[ovs-discuss] ovsdb-server --private-key=db:OVN_Northbound, SSL, private_key etc

Ben Pfaff blp at ovn.org
Mon Jul 19 16:32:11 UTC 2021

On Mon, Jul 19, 2021 at 04:29:07PM +0100, Brendan Doyle wrote:
> When I start OVN/OVs using ovn-ctl /ovs-ctl the ovsdb-server processes have
> SSL credentials of the form:
> --private-key=db:Open_vSwitch,SSL,private_key
> --certificate=db:Open_vSwitch,SSL,certificate
> --bootstrap-ca-cert=db:Open_vSwitch,SSL,ca_cert
> --private-key=db:OVN_Northbound,SSL,private_key
> --certificate=db:OVN_Northbound,SSL,certificate
> --ca-cert=db:OVN_Northbound,SSL,ca_cert
> --ssl-protocols=db:OVN_Northbound,SSL,ssl_protocols
> --ssl-ciphers=db:OVN_Northbound,SSL,ssl_ciphers
> --private-key=db:OVN_Southbound,SSL,private_key
> --certificate=db:OVN_Southbound,SSL,certificate
> --ca-cert=db:OVN_Southbound,SSL,ca_cert
> --ssl-protocols=db:OVN_Southbound,SSL,ssl_protocols
> --ssl-ciphers=db:OVN_Southbound,SSL,ssl_ciphers
> From what I gather this means it gets these values from the database, OVS,
> OVN North/South?
> But does that mean that SSL is enabled by default and use a default set of
> credentials/cipers?
> Or does it mean If these values (Open_vSwitch,SSL,certificate e,g) are not
> set in the OVS, or OVN North/South bound data base
> then the connections are not SSL.
> And if the later is the case how are these set?

It means that SSL/TLS connections will use these values.  Whether SSL is
in use is separately configured.  If you see "pssl:..." in a remote,
that's an SSL one; "ptcp:..." is for non-SSL TCP.

More information about the discuss mailing list