This adds the case for OPT_SSL_SERVER_NAME in ovn-dbctl.c,
enabling --ssl-server-name support for ovn-nbctl and ovn-sbctl.

The --ssl-server-name option allows specifying the server name for TLS
Server Name Indication (SNI), which is useful when connecting through
proxies or service meshes.

Example usage:
ovn-nbctl --db=ssl:$ISTIO_GATEWAY_IP:6641 \
    --ssl-server-name=hv-171.ovsdb.provider.internal \
    --private-key=ovn-nbctl-client.key \
    --certificate=ovn-nbctl-client.crt \
    --ca-cert=ca.crt \
    list nb_global

The above command will connect to an Istio proxy. Depending
on the configuration of the Istio proxy for SNI hv-171,
it can connect to a pod or a node in the Kubernetes cluster.

Signed-off-by: Gurucharan Shetty <[email protected]>
---
 tests/ovn-nbctl.at    | 69 +++++++++++++++++++++++++++++++++++++++++++
 utilities/ovn-dbctl.c |  4 +++
 2 files changed, 73 insertions(+)

diff --git a/tests/ovn-nbctl.at b/tests/ovn-nbctl.at
index 266789417..6a1814a2f 100644
--- a/tests/ovn-nbctl.at
+++ b/tests/ovn-nbctl.at
@@ -3335,3 +3335,72 @@ AT_CHECK([ovn-nbctl nf-list | uuidfilt], [0], [dnl
 AT_CHECK([ovn-nbctl nf-del nf2])
 AT_CHECK([ovn-nbctl nf-list | uuidfilt], [0], [])
 ])
+
+AT_SETUP([ovn-nbctl - TLS server name indication (SNI) with --ssl-server-name])
+AT_KEYWORDS([ovn-nbctl ssl tls sni client])
+AT_SKIP_IF([test "$HAVE_OPENSSL" = no])
+
+# This test validates the --ssl-server-name option for SNI in ovn-nbctl.
+# Test 1: Connect to IP with --ssl-server-name to verify SNI override.
+# Test 2: Connect to same IP without --ssl-server-name (no SNI sent).
+
+# Create ovn-nb database
+AT_CHECK([ovsdb-tool create ovn-nb.db $abs_top_srcdir/ovn-nb.ovsschema])
+
+PKIDIR=$abs_top_builddir/tests
+AT_CAPTURE_FILE([ovsdb-server.log])
+on_exit 'kill $(cat ovsdb-server.pid)'
+
+# Start ovsdb-server with SSL and debug logging
+AT_CHECK([ovsdb-server --log-file --detach --no-chdir --pidfile \
+    --private-key=$PKIDIR/testpki-test-privkey.pem \
+    --certificate=$PKIDIR/testpki-test-cert.pem \
+    --ca-cert=$PKIDIR/testpki-cacert.pem \
+    --remote=pssl:0:127.0.0.1 \
+    -vstream_ssl:file:dbg ovn-nb.db], [0], [ignore], [ignore])
+PARSE_LISTENING_PORT([ovsdb-server.log], [SSL_PORT])
+
+# Initialize the database
+AT_CHECK([ovn-nbctl --db=ssl:127.0.0.1:$SSL_PORT \
+    --private-key=$PKIDIR/testpki-test-privkey.pem \
+    --certificate=$PKIDIR/testpki-test-cert.pem \
+    --ca-cert=$PKIDIR/testpki-cacert.pem \
+    init])
+
+# Test 1: SNI override - connect to IP but specify server name.
+# This validates that --ssl-server-name overrides connection hostname.
+AT_CHECK([ovn-nbctl -t 5 \
+    --db=ssl:127.0.0.1:$SSL_PORT \
+    --private-key=$PKIDIR/testpki-test-privkey.pem \
+    --certificate=$PKIDIR/testpki-test-cert.pem \
+    --ca-cert=$PKIDIR/testpki-cacert.pem \
+    --ssl-server-name=sni-test.example \
+    ls-add test-ls])
+
+# Verify SNI was sent with the overridden name.
+OVS_WAIT_UNTIL([grep -q \
+    "connection indicated server name sni-test.example" \
+    ovsdb-server.log])
+
+# Save current log size for Test 2.
+LOG_SIZE=$(wc -l < ovsdb-server.log)
+
+# Test 2: Default behavior without SNI override - should NOT show SNI
+# connecting to IP address (no hostname to extract).
+AT_CHECK([ovn-nbctl -t 5 \
+    --db=ssl:127.0.0.1:$SSL_PORT \
+    --private-key=$PKIDIR/testpki-test-privkey.pem \
+    --certificate=$PKIDIR/testpki-test-cert.pem \
+    --ca-cert=$PKIDIR/testpki-cacert.pem \
+    ls-del test-ls])
+
+# Stop server to ensure logs are flushed before checking.
+AT_CHECK([ovs-appctl -t ovsdb-server exit])
+OVS_WAIT_WHILE([kill -0 $(cat ovsdb-server.pid) 2>/dev/null])
+
+# Check that no new SNI messages appeared in Test 2 (connecting to IP
+# without --ssl-server-name should not generate SNI).
+AT_CHECK([tail -n +$(($LOG_SIZE + 1)) ovsdb-server.log | \
+    grep -q "connection indicated server name"], [1])
+
+AT_CLEANUP
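Review bot: The "SNI override" wording in the Test 1 comments (the lines starting `# Test 1: SNI override` and `# This validates that --ssl-server-name overrides connection hostname.`) overstates what the check proves: both connections use `ssl:127.0.0.1:$SSL_PORT`, so there is no hostname-derived SNI to override, and Test 1 only shows that an explicit value is sent. I would reword the comment to `# Test 1: Explicit SNI - connect to an IP (no implicit server name) and` / `# verify the value given by --ssl-server-name is sent.` The override property itself is only exercised if a third case connects through a hostname in --db (e.g. `ssl:localhost:$SSL_PORT`) with --ssl-server-name set and the log shows the explicit name rather than the hostname; whether ovn-nbctl derives SNI from the --db hostname is implied by the Test 2 comment but not shown in this hunk, so that case would also document the assumption.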
diff --git a/utilities/ovn-dbctl.c b/utilities/ovn-dbctl.c
index e9fa4da03..afa88a071 100644
--- a/utilities/ovn-dbctl.c
+++ b/utilities/ovn-dbctl.c
@@ -622,6 +622,10 @@ apply_options_direct(const struct ovn_dbctl_options 
*dbctl_options,
             stream_ssl_set_ciphersuites(optarg);
             break;
 
+        case OPT_SSL_SERVER_NAME:
+            stream_ssl_set_server_name(optarg);
+            break;
+
         case OPT_BOOTSTRAP_CA_CERT:
             stream_ssl_set_ca_cert_file(po->arg, true);
             break;
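Review bot: The new case reads `optarg` while the adjacent OPT_BOOTSTRAP_CA_CERT case reads `po->arg`; the ciphersuites case above also uses `optarg`, so the mix presumably works only because the enclosing loop copies `po->arg` into `optarg`, which is not visible here (apply_options_direct starts outside the hunk). For consistency with the bootstrap case I would write `stream_ssl_set_server_name(po->arg);` so the case does not depend on that side channel. A one-line comment such as `/* Overrides the TLS SNI value; does not affect peer certificate verification. */` would also help, since the commit message describes the option only in terms of SNI and a reader may otherwise assume the name is matched against the server certificate — confirm against stream_ssl_set_server_name before stating it.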
-- 
2.34.1
