>> Giving a second thought, it seems there is still a problem.
>>
>> There should be two sets of SSL-related parameters we should consider in the active-standby scenario.
>> - One set of parameters is for the server side. For the ipaddr2 use case, both active and standby nodes will need them. For the LB use case, where only the active node should listen on the port, only the active node should need these parameters.
>> - Another set of parameters is for the client side, together with the --sync-from parameter, so that the standby node can connect to the active node as a client using SSL. These parameters are needed in the standby node only.
>>
>> I didn't see how this is addressed. Did I miss anything?
>>
>> For the server side SSL parameters, it should be valid to use DB settings instead of command line options. (For the client side, it may not be possible to use DB settings since the standby nodes need to get the SSL parameters before connecting to the (active) DB.)
>
>> Just to clarify, for the active-standby scenario, since we don't know who will become the active server at any time, it is safe to use the same certs on all central nodes irrespective of which node is client or server.
Ok, thanks. It is clarified after discussion that we are combining the server side and client side SSL keys/certs to the same value for all central nodes in the active-standby setup. I didn't know that the same settings actually work for both server and client, so it sounds good to me.

_______________________________________________
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev