@@ -441,6 +441,7 @@ EXTRA_DIST += \
lib/dirs.c.in \
lib/db-ctl-base.xml \
lib/ssl.xml \
+ lib/ssl-bootstrap.xml \
lib/vlog.xml
MAN_FRAGMENTS += \
new file mode 100644
@@ -0,0 +1,30 @@
+<?xml version="1.0" encoding="utf-8"?>
+<dl>
+ <dt><code>--bootstrap-ca-cert=</code><var>cacert.pem</var></dt>
+ <dd>
+ <p>
+ When <var>cacert.pem</var> exists, this option has the same effect
+ as <code>-C</code> or <code>--ca-cert</code>. If it does not exist,
+ then the executable will attempt to obtain the CA certificate from the
+ SSL peer on its first SSL connection and save it to the named PEM
+ file. If it is successful, it will immediately drop the connection
+ and reconnect, and from then on all SSL connections must be
+ authenticated by a certificate signed by the CA certificate thus
+ obtained.
+ </p>
+ <p>
+ This option exposes the SSL connection to a man-in-the-middle
+ attack obtaining the initial CA certificate, but it may be useful
+ for bootstrapping.
+ </p>
+ <p>
+ This option is only useful if the SSL peer sends its CA certificate as
+ part of the SSL certificate chain. The SSL protocol does not require
+ the server to send the CA certificate.
+ </p>
+ <p>
+ This option is mutually exclusive with <code>-C</code> and
+ <code>--ca-cert</code>.
+ </p>
+ </dd>
+</dl>
@@ -829,6 +829,7 @@
database.
</p>
<xi:include href="lib/ssl.xml" xmlns:xi="http://www.w3.org/2003/XInclude"/>
+ <xi:include href="lib/ssl-bootstrap.xml" xmlns:xi="http://www.w3.org/2003/XInclude"/>
<h2>Other Options</h2>
@@ -165,6 +165,7 @@ parse_options(int argc, char *argv[], struct shash *local_options)
OPT_LOCAL,
OPT_COMMANDS,
OPT_OPTIONS,
+ OPT_BOOTSTRAP_CA_CERT,
VLOG_OPTION_ENUMS,
TABLE_OPTION_ENUMS,
SSL_OPTION_ENUMS,
@@ -183,6 +184,7 @@ parse_options(int argc, char *argv[], struct shash *local_options)
{"version", no_argument, NULL, 'V'},
VLOG_LONG_OPTIONS,
STREAM_SSL_LONG_OPTIONS,
+ {"bootstrap-ca-cert", required_argument, NULL, OPT_BOOTSTRAP_CA_CERT},
TABLE_LONG_OPTIONS,
{NULL, 0, NULL, 0},
};
@@ -286,6 +288,10 @@ parse_options(int argc, char *argv[], struct shash *local_options)
TABLE_OPTION_HANDLERS(&table_style)
STREAM_SSL_OPTION_HANDLERS
+ case OPT_BOOTSTRAP_CA_CERT:
+ stream_ssl_set_ca_cert_file(optarg, true);
+ break;
+
case '?':
exit(EXIT_FAILURE);
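Review bot: The new `case OPT_BOOTSTRAP_CA_CERT:` calls `stream_ssl_set_ca_cert_file(optarg, true)` unconditionally, so the "mutually exclusive with -C/--ca-cert" rule that lib/ssl-bootstrap.xml promises is not enforced in the code: when both options are passed, whichever appears last on the command line silently wins, and a `--ca-cert` pinned to a trusted CA can be downgraded to trust-on-first-use by a trailing `--bootstrap-ca-cert`. Because `-C` is handled inside STREAM_SSL_OPTION_HANDLERS, which this hunk does not show, the least invasive guard is a local flag set in this case (`bootstrap_ca_cert = true;`) and checked once option parsing is done, failing hard if the SSL handlers also report a `--ca-cert` (presumably they can, but that is not visible here). A one-line comment on the case would also help the next reader, e.g. `/* Trust-on-first-use: the CA presented by the peer on the first connection is saved and trusted; see lib/ssl-bootstrap.xml for the MITM caveat. */`. parse_options continues past the end of this hunk.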
Utilities like ovs-vsctl have the ability to bootstrap a CA certificate. It looks useful for ovn-nbctl to have the same ability too. One could then connect to the OVN NB database over SSL for transactions without having to copy over the certificate being used by the ovsdb-server backing OVN NB. Signed-off-by: Gurucharan Shetty <guru@ovn.org> --- lib/automake.mk | 1 + lib/ssl-bootstrap.xml | 30 ++++++++++++++++++++++++++++++ ovn/utilities/ovn-nbctl.8.xml | 1 + ovn/utilities/ovn-nbctl.c | 6 ++++++ 4 files changed, 38 insertions(+) create mode 100644 lib/ssl-bootstrap.xml