From patchwork Wed Jan 18 13:09:33 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Gurucharan Shetty <guru@ovn.org>
X-Patchwork-Id: 716919
Return-Path: <ovs-dev-bounces@openvswitch.org>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from mail.linuxfoundation.org (mail.linuxfoundation.org
	[140.211.169.12])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256
	bits)) (No client certificate requested)
	by ozlabs.org (Postfix) with ESMTPS id 3v3jfj0HSCz9t23
	for <incoming@patchwork.ozlabs.org>;
	Thu, 19 Jan 2017 10:22:03 +1100 (AEDT)
Received: from mail.linux-foundation.org (localhost [127.0.0.1])
	by mail.linuxfoundation.org (Postfix) with ESMTP id 99D1FBD5;
	Wed, 18 Jan 2017 23:22:00 +0000 (UTC)
X-Original-To: dev@openvswitch.org
Delivered-To: ovs-dev@mail.linuxfoundation.org
Received: from smtp1.linuxfoundation.org (smtp1.linux-foundation.org
	[172.17.192.35])
	by mail.linuxfoundation.org (Postfix) with ESMTPS id 521A08A5
	for <dev@openvswitch.org>; Wed, 18 Jan 2017 23:22:00 +0000 (UTC)
X-Greylist: whitelisted by SQLgrey-1.7.6
Received: from mail-pf0-f194.google.com (mail-pf0-f194.google.com
	[209.85.192.194])
	by smtp1.linuxfoundation.org (Postfix) with ESMTPS id C46928C
	for <dev@openvswitch.org>; Wed, 18 Jan 2017 23:21:59 +0000 (UTC)
Received: by mail-pf0-f194.google.com with SMTP id f144so1953789pfa.2
	for <dev@openvswitch.org>; Wed, 18 Jan 2017 15:21:59 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:subject:date:message-id;
	bh=H7vKv3BE2UDPVUWip+pyc1s7pau2aETzAuh8K1xXDSQ=;
	b=fkaDer9N/CY5ZeUqUcphzbRz5eXfMr+c9S2I+JbBS47g8h9XXStuyHCx0Coi9f8tXc
	kwB5QYTBKCKGM87tMiWw/vzmcipgRCqMyzI0eacCyYCuJAKU9hszX9GLjOJlnm8UCr+T
	5ZEqk/llSqQdPS8Nownu3aGoiiqRPl13Jwy5FI5VSH51luSSsWc8hBNvmRvBx1McWPL2
	1+1sKIu6GFzBOifvKqDvMATPCEq4w9da4iETtKXleAFdXbj+uR1UqcPUhtPn0OJwb/wv
	p3YudeM8QQL7n87dqF92mnSaaaEz7PI2xPIQUwoU/tUHGIUSm7+PTJPSW/TCNdMV15A4
	JCvw==
X-Gm-Message-State: 
 AIkVDXJbK1VYIuTDR+Ww/9GVgEZt0sd0IQGFH+GC9GXfa5rrnN32+F1w4Mcz4yE7HWgAtw==
X-Received: by 10.84.139.36 with SMTP id 33mr8646308plq.61.1484781719235;
	Wed, 18 Jan 2017 15:21:59 -0800 (PST)
Received: from ubuntu.eng.vmware.com ([208.91.1.34])
	by smtp.gmail.com with ESMTPSA id
	z77sm3190744pfk.47.2017.01.18.15.21.58 for <dev@openvswitch.org>
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-SHA bits=128/128);
	Wed, 18 Jan 2017 15:21:58 -0800 (PST)
From: Gurucharan Shetty <guru@ovn.org>
To: dev@openvswitch.org
Date: Wed, 18 Jan 2017 05:09:33 -0800
Message-Id: <1484744973-11488-1-git-send-email-guru@ovn.org>
X-Mailer: git-send-email 1.9.1
X-Spam-Status: No, score=-0.4 required=5.0 tests=BAYES_00, DATE_IN_PAST_06_12,
	FREEMAIL_FROM,RCVD_IN_DNSWL_NONE autolearn=no version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	smtp1.linux-foundation.org
Subject: [ovs-dev] [PATCH] ovn-nbctl: Ability to bootstrap CA certificate.
X-BeenThere: ovs-dev@openvswitch.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: <ovs-dev.openvswitch.org>
List-Unsubscribe: <https://mail.openvswitch.org/mailman/options/ovs-dev>,
	<mailto:ovs-dev-request@openvswitch.org?subject=unsubscribe>
List-Archive: <http://mail.openvswitch.org/pipermail/ovs-dev/>
List-Post: <mailto:ovs-dev@openvswitch.org>
List-Help: <mailto:ovs-dev-request@openvswitch.org?subject=help>
List-Subscribe: <https://mail.openvswitch.org/mailman/listinfo/ovs-dev>,
	<mailto:ovs-dev-request@openvswitch.org?subject=subscribe>
MIME-Version: 1.0
Sender: ovs-dev-bounces@openvswitch.org
Errors-To: ovs-dev-bounces@openvswitch.org

Utilities like ovs-vsctl have the ability to bootstrap
CA certificate.  It looks useful for ovn-nbctl to have
the same ability too.  One could connect over to OVN NB
database over SSL for transactions without having to
copy over the certificate being used by ovsdb-server
backing OVN NB.

