[ovs-discuss] [OVN][SSL] replacing ssl key and certs file at runtime has no effect on ovn-controller connection

Girish Moodalbail gmoodalbail at gmail.com
Fri Dec 11 17:54:07 UTC 2020


In ovn-kubernetes K8s CNI project we use SSL connections between
ovn-controller and OVN SB DB. Our goal is to rotate the
privateKey/signedCert used by ovn-controller very often. When the rotation
occurs, we want ovn-controller to redo the TLS handshake without dropping
the TCP connection or requiring an ovn-controller restart.

In the ovn-controller code, I see that in the main loop we call
update_ssl_config(), which through a series of functions checks if the SSL
files are modified, and if so, calls into the OpenSSL library to update the
SSL context. At this point, the expectation is for ovn-controller to restart
the TLS handshake so that we are using the new SSL keys/certs. However, we
don't see this happening.

I ran tcpdump on the ovn-controller side to check for TLS handshake
packets, but I didn't see any TLS related packets. With `stream_ssl` module
logging set to debug, I don't see any SSL control plane messages in
ovn-controller.log.

I also created certs with an expiry time of 10 minutes using OVS-PKI and
restarted ovn-controller. My expectation was that after 10 minutes the SSL
connection should error out with the certificates already expired. I don't
see that happening either. When I run the `ovn-sbctl` command using the
expired certs it obviously fails.

It looks to me that once the JSON-RPC session is created between
ovn-controller and the OVN SB DB process, nothing seems to re-trigger the
TLS handshake.

Are we missing something?

Regards,
~Girish
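Both observations in the post are what TLS itself gives you: a peer's certificate is examined once, during the handshake, and swapping the key/cert that a side *would offer next* only affects handshakes that happen afterwards. Nothing in TLS re-validates an established session when the on-disk files change or when the certificate's notAfter passes; that is why the expired certificate fails for a fresh `ovn-sbctl` connection but not for the session ovn-controller already holds. The Go program below, added here as an illustration and not code from OVN, ovn-kubernetes or Open vSwitch, reproduces this on a loopback TLS echo server with constructed self-signed certificates. `SelfSigned`, `ListenRotating`, `Dial`, `PresentedCN` and `Echo` are names chosen for this example; it rotates the server-side certificate for simplicity, but the per-handshake nature of certificate validation is the same for a client certificate such as ovn-controller's.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"sync/atomic"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// SelfSigned builds a throwaway self-signed cert (constructed test data, not an ovs-pki artifact);
// IsCA lets it act as its own trust anchor, as Go's httptest does, so clients can verify it properly.
func SelfSigned(cn string, ttl time.Duration) *tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(ttl),
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	leaf, err := x509.ParseCertificate(der)
	must(err)
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// ListenRotating starts a loopback TLS echo server. GetCertificate is consulted once per handshake,
// so rotate() changes only what future handshakes are offered, never an established session.
func ListenRotating(initial *tls.Certificate) (ln net.Listener, rotate func(*tls.Certificate), err error) {
	var cur atomic.Pointer[tls.Certificate]
	cur.Store(initial)
	ln, err = tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		GetCertificate: func(*tls.ClientHelloInfo) (*tls.Certificate, error) { return cur.Load(), nil },
	})
	if err != nil {
		return nil, nil, err
	}
	go func() {
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			go func(c net.Conn) { defer c.Close(); _, _ = io.Copy(c, c) }(c) // echo; the first Read drives the handshake
		}
	}()
	return ln, cur.Store, nil
}

// Dial completes a handshake verified against the given certs; no InsecureSkipVerify needed.
func Dial(addr string, trusted ...*tls.Certificate) (*tls.Conn, error) {
	roots := x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c.Leaf)
	}
	return tls.Dial("tcp", addr, &tls.Config{RootCAs: roots})
}

// PresentedCN reads the peer cert recorded at handshake time; it is fixed for the life of the session.
func PresentedCN(conn *tls.Conn) string {
	return conn.ConnectionState().PeerCertificates[0].Subject.CommonName
}

// Echo sends msg over an established session and returns what came back.
func Echo(conn *tls.Conn, msg string) (string, error) {
	if _, err := conn.Write([]byte(msg)); err != nil {
		return "", err
	}
	buf := make([]byte, len(msg))
	_, err := io.ReadFull(conn, buf)
	return string(buf), err
}

func main() {
	old, fresh := SelfSigned("old", time.Hour), SelfSigned("new", time.Hour)
	ln, rotate, err := ListenRotating(old)
	must(err)
	defer ln.Close()
	c1, err := Dial(ln.Addr().String(), old, fresh)
	must(err)
	rotate(fresh) // the "file replacement": only handshakes from here on see it
	c2, err := Dial(ln.Addr().String(), old, fresh)
	must(err)
	fmt.Println("old session still:", PresentedCN(c1), "| new session:", PresentedCN(c2))
}
```

Running it prints `old session still: old | new session: new`: the session opened before `rotate` keeps the certificate it negotiated, and `Echo` on it keeps working even once that certificate has passed its notAfter, while a fresh `Dial` against the expired certificate is rejected by verification. The operational consequence for a rotation scheme is that a new handshake (in practice, a reconnect) is what makes a new key/cert take effect, and that monitoring which only inspects the files on disk, or only tests new connections, says nothing about the certificate a long-lived session is actually using.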