diff --git a/Documentation/howto/ssl.rst b/Documentation/howto/ssl.rst index 5350d6ca0..0cbdbbf98 100644 --- a/Documentation/howto/ssl.rst +++ b/Documentation/howto/ssl.rst @@ -21,18 +21,18 @@ Avoid deeper levels because they do not render well. -===================== -Open vSwitch with SSL -===================== +========================= +Open vSwitch with SSL/TLS +========================= If you plan to configure Open vSwitch to connect across the network to an OpenFlow controller, then we recommend that you build Open vSwitch with -OpenSSL. SSL support ensures integrity and confidentiality of the OpenFlow +OpenSSL. SSL/TLS support ensures integrity and confidentiality of the OpenFlow connections, increasing network security. This document describes how to configure an Open vSwitch to connect to an -OpenFlow controller over SSL. Refer to :doc:`/intro/install/general`. for -instructions on building Open vSwitch with SSL support. +OpenFlow controller over SSL/TLS. Refer to :doc:`/intro/install/general`. for +instructions on building Open vSwitch with SSL/TLS support. Open vSwitch uses TLS version 1.2 or later (TLSv1.2), as specified by RFC 5246. TLSv1.2 was released in August 2008, so all current software and 
@@ -41,16 +41,16 @@ hardware should implement it. This document assumes basic familiarity with public-key cryptography and public-key infrastructure. -SSL Concepts for OpenFlow -------------------------- +SSL/TLS Concepts for OpenFlow +----------------------------- This section is an introduction to the public-key infrastructure architectures -that Open vSwitch supports for SSL authentication. +that Open vSwitch supports for SSL/TLS authentication. -To connect over SSL, every Open vSwitch must have a unique private/public key -pair and a certificate that signs that public key. Typically, the Open vSwitch -generates its own public/private key pair. There are two common ways to obtain -a certificate for a switch: +To connect over SSL/TLS, every Open vSwitch must have a unique private/public +key pair and a certificate that signs that public key. Typically, the +Open vSwitch generates its own public/private key pair. There are two common +ways to obtain a certificate for a switch: * Self-signed certificates: The Open vSwitch signs its certificate with its own private key. In this case, each switch must be individually approved by the @@ -149,9 +149,9 @@ created, because they could be used to impersonate the controller. Switch Key Generation with Self-Signed Certificates ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -If you are using self-signed certificates (see "SSL Concepts for OpenFlow"), -this is one way to create an acceptable certificate for your controller to -approve. +If you are using self-signed certificates (see +`SSL/TLS Concepts for OpenFlow`_), this is one way to create an acceptable +certificate for your controller to approve. 1. Run the following command on the Open vSwitch itself:: 
@@ -178,15 +178,15 @@ approve. have to use CA certificate bootstrapping when you configure Open vSwitch in the next step.) -3. Configure Open vSwitch to use the keys and certificates (see "Configuring - SSL Support", below). +3. Configure Open vSwitch to use the keys and certificates (see + `Configuring SSL/TLS Support`_, below). Switch Key Generation with a Switch PKI (Easy Method) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -If you are using a switch PKI (see "SSL Concepts for OpenFlow", above), this -method of switch key generation is a little easier than the alternate method -described below, but it is also a little less secure because it requires +If you are using a switch PKI (see `SSL/TLS Concepts for OpenFlow`_, above), +this method of switch key generation is a little easier than the alternate +method described below, but it is also a little less secure because it requires copying a sensitive private key from file from the machine hosting the PKI to the switch. 
