From patchwork Wed Jan 18 13:09:33 2017
X-Patchwork-Submitter: Gurucharan Shetty
X-Patchwork-Id: 716919
From: Gurucharan Shetty
To: dev@openvswitch.org
Date: Wed, 18 Jan 2017 05:09:33 -0800
Message-Id: <1484744973-11488-1-git-send-email-guru@ovn.org>
Subject: [ovs-dev] [PATCH] ovn-nbctl: Ability to bootstrap CA certificate.
Utilities like ovs-vsctl have the ability to bootstrap a
CA certificate. It looks useful for ovn-nbctl to have
the same ability too. One could connect to the OVN NB
database over SSL for transactions without having to
copy over the certificate being used by the ovsdb-server
backing OVN NB.
Signed-off-by: Gurucharan Shetty
Acked-by: Lance Richardson
Acked-by: Ben Pfaff
---
lib/automake.mk | 1 +
lib/ssl-bootstrap.xml | 30 ++++++++++++++++++++++++++++++
ovn/utilities/ovn-nbctl.8.xml | 1 +
ovn/utilities/ovn-nbctl.c | 6 ++++++
4 files changed, 38 insertions(+)
create mode 100644 lib/ssl-bootstrap.xml
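The bootstrap behaviour this patch documents (use cacert.pem if it exists, otherwise take the CA certificate from the peer's chain on the first connection, save it, and reconnect) is the trust-on-first-use pattern, and the man-page fragment names its weak point: the first connection is unauthenticated. The following added example is not code from the patch or from Open vSwitch/OVN; it models that decision logic in plain Python with certificates represented as dicts (subject, issuer, PEM bytes) rather than real TLS, so it runs offline. The names bootstrap_ca_cert, find_ca_in_chain and verify_bootstrapped_ca, and the sample chain, are constructed for illustration. It also shows the two cases a practitioner cares about: the peer that does not send its CA certificate (the protocol does not require it, so bootstrap must fail rather than trust the leaf), and the out-of-band fingerprint check that closes the man-in-the-middle window once the file has been written.

```python
"""Model of the --bootstrap-ca-cert decision logic described in the patch.

Added example, not code from the patch or from Open vSwitch/OVN. Certificates
are modelled as plain dicts (subject, issuer, pem bytes); no real TLS is done.
"""
import hashlib
import os
import tempfile


class BootstrapError(Exception):
    """Raised when the peer's chain carries no CA certificate."""


def find_ca_in_chain(chain):
    """Return the CA certificate the peer sent, or None.

    A CA is taken to be the self-signed certificate (subject == issuer) in
    the chain. The TLS protocol does not require a server to send its CA,
    so None is a legitimate outcome and must not be treated as trust.
    """
    for cert in chain:
        if cert["subject"] == cert["issuer"]:
            return cert
    return None


def fingerprint(pem):
    """SHA-256 hex fingerprint of a PEM blob, for out-of-band comparison."""
    return hashlib.sha256(pem).hexdigest()


def bootstrap_ca_cert(path, peer_chain):
    """Decide how a client treats ``path`` on its first SSL connection.

    Returns (mode, ca_pem):
      ("verified", pem)     -- cacert.pem already existed; same as --ca-cert
      ("bootstrapped", pem) -- CA taken from the peer and saved; the caller
                               must drop the connection and reconnect
    Raises BootstrapError if the peer sent no CA certificate.
    """
    if os.path.exists(path):
        with open(path, "rb") as f:
            return "verified", f.read()
    ca = find_ca_in_chain(peer_chain)
    if ca is None:
        raise BootstrapError("peer did not send its CA certificate; cannot bootstrap")
    with open(path, "wb") as f:
        f.write(ca["pem"])
    return "bootstrapped", ca["pem"]


def verify_bootstrapped_ca(path, expected_fingerprint):
    """Compare the saved CA against a fingerprint obtained out of band.

    This is the operator's check after bootstrapping: the fingerprint is
    read from the ovsdb-server host over a trusted channel and compared
    with the file the first (unauthenticated) connection produced.
    """
    with open(path, "rb") as f:
        return fingerprint(f.read()) == expected_fingerprint


# Constructed sample chain: a leaf certificate signed by a self-signed CA.
SAMPLE_CA = {"subject": "CN=ovn-ca", "issuer": "CN=ovn-ca",
             "pem": b"-----BEGIN CERTIFICATE-----\nconstructed-ca\n-----END CERTIFICATE-----\n"}
SAMPLE_LEAF = {"subject": "CN=ovn-nb", "issuer": "CN=ovn-ca",
               "pem": b"-----BEGIN CERTIFICATE-----\nconstructed-leaf\n-----END CERTIFICATE-----\n"}


def demo():
    """Run the three scenarios in a scratch directory; return what happened."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "cacert.pem")
        # First connection: no file yet, peer sends its CA -> bootstrap.
        first, _ = bootstrap_ca_cert(path, [SAMPLE_LEAF, SAMPLE_CA])
        # Reconnect: file now exists -> behaves like --ca-cert.
        second, _ = bootstrap_ca_cert(path, [SAMPLE_LEAF, SAMPLE_CA])
        # Out-of-band check of what was written.
        ok = verify_bootstrapped_ca(path, fingerprint(SAMPLE_CA["pem"]))
        # Peer that omits its CA from the chain: bootstrap must fail.
        try:
            bootstrap_ca_cert(os.path.join(d, "other.pem"), [SAMPLE_LEAF])
            third = "unexpected"
        except BootstrapError:
            third = "error"
    return first, second, ok, third


if __name__ == "__main__":
    print(demo())
```

The point of the model is the order of operations: the CA file is only ever written from a chain that actually contains a self-signed certificate, and nothing is trusted until verify_bootstrapped_ca has been run against a fingerprint that did not come over the same connection.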
diff --git a/lib/automake.mk b/lib/automake.mk
index b03dd2d..b1adfce 100644
--- a/lib/automake.mk
+++ b/lib/automake.mk
@@ -441,6 +441,7 @@ EXTRA_DIST += \
lib/dirs.c.in \
lib/db-ctl-base.xml \
lib/ssl.xml \
+ lib/ssl-bootstrap.xml \
lib/vlog.xml
MAN_FRAGMENTS += \
diff --git a/lib/ssl-bootstrap.xml b/lib/ssl-bootstrap.xml
new file mode 100644
index 0000000..5fd68e0
--- /dev/null
+++ b/lib/ssl-bootstrap.xml
@@ -0,0 +1,30 @@
+
+
+ --bootstrap-ca-cert=
cacert.pem
+ -
+
+ When cacert.pem exists, this option has the same effect
+ as -C
or --ca-cert
. If it does not exist,
+ then the executable will attempt to obtain the CA certificate from the
+ SSL peer on its first SSL connection and save it to the named PEM
+ file. If it is successful, it will immediately drop the connection
+ and reconnect, and from then on all SSL connections must be
+ authenticated by a certificate signed by the CA certificate thus
+ obtained.
+
+
+ This option exposes the SSL connection to a man-in-the-middle
+ attack obtaining the initial CA certificate, but it may be useful
+ for bootstrapping.
+
+
+ This option is only useful if the SSL peer sends its CA certificate as
+ part of the SSL certificate chain. The SSL protocol does not require
+ the server to send the CA certificate.
+
+
+ This option is mutually exclusive with -C
and
+ --ca-cert
.
+
+
+
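Review bot: the new fragment states the risk ("This option exposes the SSL connection to a man-in-the-middle attack obtaining the initial CA certificate") but gives the operator no mitigation; suggest adding one sentence after it recommending that the saved cacert.pem be compared against the CA certificate on the ovsdb-server host (for example by fingerprint) before it is relied on, and that --bootstrap-ca-cert be replaced by -C/--ca-cert once the file is in place. The paragraph "This option is only useful if the SSL peer sends its CA certificate as part of the SSL certificate chain" would also read better if it said what the executable does in that case (whether the connection fails or the option is silently ineffective), since that is the first thing a user hitting it will need to know.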
diff --git a/ovn/utilities/ovn-nbctl.8.xml b/ovn/utilities/ovn-nbctl.8.xml
index 4911c6a..f95b88d 100644
--- a/ovn/utilities/ovn-nbctl.8.xml
+++ b/ovn/utilities/ovn-nbctl.8.xml
@@ -829,6 +829,7 @@
database.
+
Other Options
diff --git a/ovn/utilities/ovn-nbctl.c b/ovn/utilities/ovn-nbctl.c
index 4397daf..f0ff27a 100644
--- a/ovn/utilities/ovn-nbctl.c
+++ b/ovn/utilities/ovn-nbctl.c
@@ -165,6 +165,7 @@ parse_options(int argc, char *argv[], struct shash *local_options)
OPT_LOCAL,
OPT_COMMANDS,
OPT_OPTIONS,
+ OPT_BOOTSTRAP_CA_CERT,
VLOG_OPTION_ENUMS,
TABLE_OPTION_ENUMS,
SSL_OPTION_ENUMS,
@@ -183,6 +184,7 @@ parse_options(int argc, char *argv[], struct shash *local_options)
{"version", no_argument, NULL, 'V'},
VLOG_LONG_OPTIONS,
STREAM_SSL_LONG_OPTIONS,
+ {"bootstrap-ca-cert", required_argument, NULL, OPT_BOOTSTRAP_CA_CERT},
TABLE_LONG_OPTIONS,
{NULL, 0, NULL, 0},
};
@@ -286,6 +288,10 @@ parse_options(int argc, char *argv[], struct shash *local_options)
TABLE_OPTION_HANDLERS(&table_style)
STREAM_SSL_OPTION_HANDLERS
+ case OPT_BOOTSTRAP_CA_CERT:
+ stream_ssl_set_ca_cert_file(optarg, true);
+ break;
+
case '?':
exit(EXIT_FAILURE);
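Review bot: the documentation added in lib/ssl-bootstrap.xml says --bootstrap-ca-cert "is mutually exclusive with -C and --ca-cert", but the new `case OPT_BOOTSTRAP_CA_CERT:` simply calls `stream_ssl_set_ca_cert_file(optarg, true);` with no check that a CA certificate file was already set by STREAM_SSL_OPTION_HANDLERS, so if both options are given, whichever appears last on the command line silently wins and the other is discarded. Either record that both were supplied and fail with a clear message, or change the man-page wording to describe the last-wins behaviour.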