Re: [ovs-dev] [PATCH] ovn-nbctl: Ability to bootstrap CA certificate.

2017-01-18 Thread Ben Pfaff
On Wed, Jan 18, 2017 at 05:09:33AM -0800, Gurucharan Shetty wrote:
> Utilities like ovs-vsctl have the ability to bootstrap
> a CA certificate.  It looks useful for ovn-nbctl to have
> the same ability too.  One could connect to the OVN NB
> database over SSL for transactions without having to
> copy over the certificate being used by the ovsdb-server
> backing OVN NB.
> 
> Signed-off-by: Gurucharan Shetty 

Seems like a good idea.

Acked-by: Ben Pfaff 
___
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev


Re: [ovs-dev] [PATCH] ovn-nbctl: Ability to bootstrap CA certificate.

2017-01-18 Thread Lance Richardson
> From: "Gurucharan Shetty" <g...@ovn.org>
> To: d...@openvswitch.org
> Sent: Wednesday, January 18, 2017 8:09:33 AM
> Subject: [ovs-dev] [PATCH] ovn-nbctl: Ability to bootstrap CA certificate.
> 
> Utilities like ovs-vsctl have the ability to bootstrap
> a CA certificate.  It looks useful for ovn-nbctl to have
> the same ability too.  One could connect to the OVN NB
> database over SSL for transactions without having to
> copy over the certificate being used by the ovsdb-server
> backing OVN NB.
> 
> Signed-off-by: Gurucharan Shetty <g...@ovn.org>
> ---
LGTM.

Acked-by: Lance Richardson <lrich...@redhat.com>


[ovs-dev] [PATCH] ovn-nbctl: Ability to bootstrap CA certificate.

2017-01-18 Thread Gurucharan Shetty
Utilities like ovs-vsctl have the ability to bootstrap
a CA certificate.  It looks useful for ovn-nbctl to have
the same ability too.  One could connect to the OVN NB
database over SSL for transactions without having to
copy over the certificate being used by the ovsdb-server
backing OVN NB.

Signed-off-by: Gurucharan Shetty 
---
 lib/automake.mk   |  1 +
 lib/ssl-bootstrap.xml | 30 ++
 ovn/utilities/ovn-nbctl.8.xml |  1 +
 ovn/utilities/ovn-nbctl.c |  6 ++
 4 files changed, 38 insertions(+)
 create mode 100644 lib/ssl-bootstrap.xml

diff --git a/lib/automake.mk b/lib/automake.mk
index b03dd2d..b1adfce 100644
--- a/lib/automake.mk
+++ b/lib/automake.mk
@@ -441,6 +441,7 @@ EXTRA_DIST += \
lib/dirs.c.in \
lib/db-ctl-base.xml \
lib/ssl.xml \
+   lib/ssl-bootstrap.xml \
lib/vlog.xml
 
 MAN_FRAGMENTS += \
diff --git a/lib/ssl-bootstrap.xml b/lib/ssl-bootstrap.xml
new file mode 100644
index 000..5fd68e0
--- /dev/null
+++ b/lib/ssl-bootstrap.xml
@@ -0,0 +1,30 @@
+
+
+  --bootstrap-ca-cert=cacert.pem
+  
+
+  When cacert.pem exists, this option has the same effect
+  as -C or --ca-cert. If it does not exist,
+  then the executable will attempt to obtain the CA certificate from the
+  SSL peer on its first SSL connection and save it to the named PEM
+  file.  If it is successful, it will immediately drop the connection
+  and reconnect, and from then on all SSL connections must be
+  authenticated by a certificate signed by the CA certificate thus
+  obtained.
+
+
+  This option exposes the SSL connection to a man-in-the-middle
+  attack obtaining the initial CA certificate, but it may be useful
+  for bootstrapping.  
+
+
+  This option is only useful if the SSL peer sends its CA certificate as
+  part of the SSL certificate chain.  The SSL protocol does not require
+  the server to send the CA certificate.
+
+
+  This option is mutually exclusive with -C and
+  --ca-cert.
+
+  
+
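Review bot: the fragment rightly discloses that --bootstrap-ca-cert leaves the first connection open to a man-in-the-middle obtaining the CA certificate, but it stops short of telling the operator what to do about it; the paragraph should add that the saved cacert.pem must be checked out of band against the real CA certificate (comparing fingerprints, for instance) before it is relied on, and that -C/--ca-cert is preferable wherever the CA certificate can be copied in advance. Minor: there is trailing whitespace after "for bootstrapping." in the second paragraph.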
diff --git a/ovn/utilities/ovn-nbctl.8.xml b/ovn/utilities/ovn-nbctl.8.xml
index 4911c6a..f95b88d 100644
--- a/ovn/utilities/ovn-nbctl.8.xml
+++ b/ovn/utilities/ovn-nbctl.8.xml
@@ -829,6 +829,7 @@
   database.
 
 http://www.w3.org/2003/XInclude"/>
+http://www.w3.org/2003/XInclude"/>
 
 Other Options
 
diff --git a/ovn/utilities/ovn-nbctl.c b/ovn/utilities/ovn-nbctl.c
index 4397daf..f0ff27a 100644
--- a/ovn/utilities/ovn-nbctl.c
+++ b/ovn/utilities/ovn-nbctl.c
@@ -165,6 +165,7 @@ parse_options(int argc, char *argv[], struct shash 
*local_options)
 OPT_LOCAL,
 OPT_COMMANDS,
 OPT_OPTIONS,
+OPT_BOOTSTRAP_CA_CERT,
 VLOG_OPTION_ENUMS,
 TABLE_OPTION_ENUMS,
 SSL_OPTION_ENUMS,
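Review bot: style only, OPT_BOOTSTRAP_CA_CERT is an SSL option, so it reads better placed right before or after SSL_OPTION_ENUMS rather than between OPT_OPTIONS and VLOG_OPTION_ENUMS; the corresponding long option added further down in this patch is already grouped with STREAM_SSL_LONG_OPTIONS, and the enum should follow the same grouping.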
@@ -183,6 +184,7 @@ parse_options(int argc, char *argv[], struct shash 
*local_options)
 {"version", no_argument, NULL, 'V'},
 VLOG_LONG_OPTIONS,
 STREAM_SSL_LONG_OPTIONS,
+{"bootstrap-ca-cert", required_argument, NULL, OPT_BOOTSTRAP_CA_CERT},
 TABLE_LONG_OPTIONS,
 {NULL, 0, NULL, 0},
 };
@@ -286,6 +288,10 @@ parse_options(int argc, char *argv[], struct shash 
*local_options)
 TABLE_OPTION_HANDLERS(_style)
 STREAM_SSL_OPTION_HANDLERS
 
+case OPT_BOOTSTRAP_CA_CERT:
+stream_ssl_set_ca_cert_file(optarg, true);
+break;
+
 case '?':
 exit(EXIT_FAILURE);
 
-- 
1.9.1