@@ -215,15 +215,15 @@ the switch. Don't delete controllerca/cacert.pem! It is not security-sensitive and you will need it to configure additional switches. -4. Configure Open vSwitch to use the keys and certificates (see "Configuring - SSL Support", below). +4. Configure Open vSwitch to use the keys and certificates (see + `Configuring SSL/TLS Support`_, below). Switch Key Generation with a Switch PKI (More Secure) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -If you are using a switch PKI (see "SSL Concepts for OpenFlow", above), then, -compared to the previous method, the method described here takes a little more -work, but it does not involve copying the private key from one machine to +If you are using a switch PKI (see `SSL/TLS Concepts for OpenFlow`_, above), +then, compared to the previous method, the method described here takes a little +more work, but it does not involve copying the private key from one machine to another, so it may also be a little more secure. 1. Run the following command on the Open vSwitch itself:: 
@@ -274,15 +274,15 @@ another, so it may also be a little more secure. Don't delete `controllerca/cacert.pem`! It is not security-sensitive and you will need it to configure additional switches. -5. Configure Open vSwitch to use the keys and certificates (see "Configuring - SSL Support", below). +5. Configure Open vSwitch to use the keys and certificates (see + `Configuring SSL/TLS Support`_, below). -Configuring SSL Support ------------------------ +Configuring SSL/TLS Support +--------------------------- -SSL configuration requires three additional configuration files. The first two -of these are unique to each Open vSwitch. If you used the instructions above -to build your PKI, then these files will be named `sc-privkey.pem` and +SSL/TLS configuration requires three additional configuration files. The first +two of these are unique to each Open vSwitch. If you used the instructions +above to build your PKI, then these files will be named `sc-privkey.pem` and `sc-cert.pem`, respectively: - A private key file, which contains the private half of an RSA or DSA key. 
@@ -320,17 +320,18 @@ above. You should use absolute file names (ones that begin with ``/``), because ovs-vswitchd's current directory is unrelated to the one from which you run ovs-vsctl. -If you are using self-signed certificates (see "SSL Concepts for OpenFlow") and -you did not copy controllerca/cacert.pem from the PKI machine to the Open -vSwitch, then add the ``--bootstrap`` option, e.g.:: +If you are using self-signed certificates (see +`SSL/TLS Concepts for OpenFlow`_) and you did not copy controllerca/cacert.pem +from the PKI machine to the Open vSwitch, then add the ``--bootstrap`` option, +e.g.:: $ ovs-vsctl -- --bootstrap set-ssl /etc/openvswitch/sc-privkey.pem \ /etc/openvswitch/sc-cert.pem /etc/openvswitch/cacert.pem After you have added all of these configuration keys, you may specify ``ssl:`` connection methods elsewhere in the configuration database. ``tcp:`` connection -methods are still allowed even after SSL has been configured, so for security -you should use only ``ssl:`` connections. +methods are still allowed even after SSL/TLS has been configured, so for +security you should use only ``ssl:`` connections. Reporting Bugs -------------- diff --git a/Documentation/intro/install/general.rst b/Documentation/intro/install/general.rst index e8471aa46..c93381a8b 100644 --- a/Documentation/intro/install/general.rst +++ b/Documentation/intro/install/general.rst @@ -429,7 +429,7 @@ database that it can use:: Configure ovsdb-server to use database created above, to listen on a Unix domain socket, to connect to any managers specified in the database itself, and -to use the SSL configuration in the database:: +to use the SSL/TLS configuration in the database:: $ mkdir -p /usr/local/var/run/openvswitch $ ovsdb-server --remote=punix:/usr/local/var/run/openvswitch/db.sock \ 
@@ -440,8 +440,8 @@ to use the SSL configuration in the database:: --pidfile --detach --log-file .. note:: - If you built Open vSwitch without SSL support, then omit ``--private-key``, - ``--certificate``, and ``--bootstrap-ca-cert``.) + If you built Open vSwitch without SSL/TLS support, then omit + ``--private-key``, ``--certificate``, and ``--bootstrap-ca-cert``.) Initialize the database using ovs-vsctl. This is only necessary the first time after you create the database with ovsdb-tool, though running it at any time is diff --git a/Documentation/ref/ovsdb.7.rst b/Documentation/ref/ovsdb.7.rst index a45c4ce38..42541dd7e 100644 --- a/Documentation/ref/ovsdb.7.rst +++ b/Documentation/ref/ovsdb.7.rst @@ -665,7 +665,7 @@ the opposite arrangement as well. OVSDB supports the following active connection methods: ssl:: - The specified SSL or TLS on the given . + The specified SSL/TLS on the given . tcp:: The specified TCP on the given . @@ -692,7 +692,7 @@ unix: OVSDB supports the following