peer sends its CA certificate as part of the SSL certificate chain. The SSL protocol does not require the server to send the CA certificate.

              This option is mutually exclusive with -C and --ca-cert.

> Also, I am trying to understand the need of having this CA certificate on OvS.
>
> My current scenario -
> I have a northbound application on top of my controller which signs the OvS certificate. When the certificate is signed and sent back, I am setting the certificates on OvS and establishing the SSL connection. On my controller, I am using OpenDaylight and storing the same CAcert that signs the OvS certificate in the truststore.jks file, which maintains the OvS keys or CAcert depending on the way we use OvS.
>
> I was wondering why the CAcert is being pulled by OvS if it is signed by the same CAcert preset in the ODL truststore.jks.

You don't have to use the bootstrap feature. In fact, if you already have the correct CA certificate on the OVS host, then you shouldn't use it.
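The scenario in this thread, carried through as an added example (it is not code from Open vSwitch or from anyone in the thread): an external CA standing in for the northbound application signs the switch certificate with the openssl CLI, the switch is then configured with plain `ovs-vsctl set-ssl` because the CA certificate is already on the host, and a small `bootstrap_ca_from_chain` function approximates what `--bootstrap-ca-cert` does so the failure mode from the manpage (peer does not send its CA certificate) can be seen. That approximation (take the last certificate of the peer's chain, keep it only if self-signed) is an assumption about the option's internals; subjects, file names, the bridge name `br0` and the controller address `192.0.2.10` are made up.

```shell
#!/bin/sh
# Added example, not Open vSwitch project code. It reproduces the thread's setup
# with the openssl CLI: an external CA (the "northbound application") signs the
# switch certificate, after which the switch is configured WITHOUT --bootstrap
# because the CA certificate is already on the host. bootstrap_ca_from_chain
# approximates what --bootstrap-ca-cert does (assumption about its internals:
# take the last certificate of the peer's chain and keep it only if it is
# self-signed), so it shows why bootstrap fails when the peer omits its CA.
# Subjects, file names, bridge name and controller address are made up.
set -eu

WORK=${WORK:-$(mktemp -d)}
cd "$WORK"

# The northbound application's CA: a self-signed root.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Northbound CA" \
    -keyout ca-key.pem -out ca-cert.pem 2>/dev/null
}

# Key + CSR for one party, signed by that CA. $1 = CN, $2 = file prefix.
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$2-privkey.pem" -out "$2.csr" 2>/dev/null
  openssl x509 -req -in "$2.csr" -CA ca-cert.pem -CAkey ca-key.pem \
    -CAcreateserial -days 2 -out "$2-cert.pem" 2>/dev/null
}

# What a truststore holding the CA lets a peer check: $1 chains to CA file $2.
verify_cert() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Approximation of --bootstrap-ca-cert with no cacert.pem yet: take the LAST
# certificate the peer presented ($1) and save it as the CA ($2) only if it is
# self-signed. Returns 1 when the chain carried no root, which is the case the
# manpage warns about: TLS does not oblige a server to send its CA certificate.
bootstrap_ca_from_chain() {
  awk '/-----BEGIN CERTIFICATE-----/ { buf = "" }
       { buf = buf $0 "\n" }
       /-----END CERTIFICATE-----/ { last = buf }
       END { printf "%s", last }' "$1" > "$2"
  [ -s "$2" ] || { rm -f "$2"; return 1; }
  subj=$(openssl x509 -in "$2" -noout -subject | sed 's/^subject=//')
  iss=$(openssl x509 -in "$2" -noout -issuer | sed 's/^issuer=//')
  if [ "$subj" != "$iss" ]; then
    rm -f "$2"
    return 1
  fi
}

# The configuration the thread ends up recommending: the CA is already here, so
# plain set-ssl (no --bootstrap) and the very first connection is authenticated.
# Only runs on a real OVS host when APPLY_OVS=1, since it rewrites the SSL config.
configure_ovs() {
  ovs-vsctl set-ssl "$PWD/sw-privkey.pem" "$PWD/sw-cert.pem" "$PWD/ca-cert.pem"
  ovs-vsctl set-controller br0 ssl:192.0.2.10:6653
  # NOT this when the CA is already known: it trusts whatever CA the first
  # peer presents (trust on first use, open to a man-in-the-middle):
  #   ovs-vsctl set-ssl --bootstrap "$PWD/sw-privkey.pem" "$PWD/sw-cert.pem" "$PWD/ca-cert.pem"
}

make_ca
issue_cert ovs-switch sw
issue_cert controller ctl
verify_cert sw-cert.pem ca-cert.pem    # what the ODL truststore checks
verify_cert ctl-cert.pem ca-cert.pem   # what the switch checks with -C/--ca-cert

# Peer chain with the CA appended: bootstrap recovers exactly ca-cert.pem.
cat ctl-cert.pem ca-cert.pem > chain-with-ca.pem
# Leaf only, which TLS permits: bootstrap has nothing it can save.
cp ctl-cert.pem chain-leaf-only.pem

if [ "${APPLY_OVS:-0}" = 1 ]; then configure_ovs; fi
```

Run it as-is to see the PKI and the two chain cases; set `APPLY_OVS=1` only on a switch host whose `br0` you actually want pointed at that controller. The point the script makes concrete is the one in the reply: once `ca-cert.pem` is on the host, `-C`/`set-ssl` without `--bootstrap` authenticates the controller from the first handshake, whereas the bootstrap path both depends on the controller including its CA in the chain and accepts whatever root the first peer happens to send.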