[ovs-discuss] Configuring Open vSwitch for SSL - Question about using switch certificate authority method
Ben Pfaff
blp at ovn.org
Mon Jan 11 17:29:39 UTC 2016
On Wed, Jan 06, 2016 at 04:38:37PM +0000, Tandulwadkar, Sanket Ravindra (Sanket Ravindra) wrote:
> I wanted to know what channel is used by OvS to fetch the CA
> certificate from the controller in bootstrap mode? Is it over SSL, OF,
> TCP or something else?
It obtains the CA certificate from the SSL connection. The
documentation in the manpage tries to explain this:
    --bootstrap-ca-cert=cacert.pem
        When cacert.pem exists, this option has the same effect as -C or
        --ca-cert. If it does not exist, then ovs-vsctl will attempt to
        obtain the CA certificate from the SSL peer on its first SSL
        connection and save it to the named PEM file. If it is successful,
        it will immediately drop the connection and reconnect, and from
        then on all SSL connections must be authenticated by a certificate
        signed by the CA certificate thus obtained.

        This option exposes the SSL connection to a man-in-the-middle
        attack obtaining the initial CA certificate, but it may be useful
        for bootstrapping.

        This option is only useful if the SSL peer sends its CA certificate
        as part of the SSL certificate chain. The SSL protocol does not
        require the server to send the CA certificate.

        This option is mutually exclusive with -C and --ca-cert.
> Also, I am trying to understand the need of having this CA certificate on OvS.
>
> My current scenario -
> I have a northbound application on top of my controller which signs the OvS certificate. When the certificate is signed and sent back, I am setting the certificates on OvS and establishing the SSL connection. On my controller, I am using OpenDaylight and storing the same CAcert that signs the OvS certificate in the truststore.jks file, which maintains the OvS keys or CAcert depending on the way we use OvS.
>
> I was wondering why the CAcert is being pulled by OvS if it is signed by the same CAcert preset in the ODL truststore.jks.
You don't have to use the bootstrap feature. In fact, if you already
have the correct CA certificate on the OVS host, then you shouldn't use
it.
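The bootstrap behaviour described in the manpage excerpt above, and the two caveats it carries (a peer that does not send its CA in the chain cannot be bootstrapped from; a man-in-the-middle on the first connection gets its own CA pinned), as an added shell example. It is not Open vSwitch code and does not open any SSL connection: a PEM bundle stands in for the certificate chain the peer would send, and the openssl(1) CLI stands in for the library calls. It assumes openssl, awk, cmp and mktemp are in PATH; every certificate is generated on the spot, and the "controller" and "rogue" names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not OVS code): emulate the --bootstrap-ca-cert logic with
# the openssl(1) CLI, using a PEM bundle in place of the chain an SSL peer
# sends. Assumes openssl, awk, mktemp in PATH. All certs are constructed here.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_pki PREFIX CN: throwaway CA plus a server certificate it signs.
# Produces PREFIX-chain.pem (leaf then CA: what a well-configured peer sends)
# and PREFIX-srv.pem (leaf only: what a peer that omits its CA sends).
make_pki() {
  p="$WORK/$1"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -subj "/CN=$1 CA" \
    -keyout "$p-ca-key.pem" -out "$p-ca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
    -keyout "$p-srv-key.pem" -out "$p-srv.csr" >/dev/null 2>&1
  openssl x509 -req -in "$p-srv.csr" -CA "$p-ca.pem" -CAkey "$p-ca-key.pem" \
    -CAcreateserial -days 30 -sha256 -out "$p-srv.pem" >/dev/null 2>&1
  cat "$p-srv.pem" "$p-ca.pem" > "$p-chain.pem"
}

# split_chain BUNDLE PREFIX: one file per certificate (PREFIX.1, PREFIX.2, ...),
# leaf first; prints the number of certificates found.
split_chain() {
  awk -v base="$2" '/BEGIN CERTIFICATE/ {n++} n {print > (base "." n)} END {print n+0}' "$1"
}

# is_self_signed CERT: true when subject and issuer names match.
is_self_signed() {
  subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
  iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
  [ "$subj" = "$iss" ]
}

# bootstrap_ca CHAIN CACERT: one connection made under --bootstrap-ca-cert.
# If CACERT already exists it is simply used (same effect as --ca-cert).
# Otherwise the last certificate of the peer's chain becomes the CA, but only
# if it is self-signed; a chain that stops at the leaf cannot bootstrap (exit 1).
bootstrap_ca() {
  chain=$1; cacert=$2
  if [ -f "$cacert" ]; then
    echo "bootstrap: $cacert exists; using it, ignoring the peer's chain"
    return 0
  fi
  n=$(split_chain "$chain" "$WORK/peer")
  last="$WORK/peer.$n"
  if ! is_self_signed "$last"; then
    echo "bootstrap: peer chain does not end in a self-signed CA; not bootstrapping" >&2
    return 1
  fi
  cp "$last" "$cacert"
  echo "bootstrap: pinned $(openssl x509 -in "$cacert" -noout -subject) into $cacert"
}

# verify_peer CACERT LEAF: what every later connection requires, a peer
# certificate that chains to the pinned CA.
verify_peer() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

make_pki legit controller   # the real controller's PKI
make_pki rogue controller   # an attacker on the path, impersonating it

# 1. Peer omits its CA from the chain: bootstrap cannot work (manpage caveat).
bootstrap_ca "$WORK/legit-srv.pem" "$WORK/cacert.pem" || true

# 2. Honest first connection: the real CA is pinned, later rogue certs rejected,
#    and a later rogue chain cannot replace the pinned file.
bootstrap_ca "$WORK/legit-chain.pem" "$WORK/cacert.pem"
verify_peer "$WORK/cacert.pem" "$WORK/legit-srv.pem" && echo "legit controller: accepted"
verify_peer "$WORK/cacert.pem" "$WORK/rogue-srv.pem" || echo "rogue controller: rejected"
bootstrap_ca "$WORK/rogue-chain.pem" "$WORK/cacert.pem"

# 3. Man-in-the-middle on the first connection: the rogue CA gets pinned and the
#    real controller is rejected from then on. This is why, when the CA
#    certificate is already in hand, it should be installed directly instead.
bootstrap_ca "$WORK/rogue-chain.pem" "$WORK/mitm-cacert.pem"
verify_peer "$WORK/mitm-cacert.pem" "$WORK/legit-srv.pem" || echo "after MITM: real controller rejected"
```

On a real switch the "already have the CA" path is `ovs-vsctl set-ssl` with the private key, certificate and the CA file copied to the host out of band; the only thing the bootstrap option buys is skipping that copy, at the price shown in case 3.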