passive connection methods: pssl:[:] - Listen on the given TCP for SSL or TLS connections. By default, + Listen on the given TCP for SSL/TLS connections. By default, connections are not bound to a particular local IP address. Specifying limits connections to those from the given IP. @@ -725,8 +725,8 @@ versions, we encourage users to specify a port number. The ``ssl`` and ``pssl`` connection methods requires additional configuration through ``--private-key``, ``--certificate``, and ``--ca-cert`` command line -options. Open vSwitch can be built without SSL support, in which case these -connection methods are not supported. +options. Open vSwitch can be built without SSL/TLS support, in which case +these connection methods are not supported. Database Life Cycle =================== diff --git a/debian/openvswitch-testcontroller.default b/debian/openvswitch-testcontroller.default index c6db59570..39dfaaf54 100644 --- a/debian/openvswitch-testcontroller.default 
+++ b/debian/openvswitch-testcontroller.default @@ -4,7 +4,7 @@ # # This is a space-delimited list of connection methods: # -# * "pssl:[PORT]": Listen for SSL connections on the specified PORT +# * "pssl:[PORT]": Listen for SSL/TLS connections on the specified PORT # (default: 6653). The private key, certificate, and CA certificate # must be specified below. # @@ -14,15 +14,15 @@ LISTEN="pssl:" # PRIVKEY: Name of file containing controller's private key. -# Required if SSL enabled. +# Required if SSL/TLS enabled. PRIVKEY=/etc/openvswitch-testcontroller/privkey.pem # CERT: Name of file containing certificate for private key. -# Required if SSL enabled. +# Required if SSL/TLS enabled. CERT=/etc/openvswitch-testcontroller/cert.pem # CACERT: Name of file containing switch CA certificate. -# Required if SSL enabled. +# Required if SSL/TLS enabled. CACERT=/etc/openvswitch-testcontroller/cacert.pem # Additional options to pass to ovs-testcontroller, e.g. "--hub" diff --git a/lib/reconnect.c b/lib/reconnect.c index 89a0bcaf9..918ecd203 100644 --- a/lib/reconnect.c +++ b/lib/reconnect.c @@ -607,7 +607,7 @@ reconnect_deadline__(const struct reconnect *fsm, long long int now) * connections that quickly abort, so it is OK to call * reconnect_connected() after a low-level successful connection * (e.g. connect()) even if the connection might soon abort due to a - * failure at a high-level (e.g. SSL negotiation failure). + * failure at a high-level (e.g. SSL/TLS negotiation failure). * * - Passive client, RECONNECT_CONNECT: The client should try to listen for * a connection, if it is not already listening. It should call diff --git a/lib/ssl-bootstrap.man b/lib/ssl-bootstrap.man index c112f9a97..239302f8b 100644 --- a/lib/ssl-bootstrap.man +++ b/lib/ssl-bootstrap.man 
@@ -2,19 +2,19 @@ When \fIcacert.pem\fR exists, this option has the same effect as \fB\-C\fR or \fB\-\-ca\-cert\fR. If it does not exist, then \fB\*(PN\fR will attempt to obtain the CA certificate from the -SSL peer on its first SSL connection and save it to the named PEM -file. If it is successful, it will immediately drop the connection -and reconnect, and from then on all SSL connections must be +SSL/TLS peer on its first SSL/TLS connection and save it to the named +PEM file. If it is successful, it will immediately drop the connection +and reconnect, and from then on all SSL/TLS connections must be authenticated by a certificate signed by the CA certificate thus obtained. .IP -\fBThis option exposes the SSL connection to a man-in-the-middle +\fBThis option exposes the SSL/TLS connection to a man-in-the-middle attack obtaining the initial CA certificate\fR, but it may be useful for bootstrapping. .IP -This option is only useful if the SSL peer sends its CA certificate as -part of the SSL certificate chain. The SSL protocol does not require -the server to send the CA certificate. +This option is only useful if the SSL/TLS peer sends its CA certificate +as part of the SSL/TLS certificate chain. SSL/TLS protocols do not +require the server to send the CA certificate. .IP This option is mutually exclusive with \fB\-C\fR and \fB\-\-ca\-cert\fR. diff --git a/lib/ssl-bootstrap.xml b/lib/ssl-bootstrap.xml index 72d59522f..bf5300033 100644 --- a/lib/ssl-bootstrap.xml +++ b/lib/ssl-bootstrap.xml 
@@ -6,21 +6,21 @@ When cacert.pem exists, this option has the same effect as -C or --ca-cert. If it does not exist, then the executable will attempt to obtain the CA certificate from the - SSL peer on its first SSL connection and save it to the named PEM - file. If it is successful, it will immediately drop the connection - and reconnect, and from then on all SSL connections must be + SSL/TLS peer on its first SSL/TLS connection and save it to the named + PEM file. If it is successful, it will immediately drop the connection + and reconnect, and from then on all SSL/TLS connections must be authenticated by a certificate signed by the CA certificate thus obtained.

