[ovs-discuss] enforce TLSv1.2 in OVN
dholler at redhat.com
Tue Jun 6 15:30:07 UTC 2017
We want to ensure that OVN uses only TLSv1.2, but not TLSv1 or TLSv1.1
in our scenario.
There are multiple connections identified as relevant:
- The tunneling data connection between the hypervisors/chassis, like
Geneve listening on UDP port 6081.
- The meta data connections:
  - The connections to the OVN Southbound DB, which is hosted by
  ovsdb-server and typically listening on TCP port 6642. Connections
  may be initiated by the ovn-controllers and ovn-northd.
  - The connections to the OVN Northbound DB, which is hosted by
  ovsdb-server and typically listening on TCP port 6641. Connections
  may be initiated by the Cloud Management System and ovn-northd.
Is it correct that encryption is not supported at all for the tunneling
For the meta data connections, ovsdb-server acts as the server.
ovsdb-server has the command line option --ssl-protocols, but I do not
understand how to apply this. ovsdb-server seems to be started by
ovn-ctl, but I do not recognize a way to utilize ovn-ctl to
pass the --ssl-protocols option.
How should the --ssl-protocols option be passed to ovsdb-server?
Thanks and regards