On Wed, Oct 22, 2025 at 2:10 PM Mark Michelson via dev <[email protected]> wrote:
>
> Thanks for this patch too, and thanks especially for adding a test!
>
> Acked-by: Mark Michelson <[email protected]>
Thanks Guru and Mark. I applied both the patches to the main.

Numan

>
> On Mon, Oct 20, 2025 at 6:15 PM Gurucharan Shetty <[email protected]> wrote:
> >
> > This adds the case for OPT_SSL_SERVER_NAME in ovn-dbctl.c,
> > enabling --ssl-server-name support for ovn-nbctl and ovn-sbctl.
> >
> > The --ssl-server-name option allows specifying the server name for TLS
> > Server Name Indication (SNI), which is useful when connecting through
> > proxies or service meshes.
> >
> > Example usage:
> > ovn-nbctl --db=ssl:$ISTIO_GATEWAY_IP:6641 \
> >     --ssl-server-name=hv-171.ovsdb.provider.internal \
> >     --private-key=ovn-nbctl-client.key \
> >     --certificate=ovn-nbctl-client.crt \
> >     --ca-cert=ca.crt \
> >     list nb_global
> >
> > The above command will connect to an istio proxy. Depending
> > on the configuration of istio proxy for SNI hv-171,
> > it can connect to a pod or a node in the kubernetes cluster.
> >
> > Signed-off-by: Gurucharan Shetty <[email protected]>
> > ---
> >  tests/ovn-nbctl.at    | 69 +++++++++++++++++++++++++++++++++++++++++++
> >  utilities/ovn-dbctl.c |  4 +++
> >  2 files changed, 73 insertions(+)
> >
> > diff --git a/tests/ovn-nbctl.at b/tests/ovn-nbctl.at
> > index 266789417..6a1814a2f 100644
> > --- a/tests/ovn-nbctl.at
> > +++ b/tests/ovn-nbctl.at
> > @@ -3335,3 +3335,72 @@ AT_CHECK([ovn-nbctl nf-list | uuidfilt], [0], [dnl > > AT_CHECK([ovn-nbctl nf-del nf2]) > > AT_CHECK([ovn-nbctl nf-list | uuidfilt], [0], []) > > ]) > > + > > +AT_SETUP([ovn-nbctl - TLS server name indication (SNI) with > > --ssl-server-name]) > > +AT_KEYWORDS([ovn-nbctl ssl tls sni client]) > > +AT_SKIP_IF([test "$HAVE_OPENSSL" = no]) > > + > > +# This test validates the --ssl-server-name option for SNI in ovn-nbctl. > > +# Test 1: Connect to IP with --ssl-server-name to verify SNI override. > > +# Test 2: Connect to same IP without --ssl-server-name (no SNI sent). > > + > > +# Create ovn-nb database > > +AT_CHECK([ovsdb-tool create ovn-nb.db $abs_top_srcdir/ovn-nb.ovsschema]) > > + > > +PKIDIR=$abs_top_builddir/tests > > +AT_CAPTURE_FILE([ovsdb-server.log]) > > +on_exit 'kill $(cat ovsdb-server.pid)' > > + > > +# Start ovsdb-server with SSL and debug logging > > +AT_CHECK([ovsdb-server --log-file --detach --no-chdir --pidfile \ > > + --private-key=$PKIDIR/testpki-test-privkey.pem \ > > + --certificate=$PKIDIR/testpki-test-cert.pem \ > > + --ca-cert=$PKIDIR/testpki-cacert.pem \ > > + --remote=pssl:0:127.0.0.1 \ > > + -vstream_ssl:file:dbg ovn-nb.db], [0], [ignore], [ignore]) > > +PARSE_LISTENING_PORT([ovsdb-server.log], [SSL_PORT]) > > + > > +# Initialize the database > > +AT_CHECK([ovn-nbctl --db=ssl:127.0.0.1:$SSL_PORT \ > > + --private-key=$PKIDIR/testpki-test-privkey.pem \ > > + --certificate=$PKIDIR/testpki-test-cert.pem \ > > + --ca-cert=$PKIDIR/testpki-cacert.pem \ > > + init]) > > + > > +# Test 1: SNI override - connect to IP but specify server name. > > +# This validates that --ssl-server-name overrides connection hostname. 
> > +AT_CHECK([ovn-nbctl -t 5 \ > > + --db=ssl:127.0.0.1:$SSL_PORT \ > > + --private-key=$PKIDIR/testpki-test-privkey.pem \ > > + --certificate=$PKIDIR/testpki-test-cert.pem \ > > + --ca-cert=$PKIDIR/testpki-cacert.pem \ > > + --ssl-server-name=sni-test.example \ > > + ls-add test-ls]) > > + > > +# Verify SNI was sent with the overridden name. > > +OVS_WAIT_UNTIL([grep -q \ > > + "connection indicated server name sni-test.example" \ > > + ovsdb-server.log]) > > + > > +# Save current log size for Test 2. > > +LOG_SIZE=$(wc -l < ovsdb-server.log) > > + > > +# Test 2: Default behavior without SNI override - should NOT show SNI > > +# connecting to IP address (no hostname to extract). > > +AT_CHECK([ovn-nbctl -t 5 \ > > + --db=ssl:127.0.0.1:$SSL_PORT \ > > + --private-key=$PKIDIR/testpki-test-privkey.pem \ > > + --certificate=$PKIDIR/testpki-test-cert.pem \ > > + --ca-cert=$PKIDIR/testpki-cacert.pem \ > > + ls-del test-ls]) > > + > > +# Stop server to ensure logs are flushed before checking. > > +AT_CHECK([ovs-appctl -t ovsdb-server exit]) > > +OVS_WAIT_WHILE([kill -0 $(cat ovsdb-server.pid) 2>/dev/null]) > > + > > +# Check that no new SNI messages appeared in Test 2 (connecting to IP > > +# without --ssl-server-name should not generate SNI). > > +AT_CHECK([tail -n +$(($LOG_SIZE + 1)) ovsdb-server.log | \ > > + grep -q "connection indicated server name"], [1]) > > + > > +AT_CLEANUP > > diff --git a/utilities/ovn-dbctl.c b/utilities/ovn-dbctl.c > > index e9fa4da03..afa88a071 100644 > > --- a/utilities/ovn-dbctl.c > > +++ b/utilities/ovn-dbctl.c 
> > @@ -622,6 +622,10 @@ apply_options_direct(const struct ovn_dbctl_options > > *dbctl_options, > > stream_ssl_set_ciphersuites(optarg); > > break; > > > > + case OPT_SSL_SERVER_NAME: > > + stream_ssl_set_server_name(optarg); > > + break; > > + > > case OPT_BOOTSTRAP_CA_CERT: > > stream_ssl_set_ca_cert_file(po->arg, true); > > break; > > -- > > 2.34.1 > > > > _______________________________________________ > > dev mailing list > > [email protected] > > https://mail.openvswitch.org/mailman/listinfo/ovs-dev
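Review bot: in the tests/ovn-nbctl.at hunk, the Test 1 comment says it "validates that --ssl-server-name overrides connection hostname", but the --db target in both cases is ssl:127.0.0.1:$SSL_PORT, so there is no hostname to override: Test 1 only shows that an explicit --ssl-server-name is sent as SNI, and Test 2 that an IP target without the option sends none. Either reword the comment or add a case with a hostname target where the option replaces the name derived from the target, since that is the behaviour the comment claims to cover. One more thing to check before this goes in: the `+AT_SETUP([ovn-nbctl - TLS server name indication (SNI) with` title appears in this mail wrapped onto a following `--ssl-server-name])` line that has no `+` prefix; if that is in the sent patch rather than an artifact of the mail client, the patch will not apply.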
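Review bot: in the utilities/ovn-dbctl.c hunk, the new case reads its argument via `optarg`, like the `stream_ssl_set_ciphersuites(optarg);` case above it, while `OPT_BOOTSTRAP_CA_CERT` two lines below uses `po->arg`; apply_options_direct works on pre-parsed options, so the two spellings are only equivalent if the loop copies `po->arg` into `optarg` before the switch, which is worth confirming, and the block should settle on one of them. Also, the commit message says OPT_SSL_SERVER_NAME already existed and only the switch case was missing, and the diffstat touches no documentation: please state in the commit message how ovn-nbctl/ovn-sbctl treated --ssl-server-name before this change (accepted and silently ignored, or rejected), and add a man page entry for the option that says it sets the TLS SNI extension for the connection.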
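The two behaviours the test above checks, an explicit SNI name sent to an IP target (Test 1) and no SNI at all when the target is an IP literal and no name is given (Test 2), as an added example that is not part of the patch or of the OVN/OVS code base. It uses Go's crypto/tls on a loopback socket with a self-signed certificate constructed in-process; the names sni-test.example and 127.0.0.1 are taken from the test, and `selfSignedCert` and `sniSeen` are helper names chosen here. One caveat the commit message does not settle for ovn-nbctl, so do not read it back into the option: in crypto/tls the ServerName field both sets the SNI extension and is the name the certificate is verified against, so the constructed certificate carries a DNS SAN for the override name and an IP SAN for the dialed address, and a name the certificate does not cover (the third call in main) fails the handshake instead of merely changing what the server observes.

```go
package main

// Added example (not OVN/OVS code): show what a TLS server observes as the
// SNI name when a client dials an IP address with and without an explicit
// server name, mirroring Test 1 and Test 2 of the ovn-nbctl test above.

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSignedCert builds a throwaway self-signed certificate (constructed for
// this example) that covers the override name and the loopback address.
func selfSignedCert(dnsName string, ip net.IP) (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "sni-example"},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
		DNSNames:              []string{dnsName},
		IPAddresses:           []net.IP{ip},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// sniSeen dials a loopback TLS server with the given ServerName and returns
// the SNI value the server saw in the ClientHello. An empty serverName lets
// tls.Dial derive the name from the dialed address; because that is an IP
// literal, crypto/tls sends no SNI extension at all (the "Test 2" case).
func sniSeen(serverName string) (string, error) {
	cert, pool, err := selfSignedCert("sni-test.example", net.ParseIP("127.0.0.1"))
	if err != nil {
		return "", err
	}
	observed := make(chan string, 1)
	srvCfg := &tls.Config{
		Certificates: []tls.Certificate{cert},
		GetConfigForClient: func(hello *tls.ClientHelloInfo) (*tls.Config, error) {
			observed <- hello.ServerName // "" when the ClientHello carried no SNI
			return nil, nil
		},
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go func() {
		c, err := ln.Accept()
		if err != nil {
			return
		}
		defer c.Close()
		_ = c.(*tls.Conn).Handshake() // runs the handshake so GetConfigForClient fires
	}()

	// RootCAs makes the client verify the chain; ServerName (explicit or
	// derived from the address) is also the name the certificate must cover.
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: pool, ServerName: serverName})
	if err != nil {
		return "", err
	}
	conn.Close()
	select {
	case name := <-observed:
		return name, nil
	case <-time.After(5 * time.Second):
		return "", errors.New("server never received a ClientHello")
	}
}

func main() {
	for _, name := range []string{"sni-test.example", "", "bogus.example"} {
		seen, err := sniSeen(name)
		fmt.Printf("client ServerName=%q: server saw SNI %q, err=%v\n", name, seen, err)
	}
}
```

The server-side `GetConfigForClient` hook is the programmatic counterpart of the "connection indicated server name" log line the test greps for: it is the one place a server sees the SNI value before choosing a certificate or routing the connection, which is exactly what a proxy in front of ovsdb-server keys on.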