- This option exposes the SSL connection to a man-in-the-middle + This option exposes the SSL/TLS connection to a man-in-the-middle attack obtaining the initial CA certificate, but it may be useful for bootstrapping.

- This option is only useful if the SSL peer sends its CA certificate as - part of the SSL certificate chain. The SSL protocol does not require - the server to send the CA certificate. + This option is only useful if the SSL/TLS peer sends its CA certificate + as part of the SSL/TLS certificate chain. SSL/TLS protocols do not + require the server to send the CA certificate.

This option is mutually exclusive with -C and diff --git a/lib/ssl-connect-syn.man b/lib/ssl-connect-syn.man index ed77f7868..a5ca34662 100644 --- a/lib/ssl-connect-syn.man +++ b/lib/ssl-connect-syn.man @@ -1,4 +1,4 @@ -.IP "SSL connection options:" +.IP "SSL/TLS connection options:" [\fB\-\-ssl\-protocols=\fIprotocols\fR] .br [\fB\-\-ssl\-ciphers=\fIciphers\fR] diff --git a/lib/ssl-connect.man b/lib/ssl-connect.man index 693a999b2..108850da5 100644 --- a/lib/ssl-connect.man +++ b/lib/ssl-connect.man @@ -1,6 +1,6 @@ .IP "\fB\-\-ssl\-protocols=\fIprotocols\fR" -Specifies, in a comma- or space-delimited list, the SSL protocols -\fB\*(PN\fR will enable for SSL connections. Supported +Specifies, in a comma- or space-delimited list, the SSL/TLS protocols +\fB\*(PN\fR will enable for SSL/TLS connections. Supported \fIprotocols\fR include \fBTLSv1\fR (deprecated), \fBTLSv1.1\fR (deprecated), and \fBTLSv1.2\fR. Regardless of order, the highest protocol supported by both sides will @@ -9,5 +9,5 @@ omitted is \fBTLSv1.2\fR or later. . .IP "\fB\-\-ssl\-ciphers=\fIciphers\fR" Specifies, in OpenSSL cipher string format, the ciphers \fB\*(PN\fR will -support for SSL connections. The default when this option is omitted is +support for SSL/TLS connections. The default when this option is omitted is \fBHIGH:!aNULL:!MD5\fR. diff --git a/lib/ssl-peer-ca-cert.man b/lib/ssl-peer-ca-cert.man index 5450b9ef4..a8aae2d36 100644 --- a/lib/ssl-peer-ca-cert.man +++ b/lib/ssl-peer-ca-cert.man 
@@ -1,13 +1,13 @@ .IP "\fB\-\-peer\-ca\-cert=\fIpeer-cacert.pem\fR" Specifies a PEM file that contains one or more additional certificates -to send to SSL peers. \fIpeer-cacert.pem\fR should be the CA +to send to SSL/TLS peers. \fIpeer-cacert.pem\fR should be the CA certificate used to sign \fB\*(PN\fR's own certificate, that is, the certificate specified on \fB\-c\fR or \fB\-\-certificate\fR. If \fB\*(PN\fR's certificate is self-signed, then \fB\-\-certificate\fR and \fB\-\-peer\-ca\-cert\fR should specify the same file. .IP -This option is not useful in normal operation, because the SSL peer +This option is not useful in normal operation, because the SSL/TLS peer must already have the CA certificate for the peer to have any confidence in \fB\*(PN\fR's identity. However, this offers a way for -a new installation to bootstrap the CA certificate on its first SSL +a new installation to bootstrap the CA certificate on its first SSL/TLS connection. diff --git a/lib/ssl-peer-ca-cert.xml b/lib/ssl-peer-ca-cert.xml index 3d46ff511..eddc5de27 100644 --- a/lib/ssl-peer-ca-cert.xml +++ b/lib/ssl-peer-ca-cert.xml @@ -4,7 +4,7 @@

Specifies a PEM file that contains one or more additional certificates - to send to SSL peers. peer-cacert.pem should be the CA + to send to SSL/TLS peers. peer-cacert.pem should be the CA certificate used to sign the program's own certificate, that is, the certificate specified on -c or --certificate. If the program's certificate is self-signed, then @@ -12,10 +12,10 @@ the same file.

