[ovs-discuss] SSL Configuration

OVSUser at centrum.cz OVSUser at centrum.cz
Sat Apr 5 02:18:46 UTC 2014


I did some discussion here:
https://lists.opendaylight.org/pipermail/controller-dev/2014-April/003504.html
But still did not manage to make it work.
I followed instructions in INSTALL.SSL (Here: https://github.com/homework/openvswitch/blob/master/INSTALL.SSL )
and ran these commands to configure SSL and find out what's wrong with it:
 
mininet> s1 ovs-vsctl del-controller "s1"
mininet> s1 ovs-vsctl set-controller "s1" "ssl:127.0.0.1"
mininet> s1 ovs-vsctl list controllers
ovs-vsctl: unknown table "controllers"
mininet> s1 ovs-vsctl list controller
_uuid               : 7f00b252-c018-471c-9ecc-567b8cae2293
connection_mode     : []
controller_burst_limit: []
controller_rate_limit: []
enable_async_messages: []
external_ids        : {}
inactivity_probe    : []
is_connected        : false
local_gateway       : []
local_ip            : []
local_netmask       : []
max_backoff         : []
other_config        : {}
role                : other
status              : {last_error="Protocol not available", state=BACKOFF}
target              : "ssl:127.0.0.1"
 
 
 
I also viewed /var/log/openvswitch/ovs-vswitchd.log and saw messages like these:
 
2014-04-05T01:51:58.391Z|00135|stream_ssl|ERR|Private key must be configured to use SSL
2014-04-05T01:51:58.391Z|00136|stream_ssl|ERR|Certificate must be configured to use SSL
2014-04-05T01:51:58.391Z|00137|rconn|WARN|s1<->ssl:127.0.0.1: connection failed (Protocol not available)
 
I don't know what I did wrong when following the INSTALL.SSL instructions. Can you help me?
 
In this file: http://openvswitch.org/cgi-bin/ovsman.cgi?page=utilities%2Fovs-vsctl.8
in the SSL Configuration part, I found these lines.
 
When ovs-vswitchd is configured to connect over SSL for management or controller connectivity, the following parameters are required:
 private-key
 Specifies a PEM file containing the private key used as the virtual switch’s identity for SSL connections to the controller.
 certificate
 Specifies a PEM file containing a certificate, signed by the certificate authority (CA) used by the controller and manager, that certifies the virtual switch’s private key, identifying a trustworthy switch.
 ca-cert
 Specifies a PEM file containing the CA certificate used to verify that the virtual switch is connected to a trustworthy controller.
 These files are read only once, at ovs-vswitchd startup time. If their contents change, ovs-vswitchd must be killed and restarted.
 
 
However, those files already exist. Does the switch really read them when starting? If not, how can I make it do so?
 
______________________________________________________________
> From: <OVSUser at centrum.cz>
> To: Justin Pettit <jpettit at nicira.com>
> Date: 02.04.2014 23:57
> Subject: Re: [ovs-discuss] SSL Configuration
>
> CC: discuss at openvswitch.org
Sure. I agree that this is probably a configuration issue. This is my current config. Now I am trying to use a controller on the localhost. However, I am not sure if this is all the necessary info to find out what's wrong with it.

8625e529-b120-425d-ae73-39757be6e38b
    Manager "ptcp:6640"
    Bridge "s1"
        Controller "ssl:127.0.0.1"
        Controller "pssl:6634"
        fail_mode: secure
        Port "s1"
            Interface "s1"
                type: internal
        Port "s1-eth2"
            Interface "s1-eth2"
        Port "s1-eth1"
            Interface "s1-eth1"
    ovs_version: "2.0.0"



______________________________________________________________
> From: Justin Pettit <jpettit at nicira.com>
> To: <OVSUser at centrum.cz>
> Date: 31.03.2014 23:00
> Subject: Re: [ovs-discuss] SSL Configuration
>
> CC: discuss at openvswitch.org
You'd need to provide more information.  SSL is normally used to connect 
switches to controllers, so I'd be surprised if it is not a 
configuration issue.

--Justin


OVSUser at centrum.cz wrote:
> Thank you. But is that all? Now the controller is not flooded with OF Hello messages, but I still do not detect a TLS handshake.
> ______________________________________________________________
>> From: Justin Pettit <jpettit at nicira.com>
>> To: <OVSUser at centrum.cz>
>> Date: 27.03.2014 05:19
>> Subject: Re: [ovs-discuss] SSL Configuration
>>
>> CC: discuss at openvswitch.org
> OVSUser at centrum.cz wrote:
>
>> I have noticed that it is still configured to use tcp. How can I change
>> that?
>
>       ovs-vsctl del-controller s2
>       ovs-vsctl set-controller s2 "ssl:192.168.56.101"
>
> --Justin


----------
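
Added example (not part of the original message and not Open vSwitch code): a small triage script that reads ovs-vswitchd.log lines in the `timestamp|seq|module|level|message` layout quoted above, reports which of the SSL parameters from the ovs-vsctl(8) excerpt the switch says are unset, and ties each failed ssl: controller connection to them. The function names, the regular expressions and the wording-to-parameter map are assumptions made for this example; the sample log is the three lines from the message.

```python
import re

# Constructed sample: the three log lines quoted in the message above.
SAMPLE_LOG = """\
2014-04-05T01:51:58.391Z|00135|stream_ssl|ERR|Private key must be configured to use SSL
2014-04-05T01:51:58.391Z|00136|stream_ssl|ERR|Certificate must be configured to use SSL
2014-04-05T01:51:58.391Z|00137|rconn|WARN|s1<->ssl:127.0.0.1: connection failed (Protocol not available)
"""

# Log wording -> parameter name used in the ovs-vsctl(8) excerpt (assumed mapping).
PARAM_BY_WORDING = {"Private key": "private-key", "Certificate": "certificate"}

MISSING_RE = re.compile(r"^(?P<what>.+) must be configured to use SSL$")
FAILED_RE = re.compile(
    r"^(?P<bridge>\S+?)<->(?P<target>p?ssl:\S+): connection failed \((?P<reason>.+)\)$")


def parse_line(line):
    """Split one log line into its five '|'-separated fields, or return None."""
    parts = line.rstrip("\n").split("|", 4)
    if len(parts) != 5:
        return None
    return dict(zip(("ts", "seq", "module", "level", "msg"), parts))


def triage(log_text):
    """Return unset SSL parameters and the SSL connection failures they explain."""
    missing, failures = [], []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # not a line in the expected layout
        if rec["module"] == "stream_ssl" and rec["level"] == "ERR":
            m = MISSING_RE.match(rec["msg"])
            if m:
                name = PARAM_BY_WORDING.get(m["what"], m["what"])
                if name not in missing:
                    missing.append(name)
        elif rec["module"] == "rconn":
            m = FAILED_RE.match(rec["msg"])
            if m:
                failures.append({"ts": rec["ts"], "bridge": m["bridge"],
                                 "target": m["target"], "reason": m["reason"],
                                 "unset_params": list(missing)})
    return {"missing": missing, "failures": failures}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

When the report lists unset parameters, `ovs-vsctl get-ssl` shows which key, certificate and CA certificate paths are currently stored in the switch database.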
