[ovs-discuss] Configuring Open vSwitch for SSL - Question about using switch certificate authority method

Ben Pfaff blp at ovn.org
Mon Jan 11 17:29:39 UTC 2016


On Wed, Jan 06, 2016 at 04:38:37PM +0000, Tandulwadkar, Sanket Ravindra (Sanket Ravindra) wrote:
> I wanted to know what channel is used by OvS to fetch the CA
> certificate from the controller in bootstrap mode? Is it over SSL, OF,
> TCP or something else?

It obtains the CA certificate from the SSL connection.  The
documentation in the manpage tries to explain this:

       --bootstrap-ca-cert=cacert.pem
              When cacert.pem exists, this option has the same effect as -C or
              --ca-cert.  If it does not exist, then ovs-vsctl will attempt to
              obtain  the  CA  certificate  from the SSL peer on its first SSL
              connection and save it to the named PEM file.  If it is success‐
              ful,  it will immediately drop the connection and reconnect, and
              from then on all SSL connections must be authenticated by a cer‐
              tificate signed by the CA certificate thus obtained.

              This  option  exposes  the SSL connection to a man-in-the-middle
              attack obtaining the initial CA certificate, but it may be  use‐
              ful for bootstrapping.

              This option is only useful if the SSL peer sends its CA certifi‐
              cate as part of the SSL certificate  chain.   The  SSL  protocol
              does not require the server to send the CA certificate.

              This option is mutually exclusive with -C and --ca-cert.


> Also, I am trying to understand the need for having this CA certificate on OvS.
> 
> My current scenario -
> I have a northbound application on top of my controller that signs the OvS certificate. When the certificate is signed and sent back, I am setting the certificates on OvS and establishing the SSL connection. On my controller, I am using OpenDaylight and storing the same CAcert that signs the OvS certificate in the truststore.jks file, which maintains the OvS keys or CAcert depending on the way we use OvS.
> 
> I was wondering why the CAcert is being pulled by OvS if it is signed by the same CAcert preset in the ODL truststore.jks.

You don't have to use the bootstrap feature.  In fact, if you already
have the correct CA certificate on the OVS host, then you shouldn't use
it.
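To make the bootstrap behaviour quoted from the manpage above concrete, here is an added model of the decision ovs-vsctl makes on each SSL connection when --bootstrap-ca-cert is given. It is example code written for this thread, not Open vSwitch's own implementation: the real code hands cacert.pem to OpenSSL, which verifies the peer certificate's signature against it, whereas this model compares SHA-256 fingerprints of the CA certificate the peer presents (the PEM blobs are constructed placeholders, not real X.509 certificates, so it runs offline). It shows the trust-on-first-use step that the manpage warns about, the reconnect after a successful bootstrap, the caveat that a peer which does not send its CA in the chain cannot be bootstrapped from, and the rejection of a later peer whose CA does not match the one pinned on the first connection.

```python
import base64
import hashlib
import os
import ssl
import tempfile


def constructed_pem(label):
    """Build a PEM-framed blob for this example. The body is NOT a real
    X.509 certificate, only constructed bytes, so the example runs offline."""
    body = base64.encodebytes(b"constructed-cert:" + label).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


def fingerprint(pem):
    """SHA-256 over the DER bytes, the value 'openssl x509 -noout -sha256
    -fingerprint' prints; compare it out of band with the controller's CA."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


def bootstrap_or_verify(cacert_path, peer_chain):
    """Model of the --bootstrap-ca-cert decision on one SSL connection.

    peer_chain: PEM certificates the SSL peer presented, leaf first.
    Returns (action, detail):
      ("bootstrapped", fp)  cacert.pem did not exist; the last chain element
                            was saved as the CA. The caller must drop the
                            connection and reconnect, as the manpage says.
      ("ok", fp)            cacert.pem exists and the peer's CA matches it.
      ("reject", reason)    the connection must not be trusted.
    """
    if not os.path.exists(cacert_path):
        # Trust-on-first-use: whatever CA the peer (or a man-in-the-middle
        # on this first connection) presents becomes the permanent anchor.
        if len(peer_chain) < 2:
            return ("reject", "peer sent no CA certificate in its chain; "
                              "nothing to bootstrap from")
        ca_pem = peer_chain[-1]
        with open(cacert_path, "w") as fh:
            fh.write(ca_pem)
        return ("bootstrapped", fingerprint(ca_pem))

    with open(cacert_path) as fh:
        pinned = fingerprint(fh.read())
    # Real OVS would verify the peer's certificate signature against the
    # pinned CA via OpenSSL; this model substitutes a fingerprint comparison
    # of the CA certificate the peer presents, so it needs the chain again.
    if len(peer_chain) < 2:
        return ("reject", "peer sent no CA certificate; model cannot verify")
    presented = fingerprint(peer_chain[-1])
    if presented != pinned:
        return ("reject", "peer CA %s.. does not match pinned CA %s.."
                          % (presented[:16], pinned[:16]))
    return ("ok", pinned)


def demo(workdir):
    """Walk through the bootstrap sequence in workdir; returns the actions.
    Constructed scenario: a legitimate controller chain, the reconnect that
    follows a successful bootstrap, then a peer presenting a different CA."""
    cacert = os.path.join(workdir, "cacert.pem")
    leaf = constructed_pem(b"controller-leaf")
    ca = constructed_pem(b"controller-ca")
    other_ca = constructed_pem(b"some-other-ca")
    actions = []
    actions.append(bootstrap_or_verify(cacert, [leaf, ca])[0])        # first connection
    actions.append(bootstrap_or_verify(cacert, [leaf, ca])[0])        # reconnect
    actions.append(bootstrap_or_verify(cacert, [leaf, other_ca])[0])  # mismatch
    return actions


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        print(demo(d))  # ['bootstrapped', 'ok', 'reject']
```

The point the model makes explicit is the one Ben gives: the file written on the first connection is trusted forever after, and nothing in the protocol lets the switch tell a genuine controller from an interposed peer at that moment. If the CA certificate is already available on the OVS host, as it is in the scenario above where the same CA signs the switch certificate, install it with --ca-cert and skip bootstrapping entirely; if bootstrapping is unavoidable, compare the fingerprint of the saved cacert.pem with the controller's CA through an independent channel before relying on it.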