- This option is not useful in normal operation, because the SSL peer + This option is not useful in normal operation, because the SSL/TLS peer must already have the CA certificate for the peer to have any confidence in the program's identity. However, this offers a way for - a new installation to bootstrap the CA certificate on its first SSL + a new installation to bootstrap the CA certificate on its first SSL/TLS connection.

diff --git a/lib/ssl.man b/lib/ssl.man index 44a95fd68..9bec3a786 100644 --- a/lib/ssl.man +++ b/lib/ssl.man @@ -1,25 +1,26 @@ .IP "\fB\-p\fR \fIprivkey.pem\fR" .IQ "\fB\-\-private\-key=\fIprivkey.pem\fR" Specifies a PEM file containing the private key used as \fB\*(PN\fR's -identity for outgoing SSL connections. +identity for outgoing SSL/TLS connections. . .IP "\fB\-c\fR \fIcert.pem\fR" .IQ "\fB\-\-certificate=\fIcert.pem\fR" Specifies a PEM file containing a certificate that certifies the private key specified on \fB\-p\fR or \fB\-\-private\-key\fR to be trustworthy. The certificate must be signed by the certificate -authority (CA) that the peer in SSL connections will use to verify it. +authority (CA) that the peer in SSL/TLS connections will use to +verify it. . .IP "\fB\-C\fR \fIcacert.pem\fR" .IQ "\fB\-\-ca\-cert=\fIcacert.pem\fR" Specifies a PEM file containing the CA certificate that \fB\*(PN\fR -should use to verify certificates presented to it by SSL peers. (This -may be the same certificate that SSL peers use to verify the +should use to verify certificates presented to it by SSL/TLS peers. +(This may be the same certificate that SSL/TLS peers use to verify the certificate specified on \fB\-c\fR or \fB\-\-certificate\fR, or it may be a different one, depending on the PKI design in use.) . .IP "\fB\-C none\fR" .IQ "\fB\-\-ca\-cert=none\fR" -Disables verification of certificates presented by SSL peers. This +Disables verification of certificates presented by SSL/TLS peers. This introduces a security risk, because it means that certificates cannot be verified to be those of known trusted hosts. diff --git a/lib/ssl.xml b/lib/ssl.xml index c3a1aca58..bd2502898 100644 --- a/lib/ssl.xml +++ b/lib/ssl.xml @@ -4,7 +4,7 @@
--private-key=privkey.pem
Specifies a PEM file containing the private key used as - identity for outgoing SSL connections. + identity for outgoing SSL/TLS connections.
-c cert.pem
@@ -13,15 +13,15 @@ Specifies a PEM file containing a certificate that certifies the private key specified on -p or --private-key to be trustworthy. The certificate must be signed by the certificate - authority (CA) that the peer in SSL connections will use to verify it. + authority (CA) that the peer in SSL/TLS connections will use to verify it.
