Utilities like ovs-vsctl have the ability to bootstrap
CA certificate. It looks useful for ovn-nbctl to have
the same ability too. One could then connect to the OVN NB
database over SSL for transactions without having to
copy over the certificate used by the ovsdb-server
backing OVN NB.
Signed-off-by: Gurucharan Shetty
---
lib/automake.mk | 1 +
lib/ssl-bootstrap.xml | 30 ++
ovn/utilities/ovn-nbctl.8.xml | 1 +
ovn/utilities/ovn-nbctl.c | 6 ++
4 files changed, 38 insertions(+)
create mode 100644 lib/ssl-bootstrap.xml
diff --git a/lib/automake.mk b/lib/automake.mk
index b03dd2d..b1adfce 100644
--- a/lib/automake.mk
+++ b/lib/automake.mk
@@ -441,6 +441,7 @@ EXTRA_DIST += \
lib/dirs.c.in \
lib/db-ctl-base.xml \
lib/ssl.xml \
+ lib/ssl-bootstrap.xml \
lib/vlog.xml
MAN_FRAGMENTS += \
diff --git a/lib/ssl-bootstrap.xml b/lib/ssl-bootstrap.xml
new file mode 100644
index 000..5fd68e0
--- /dev/null
+++ b/lib/ssl-bootstrap.xml
@@ -0,0 +1,30 @@
+
+
+ --bootstrap-ca-cert=cacert.pem
+
+
+ When cacert.pem exists, this option has the same effect
+ as -C or --ca-cert. If it does not exist,
+ then the executable will attempt to obtain the CA certificate from the
+ SSL peer on its first SSL connection and save it to the named PEM
+ file. If it is successful, it will immediately drop the connection
+ and reconnect, and from then on all SSL connections must be
+ authenticated by a certificate signed by the CA certificate thus
+ obtained.
+
+
+ This option exposes the SSL connection to a man-in-the-middle
+ attack obtaining the initial CA certificate, but it may be useful
+ for bootstrapping.
+
+
+ This option is only useful if the SSL peer sends its CA certificate as
+ part of the SSL certificate chain. The SSL protocol does not require
+ the server to send the CA certificate.
+
+
+ This option is mutually exclusive with -C and
+ --ca-cert.
+
+
+
diff --git a/ovn/utilities/ovn-nbctl.8.xml b/ovn/utilities/ovn-nbctl.8.xml
index 4911c6a..f95b88d 100644
--- a/ovn/utilities/ovn-nbctl.8.xml
+++ b/ovn/utilities/ovn-nbctl.8.xml
@@ -829,6 +829,7 @@
database.
http://www.w3.org/2003/XInclude"/>
+http://www.w3.org/2003/XInclude"/>
Other Options
diff --git a/ovn/utilities/ovn-nbctl.c b/ovn/utilities/ovn-nbctl.c
index 4397daf..f0ff27a 100644
--- a/ovn/utilities/ovn-nbctl.c
+++ b/ovn/utilities/ovn-nbctl.c
@@ -165,6 +165,7 @@ parse_options(int argc, char *argv[], struct shash
*local_options)
OPT_LOCAL,
OPT_COMMANDS,
OPT_OPTIONS,
+OPT_BOOTSTRAP_CA_CERT,
VLOG_OPTION_ENUMS,
TABLE_OPTION_ENUMS,
SSL_OPTION_ENUMS,
@@ -183,6 +184,7 @@ parse_options(int argc, char *argv[], struct shash
*local_options)
{"version", no_argument, NULL, 'V'},
VLOG_LONG_OPTIONS,
STREAM_SSL_LONG_OPTIONS,
+{"bootstrap-ca-cert", required_argument, NULL, OPT_BOOTSTRAP_CA_CERT},
TABLE_LONG_OPTIONS,
{NULL, 0, NULL, 0},
};
@@ -286,6 +288,10 @@ parse_options(int argc, char *argv[], struct shash
*local_options)
TABLE_OPTION_HANDLERS(_style)
STREAM_SSL_OPTION_HANDLERS
+case OPT_BOOTSTRAP_CA_CERT:
+stream_ssl_set_ca_cert_file(optarg, true);
+break;
+
case '?':
exit(EXIT_FAILURE);
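Review bot: The new `case OPT_BOOTSTRAP_CA_CERT:` handler does nothing to enforce the mutual exclusion with `-C`/`--ca-cert` that the added ssl-bootstrap.xml promises; `STREAM_SSL_OPTION_HANDLERS` just above it presumably routes `--ca-cert` to the same `stream_ssl_set_ca_cert_file()` with `bootstrap=false`, so whichever option appears last on the command line silently wins, and a user who deliberately passed `--ca-cert` could end up in bootstrap mode, trusting and writing to disk whatever CA the first peer presents. Either record the fact that both were given and reject the combination with a `ctl_fatal()` after option parsing, or at minimum document the last-wins behaviour next to the case, e.g. `/* Last of --ca-cert/--bootstrap-ca-cert wins; not enforced as exclusive. */`. The trailing blank line added before `case '?':` is also unusual for the surrounding switch. parse_options() and its switch begin and end outside this hunk.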
--
1.9.1