2009-12-21 13:10:55 -08:00
|
|
|
.IP "\fB\-\-bootstrap\-ca\-cert=\fIcacert.pem\fR"
|
|
|
|
|
When \fIcacert.pem\fR exists, this option has the same effect as
|
|
|
|
|
\fB\-C\fR or \fB\-\-ca\-cert\fR. If it does not exist, then
|
|
|
|
|
\fB\*(PN\fR will attempt to obtain the CA certificate from the
|
treewide: Refer to SSL configuration as SSL/TLS.
SSL protocol family is not actually being used or supported in OVS.
What we use is actually TLS.
Terms "SSL" and "TLS" are often used interchangeably in modern
software and refer to the same thing, which is normally just TLS.
Let's replace "SSL" with "SSL/TLS" in documentation and user-visible
messages, where it makes sense. This may make it more clear what
is meant for a less experienced user that may look for TLS support
in OVS and not find much.
We're not changing any actual code, because, for example, most of
OpenSSL APIs are using just SSL, for historical reasons. And our
database is using "SSL" table. We may consider migrating to "TLS"
naming for user-visible configuration like command line arguments
and database names, but that will require extra work on making sure
upgrades can still work. In general, a slightly more clear
documentation should be enough for now, especially since term SSL
is still widely used in the industry.
"SSL/TLS" is chosen over "TLS/SSL" simply because our user-visible
configuration knobs are using "SSL" naming, e.g. '--ssl-cyphers'
or 'ovs-vsctl set-ssl'. So, it might be less confusing this way.
We may switch that, if we decide on re-working the user-visible
commands towards "TLS" naming, or providing both alternatives.
Some other projects did similar changes. For example, the python ssl
library is now using "TLS/SSL" in the documentation whenever possible.
Same goes for OpenSSL itself.
Acked-by: Eelco Chaudron <echaudro@redhat.com>
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
2024-12-09 17:38:45 +01:00
|
|
|
SSL/TLS peer on its first SSL/TLS connection and save it to the named
|
|
|
|
|
PEM file. If it is successful, it will immediately drop the connection
|
|
|
|
|
and reconnect, and from then on all SSL/TLS connections must be
|
2009-12-21 13:10:55 -08:00
|
|
|
authenticated by a certificate signed by the CA certificate thus
|
|
|
|
|
obtained.
|
|
|
|
|
.IP
|
treewide: Refer to SSL configuration as SSL/TLS.
SSL protocol family is not actually being used or supported in OVS.
What we use is actually TLS.
Terms "SSL" and "TLS" are often used interchangeably in modern
software and refer to the same thing, which is normally just TLS.
Let's replace "SSL" with "SSL/TLS" in documentation and user-visible
messages, where it makes sense. This may make it more clear what
is meant for a less experienced user that may look for TLS support
in OVS and not find much.
We're not changing any actual code, because, for example, most of
OpenSSL APIs are using just SSL, for historical reasons. And our
database is using "SSL" table. We may consider migrating to "TLS"
naming for user-visible configuration like command line arguments
and database names, but that will require extra work on making sure
upgrades can still work. In general, a slightly more clear
documentation should be enough for now, especially since term SSL
is still widely used in the industry.
"SSL/TLS" is chosen over "TLS/SSL" simply because our user-visible
configuration knobs are using "SSL" naming, e.g. '--ssl-cyphers'
or 'ovs-vsctl set-ssl'. So, it might be less confusing this way.
We may switch that, if we decide on re-working the user-visible
commands towards "TLS" naming, or providing both alternatives.
Some other projects did similar changes. For example, the python ssl
library is now using "TLS/SSL" in the documentation whenever possible.
Same goes for OpenSSL itself.
Acked-by: Eelco Chaudron <echaudro@redhat.com>
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
2024-12-09 17:38:45 +01:00
|
|
|
\fBThis option exposes the SSL/TLS connection to a man-in-the-middle
|
2009-12-21 13:10:55 -08:00
|
|
|
attack obtaining the initial CA certificate\fR, but it may be useful
|
|
|
|
|
for bootstrapping.
|
|
|
|
|
.IP
|
treewide: Refer to SSL configuration as SSL/TLS.
SSL protocol family is not actually being used or supported in OVS.
What we use is actually TLS.
Terms "SSL" and "TLS" are often used interchangeably in modern
software and refer to the same thing, which is normally just TLS.
Let's replace "SSL" with "SSL/TLS" in documentation and user-visible
messages, where it makes sense. This may make it more clear what
is meant for a less experienced user that may look for TLS support
in OVS and not find much.
We're not changing any actual code, because, for example, most of
OpenSSL APIs are using just SSL, for historical reasons. And our
database is using "SSL" table. We may consider migrating to "TLS"
naming for user-visible configuration like command line arguments
and database names, but that will require extra work on making sure
upgrades can still work. In general, a slightly more clear
documentation should be enough for now, especially since term SSL
is still widely used in the industry.
"SSL/TLS" is chosen over "TLS/SSL" simply because our user-visible
configuration knobs are using "SSL" naming, e.g. '--ssl-cyphers'
or 'ovs-vsctl set-ssl'. So, it might be less confusing this way.
We may switch that, if we decide on re-working the user-visible
commands towards "TLS" naming, or providing both alternatives.
Some other projects did similar changes. For example, the python ssl
library is now using "TLS/SSL" in the documentation whenever possible.
Same goes for OpenSSL itself.
Acked-by: Eelco Chaudron <echaudro@redhat.com>
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
2024-12-09 17:38:45 +01:00
|
|
|
This option is only useful if the SSL/TLS peer sends its CA certificate
|
|
|
|
|
as part of the SSL/TLS certificate chain. SSL/TLS protocols do not
|
|
|
|
|
require the server to send the CA certificate.
|
2009-12-21 13:10:55 -08:00
|
|
|
.IP
|
2010-06-29 14:29:40 -07:00
|
|
|
This option is mutually exclusive with \fB\-C\fR and
|
2009-12-21 13:10:55 -08:00
|
|
|
\fB\-\-ca\-cert\fR.
|
