Utilities like ovs-vsctl have the ability to bootstrap a CA certificate. It looks useful for ovn-nbctl to have the same ability too. One could connect to the OVN NB database over SSL for transactions without having to copy over the certificate being used by the ovsdb-server backing OVN NB.
Signed-off-by: Gurucharan Shetty <[email protected]> --- lib/automake.mk | 1 + lib/ssl-bootstrap.xml | 30 ++++++++++++++++++++++++++++++ ovn/utilities/ovn-nbctl.8.xml | 1 + ovn/utilities/ovn-nbctl.c | 6 ++++++ 4 files changed, 38 insertions(+) create mode 100644 lib/ssl-bootstrap.xml diff --git a/lib/automake.mk b/lib/automake.mk index b03dd2d..b1adfce 100644 --- a/lib/automake.mk +++ b/lib/automake.mk @@ -441,6 +441,7 @@ EXTRA_DIST += \ lib/dirs.c.in \ lib/db-ctl-base.xml \ lib/ssl.xml \ + lib/ssl-bootstrap.xml \ lib/vlog.xml MAN_FRAGMENTS += \ diff --git a/lib/ssl-bootstrap.xml b/lib/ssl-bootstrap.xml new file mode 100644 index 0000000..5fd68e0 --- /dev/null +++ b/lib/ssl-bootstrap.xml @@ -0,0 +1,30 @@ +<?xml version="1.0" encoding="utf-8"?> +<dl> + <dt><code>--bootstrap-ca-cert=</code><var>cacert.pem</var></dt> + <dd> + <p> + When <var>cacert.pem</var> exists, this option has the same effect + as <code>-C</code> or <code>--ca-cert</code>. If it does not exist, + then the executable will attempt to obtain the CA certificate from the + SSL peer on its first SSL connection and save it to the named PEM + file. If it is successful, it will immediately drop the connection + and reconnect, and from then on all SSL connections must be + authenticated by a certificate signed by the CA certificate thus + obtained. + </p> + <p> + This option exposes the SSL connection to a man-in-the-middle + attack obtaining the initial CA certificate, but it may be useful + for bootstrapping. + </p> + <p> + This option is only useful if the SSL peer sends its CA certificate as + part of the SSL certificate chain. The SSL protocol does not require + the server to send the CA certificate. + </p> + <p> + This option is mutually exclusive with <code>-C</code> and + <code>--ca-cert</code>. + </p> + </dd> +</dl> diff --git a/ovn/utilities/ovn-nbctl.8.xml b/ovn/utilities/ovn-nbctl.8.xml index 4911c6a..f95b88d 100644 --- a/ovn/utilities/ovn-nbctl.8.xml +++ b/ovn/utilities/ovn-nbctl.8.xml 
@@ -829,6 +829,7 @@ database. </p> <xi:include href="lib/ssl.xml" xmlns:xi="http://www.w3.org/2003/XInclude"/> + <xi:include href="lib/ssl-bootstrap.xml" xmlns:xi="http://www.w3.org/2003/XInclude"/> <h2>Other Options</h2> diff --git a/ovn/utilities/ovn-nbctl.c b/ovn/utilities/ovn-nbctl.c index 4397daf..f0ff27a 100644 --- a/ovn/utilities/ovn-nbctl.c +++ b/ovn/utilities/ovn-nbctl.c @@ -165,6 +165,7 @@ parse_options(int argc, char *argv[], struct shash *local_options) OPT_LOCAL, OPT_COMMANDS, OPT_OPTIONS, + OPT_BOOTSTRAP_CA_CERT, VLOG_OPTION_ENUMS, TABLE_OPTION_ENUMS, SSL_OPTION_ENUMS, @@ -183,6 +184,7 @@ parse_options(int argc, char *argv[], struct shash *local_options) {"version", no_argument, NULL, 'V'}, VLOG_LONG_OPTIONS, STREAM_SSL_LONG_OPTIONS, + {"bootstrap-ca-cert", required_argument, NULL, OPT_BOOTSTRAP_CA_CERT}, TABLE_LONG_OPTIONS, {NULL, 0, NULL, 0}, }; @@ -286,6 +288,10 @@ parse_options(int argc, char *argv[], struct shash *local_options) TABLE_OPTION_HANDLERS(&table_style) STREAM_SSL_OPTION_HANDLERS + case OPT_BOOTSTRAP_CA_CERT: + stream_ssl_set_ca_cert_file(optarg, true); + break; + case '?': exit(EXIT_FAILURE); -- 1.9.1 _______________________________________________ dev mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-dev
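Review bot: lib/ssl-bootstrap.xml in this same patch states that --bootstrap-ca-cert is mutually exclusive with -C/--ca-cert, but the new `case OPT_BOOTSTRAP_CA_CERT:` in parse_options() does not enforce that: it calls `stream_ssl_set_ca_cert_file(optarg, true);` unconditionally, the -C handling in STREAM_SSL_OPTION_HANDLERS just above it is untouched, and nothing in the visible hunk rejects a command line that passes both, so whichever option appears last silently takes effect. Either enforce the documented behaviour (remember in parse_options() which of the two was seen and call ovs_fatal(0, "--bootstrap-ca-cert and --ca-cert are mutually exclusive") when both appear) or change the man page text to say that the last of the two options wins. If the intent is to mirror ovs-vsctl, as the commit message suggests, matching its behaviour is fine as long as the documentation matches it too.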
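Review bot: the second paragraph of the new lib/ssl-bootstrap.xml warns that the first connection is exposed to a man-in-the-middle, but the consequence for the operator should be spelled out: whatever CA certificate is captured on that first connection is written to cacert.pem and, per the first paragraph, is then required to sign every later connection, so an attacker who wins that one race stays trusted until the file is removed. Suggest adding a sentence telling the operator to verify the saved file out of band before relying on it (for example, compare its fingerprint with that of the CA certificate on the host running ovsdb-server) and to prefer -C/--ca-cert with a copied certificate anywhere other than a test setup. The text also covers only the success case; a sentence on what ovn-nbctl does when the peer sends no CA certificate or cacert.pem cannot be written would complete the description.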