-C cacert.pem
--ca-cert=cacert.pem
Specifies a PEM file containing the CA certificate for - verifying certificates presented to this program by SSL peers. (This - may be the same certificate that SSL peers use to verify the + verifying certificates presented to this program by SSL/TLS peers. (This + may be the same certificate that SSL/TLS peers use to verify the certificate specified on -c or --certificate, or it may be a different one, depending on the PKI design in use.)
@@ -29,7 +29,7 @@
-C none
--ca-cert=none
- Disables verification of certificates presented by SSL peers. This + Disables verification of certificates presented by SSL/TLS peers. This introduces a security risk, because it means that certificates cannot be verified to be those of known trusted hosts.
diff --git a/lib/stream-nossl.c b/lib/stream-nossl.c index 6ea622b7c..71ef2361f 100644 --- a/lib/stream-nossl.c +++ b/lib/stream-nossl.c @@ -31,8 +31,9 @@ stream_ssl_is_configured(void) OVS_NO_RETURN static void nossl_option(const char *detail) { - VLOG_FATAL("%s specified but Open vSwitch was built without SSL support", - detail); + VLOG_FATAL( + "%s specified but Open vSwitch was built without SSL/TLS support", + detail); } void @@ -78,13 +79,13 @@ stream_ssl_set_key_and_cert(const char *private_key_file, void stream_ssl_set_protocols(const char *arg OVS_UNUSED) { - /* Ignore this option since it seems harmless to set SSL protocols if SSL - * won't be used. */ + /* Ignore this option since it seems harmless to set SSL/TLS protocols if + * SSL/TLS won't be used. */ } void stream_ssl_set_ciphers(const char *arg OVS_UNUSED) { - /* Ignore this option since it seems harmless to set SSL ciphers if SSL - * won't be used. */ + /* Ignore this option since it seems harmless to set SSL/TLS ciphers if + * SSL/TLS won't be used. */ } diff --git a/lib/stream-ssl.c b/lib/stream-ssl.c index 36e0187f1..8928e83e0 100644 --- a/lib/stream-ssl.c +++ b/lib/stream-ssl.c @@ -64,7 +64,7 @@ VLOG_DEFINE_THIS_MODULE(stream_ssl); -/* Active SSL. */ +/* Active SSL/TLS. */ enum ssl_state { STATE_TCP_CONNECTING, @@ -567,7 +567,8 @@ ssl_connect(struct stream *stream) * certificate, but that's more trouble than it's worth. These * connections will succeed the next time they retry, assuming that * they have a certificate against the correct CA.) */ - VLOG_INFO("rejecting SSL connection during bootstrap race window"); + VLOG_INFO( + "rejecting SSL/TLS connection during bootstrap race window"); return EPROTO; } else { #if OPENSSL_SUPPORTS_SNI 
@@ -671,7 +672,7 @@ interpret_ssl_error(const char *function, int ret, int error, function, ovs_strerror(status)); return status; } else { - VLOG_WARN_RL(&rl, "%s: unexpected SSL connection close", + VLOG_WARN_RL(&rl, "%s: unexpected SSL/TLS connection close", function); return EPROTO; } @@ -873,7 +874,7 @@ const struct stream_class ssl_stream_class = { ssl_wait, /* wait */ }; -/* Passive SSL. */ +/* Passive SSL/TLS. */ struct pssl_pstream { @@ -1056,8 +1057,8 @@ do_ssl_init(void) /* OpenSSL has a bunch of "connection methods": SSLv2_method(), * SSLv3_method(), TLSv1_method(), SSLv23_method(), ... Most of these - * support exactly one version of SSL, e.g. TLSv1_method() supports TLSv1 - * only, not any earlier *or later* version. The only exception is + * support exactly one version of SSL/TLS, e.g. TLSv1_method() supports + * TLSv1 only, not any earlier *or later* version. The only exception is * SSLv23_method(), which in fact supports *any* version of SSL and TLS. * We don't want SSLv2 or SSLv3 support, so we turn it off below with * SSL_CTX_set_options(). @@ -1132,7 +1133,7 @@ tmp_dh_callback(SSL *ssl OVS_UNUSED, int is_export OVS_UNUSED, int keylength) } #endif -/* Returns true if SSL is at least partially configured. */ +/* Returns true if SSL/TLS is at least partially configured. */ bool stream_ssl_is_configured(void) { @@ -1243,7 +1244,7 @@ stream_ssl_set_key_and_cert(const char *private_key_file, } } -/* Sets SSL ciphers based on string input. Aborts with an error message +/* Sets SSL/TLS ciphers based on string input. Aborts with an error message * if 'arg' is invalid. */ void stream_ssl_set_ciphers(const char *arg) 