Signed-off-by: Gurucharan Shetty <guru@ovn.org>
Acked-by: Lance Richardson <lrichard@redhat.com>
Acked-by: Ben Pfaff <blp@ovn.org>
---
 lib/automake.mk               |  1 +
 lib/ssl-bootstrap.xml         | 30 ++++++++++++++++++++++++++++++
 ovn/utilities/ovn-nbctl.8.xml |  1 +
 ovn/utilities/ovn-nbctl.c     |  6 ++++++
 4 files changed, 38 insertions(+)
 create mode 100644 lib/ssl-bootstrap.xml

diff --git a/lib/automake.mk b/lib/automake.mk
index b03dd2d..b1adfce 100644
--- a/lib/automake.mk
+++ b/lib/automake.mk
@@ -441,6 +441,7 @@ EXTRA_DIST += \
 	lib/dirs.c.in \
 	lib/db-ctl-base.xml \
 	lib/ssl.xml \
+	lib/ssl-bootstrap.xml \
 	lib/vlog.xml
 
 MAN_FRAGMENTS += \
diff --git a/lib/ssl-bootstrap.xml b/lib/ssl-bootstrap.xml
new file mode 100644
index 0000000..5fd68e0
--- /dev/null
+++ b/lib/ssl-bootstrap.xml
@@ -0,0 +1,30 @@
+<?xml version="1.0" encoding="utf-8"?>
+<dl>
+  <dt><code>--bootstrap-ca-cert=</code><var>cacert.pem</var></dt>
+  <dd>
+    <p>
+      When <var>cacert.pem</var> exists, this option has the same effect
+      as <code>-C</code> or <code>--ca-cert</code>. If it does not exist,
+      then the executable will attempt to obtain the CA certificate from the
+      SSL peer on its first SSL connection and save it to the named PEM
+      file.  If it is successful, it will immediately drop the connection
+      and reconnect, and from then on all SSL connections must be
+      authenticated by a certificate signed by the CA certificate thus
+      obtained.
+    </p>
+    <p>
+      This option exposes the SSL connection to a man-in-the-middle
+      attack obtaining the initial CA certificate, but it may be useful
+      for bootstrapping.      
+    </p>
+    <p>
+      This option is only useful if the SSL peer sends its CA certificate as
+      part of the SSL certificate chain.  The SSL protocol does not require
+      the server to send the CA certificate.
+    </p>
+    <p>
+      This option is mutually exclusive with <code>-C</code> and
+      <code>--ca-cert</code>.
+    </p>
+  </dd>
+</dl>
diff --git a/ovn/utilities/ovn-nbctl.8.xml b/ovn/utilities/ovn-nbctl.8.xml
index 4911c6a..f95b88d 100644
--- a/ovn/utilities/ovn-nbctl.8.xml
+++ b/ovn/utilities/ovn-nbctl.8.xml
@@ -829,6 +829,7 @@
       database.
     </p>
     <xi:include href="lib/ssl.xml" xmlns:xi="http://www.w3.org/2003/XInclude"/>
+    <xi:include href="lib/ssl-bootstrap.xml" xmlns:xi="http://www.w3.org/2003/XInclude"/>
 
     <h2>Other Options</h2>
 
diff --git a/ovn/utilities/ovn-nbctl.c b/ovn/utilities/ovn-nbctl.c
index 4397daf..f0ff27a 100644
--- a/ovn/utilities/ovn-nbctl.c
+++ b/ovn/utilities/ovn-nbctl.c
@@ -165,6 +165,7 @@ parse_options(int argc, char *argv[], struct shash *local_options)
         OPT_LOCAL,
         OPT_COMMANDS,
         OPT_OPTIONS,
+        OPT_BOOTSTRAP_CA_CERT,
         VLOG_OPTION_ENUMS,
         TABLE_OPTION_ENUMS,
         SSL_OPTION_ENUMS,
@@ -183,6 +184,7 @@ parse_options(int argc, char *argv[], struct shash *local_options)
         {"version", no_argument, NULL, 'V'},
         VLOG_LONG_OPTIONS,
         STREAM_SSL_LONG_OPTIONS,
+        {"bootstrap-ca-cert", required_argument, NULL, OPT_BOOTSTRAP_CA_CERT},
         TABLE_LONG_OPTIONS,
         {NULL, 0, NULL, 0},
     };
@@ -286,6 +288,10 @@ parse_options(int argc, char *argv[], struct shash *local_options)
         TABLE_OPTION_HANDLERS(&table_style)
         STREAM_SSL_OPTION_HANDLERS
 
+        case OPT_BOOTSTRAP_CA_CERT:
+            stream_ssl_set_ca_cert_file(optarg, true);
+            break;
+
         case '?':
             exit(EXIT_FAILURE);