[ovs-dev] ovn-nbctl: Ability to bootstrap CA certificate.
diff mbox

Message ID 1484744973-11488-1-git-send-email-guru@ovn.org
State Accepted
Headers show

Commit Message

Guru Shetty Jan. 18, 2017, 1:09 p.m. UTC
Utilities like ovs-vsctl have the ability to bootstrap
CA certificate.  It looks useful for ovn-nbctl to have
the same ability too.  One could connect over to OVN NB
database over SSL for transactions without having to
copy over the certificate being used by ovsdb-server
backing OVN NB.

Signed-off-by: Gurucharan Shetty <guru@ovn.org>
---
 lib/automake.mk               |  1 +
 lib/ssl-bootstrap.xml         | 30 ++++++++++++++++++++++++++++++
 ovn/utilities/ovn-nbctl.8.xml |  1 +
 ovn/utilities/ovn-nbctl.c     |  6 ++++++
 4 files changed, 38 insertions(+)
 create mode 100644 lib/ssl-bootstrap.xml

Comments

Lance Richardson Jan. 18, 2017, 11:32 p.m. UTC | #1
> From: "Gurucharan Shetty" <guru@ovn.org>
> To: dev@openvswitch.org
> Sent: Wednesday, January 18, 2017 8:09:33 AM
> Subject: [ovs-dev] [PATCH] ovn-nbctl: Ability to bootstrap CA certificate.
> 
> Utilities like ovs-vsctl have the ability to bootstrap
> CA certificate.  It looks useful for ovn-nbctl to have
> the same ability too.  One could connect over to OVN NB
> database over SSL for transactions without having to
> copy over the certificate being used by ovsdb-server
> backing OVN NB.
> 
> Signed-off-by: Gurucharan Shetty <guru@ovn.org>
> ---
LGTM.

Acked-by: Lance Richardson <lrichard@redhat.com>
Ben Pfaff Jan. 19, 2017, 12:51 a.m. UTC | #2
On Wed, Jan 18, 2017 at 05:09:33AM -0800, Gurucharan Shetty wrote:
> Utilities like ovs-vsctl have the ability to bootstrap
> CA certificate.  It looks useful for ovn-nbctl to have
> the same ability too.  One could connect over to OVN NB
> database over SSL for transactions without having to
> copy over the certificate being used by ovsdb-server
> backing OVN NB.
> 
> Signed-off-by: Gurucharan Shetty <guru@ovn.org>

Seems like a good idea.

Acked-by: Ben Pfaff <blp@ovn.org>

Patch
diff mbox

diff --git a/lib/automake.mk b/lib/automake.mk
index b03dd2d..b1adfce 100644
--- a/lib/automake.mk
+++ b/lib/automake.mk
@@ -441,6 +441,7 @@  EXTRA_DIST += \
 	lib/dirs.c.in \
 	lib/db-ctl-base.xml \
 	lib/ssl.xml \
+	lib/ssl-bootstrap.xml \
 	lib/vlog.xml
 
 MAN_FRAGMENTS += \
diff --git a/lib/ssl-bootstrap.xml b/lib/ssl-bootstrap.xml
new file mode 100644
index 0000000..5fd68e0
--- /dev/null
+++ b/lib/ssl-bootstrap.xml
@@ -0,0 +1,30 @@ 
+<?xml version="1.0" encoding="utf-8"?>
+<dl>
+  <dt><code>--bootstrap-ca-cert=</code><var>cacert.pem</var></dt>
+  <dd>
+    <p>
+      When <var>cacert.pem</var> exists, this option has the same effect
+      as <code>-C</code> or <code>--ca-cert</code>. If it does not exist,
+      then the executable will attempt to obtain the CA certificate from the
+      SSL peer on its first SSL connection and save it to the named PEM
+      file.  If it is successful, it will immediately drop the connection
+      and reconnect, and from then on all SSL connections must be
+      authenticated by a certificate signed by the CA certificate thus
+      obtained.
+    </p>
+    <p>
+      This option exposes the SSL connection to a man-in-the-middle
+      attack obtaining the initial CA certificate, but it may be useful
+      for bootstrapping.      
+    </p>
+    <p>
+      This option is only useful if the SSL peer sends its CA certificate as
+      part of the SSL certificate chain.  The SSL protocol does not require
+      the server to send the CA certificate.
+    </p>
+    <p>
+      This option is mutually exclusive with <code>-C</code> and
+      <code>--ca-cert</code>.
+    </p>
+  </dd>
+</dl>
diff --git a/ovn/utilities/ovn-nbctl.8.xml b/ovn/utilities/ovn-nbctl.8.xml
index 4911c6a..f95b88d 100644
--- a/ovn/utilities/ovn-nbctl.8.xml
+++ b/ovn/utilities/ovn-nbctl.8.xml
@@ -829,6 +829,7 @@ 
       database.
     </p>
     <xi:include href="lib/ssl.xml" xmlns:xi="http://www.w3.org/2003/XInclude"/>
+    <xi:include href="lib/ssl-bootstrap.xml" xmlns:xi="http://www.w3.org/2003/XInclude"/>
 
     <h2>Other Options</h2>
 
diff --git a/ovn/utilities/ovn-nbctl.c b/ovn/utilities/ovn-nbctl.c
index 4397daf..f0ff27a 100644
--- a/ovn/utilities/ovn-nbctl.c
+++ b/ovn/utilities/ovn-nbctl.c
@@ -165,6 +165,7 @@  parse_options(int argc, char *argv[], struct shash *local_options)
         OPT_LOCAL,
         OPT_COMMANDS,
         OPT_OPTIONS,
+        OPT_BOOTSTRAP_CA_CERT,
         VLOG_OPTION_ENUMS,
         TABLE_OPTION_ENUMS,
         SSL_OPTION_ENUMS,
@@ -183,6 +184,7 @@  parse_options(int argc, char *argv[], struct shash *local_options)
         {"version", no_argument, NULL, 'V'},
         VLOG_LONG_OPTIONS,
         STREAM_SSL_LONG_OPTIONS,
+        {"bootstrap-ca-cert", required_argument, NULL, OPT_BOOTSTRAP_CA_CERT},
         TABLE_LONG_OPTIONS,
         {NULL, 0, NULL, 0},
     };
@@ -286,6 +288,10 @@  parse_options(int argc, char *argv[], struct shash *local_options)
         TABLE_OPTION_HANDLERS(&table_style)
         STREAM_SSL_OPTION_HANDLERS
 
+        case OPT_BOOTSTRAP_CA_CERT:
+            stream_ssl_set_ca_cert_file(optarg, true);
+            break;
+
         case '?':
             exit(EXIT_FAILURE);