@@ -1258,8 +1259,8 @@ stream_ssl_set_ciphers(const char *arg) ssl_ciphers = xstrdup(arg); } -/* Set SSL protocols based on the string input. Aborts with an error message - * if 'arg' is invalid. */ +/* Set SSL/TLS protocols based on the string input. Aborts with an error + * message if 'arg' is invalid. */ void stream_ssl_set_protocols(const char *arg) { @@ -1289,7 +1290,7 @@ stream_ssl_set_protocols(const char *arg) char *save_ptr = NULL; char *word = strtok_r(s, " ,\t", &save_ptr); if (word == NULL) { - VLOG_ERR("SSL protocol settings invalid"); + VLOG_ERR("SSL/TLS protocol settings invalid"); goto exit; } while (word != NULL) { @@ -1306,7 +1307,7 @@ stream_ssl_set_protocols(const char *arg) } if (!no_flag) { - VLOG_ERR("%s: SSL protocol not recognized", word); + VLOG_ERR("%s: SSL/TLS protocol not recognized", word); goto exit; } @@ -1484,17 +1485,18 @@ stream_ssl_set_ca_cert_file__(const char *file_name, } /* Sets 'file_name' as the name of the file from which to read the CA - * certificate used to verify the peer within SSL connections. If 'bootstrap' - * is false, the file must exist. If 'bootstrap' is false, then the file is - * read if it is exists; if it does not, then it will be created from the CA - * certificate received from the peer on the first SSL connection. */ + * certificate used to verify the peer within SSL/TLS connections. If + * 'bootstrap' is false, the file must exist. If 'bootstrap' is false, then + * the file is read if it is exists; if it does not, then it will be created + * from the CA certificate received from the peer on the first SSL/TLS + * connection. */ void stream_ssl_set_ca_cert_file(const char *file_name, bool bootstrap) { stream_ssl_set_ca_cert_file__(file_name, bootstrap, false); } -/* SSL protocol logging. */ +/* SSL/TLS protocol logging. */ static const char * ssl_alert_level_to_string(uint8_t type) diff --git a/lib/stream.c b/lib/stream.c index 6f5821689..baf01a801 100644 --- a/lib/stream.c +++ b/lib/stream.c 
@@ -131,7 +131,7 @@ stream_usage(const char *name, bool active, bool passive, "PORT at remote HOST\n"); #ifdef HAVE_OPENSSL printf(" ssl:HOST:PORT " - "SSL PORT at remote HOST\n"); + "SSL/TLS PORT at remote HOST\n"); #endif printf(" unix:FILE " "Unix domain socket named FILE\n"); @@ -143,14 +143,14 @@ stream_usage(const char *name, bool active, bool passive, "listen to TCP PORT on IP\n"); #ifdef HAVE_OPENSSL printf(" pssl:PORT[:IP] " - "listen for SSL on PORT on IP\n"); + "listen for SSL/TLS on PORT on IP\n"); #endif printf(" punix:FILE " "listen on Unix domain socket FILE\n"); } #ifdef HAVE_OPENSSL - printf("PKI configuration (required to use SSL):\n" + printf("PKI configuration (required to use SSL/TLS):\n" " -p, --private-key=FILE file with private key\n" " -c, --certificate=FILE file with certificate for private key\n" " -C, --ca-cert=FILE file with peer CA certificate\n"); @@ -158,9 +158,9 @@ stream_usage(const char *name, bool active, bool passive, printf(" --bootstrap-ca-cert=FILE file with peer CA certificate " "to read or create\n"); } - printf("SSL options:\n" - " --ssl-protocols=PROTOS list of SSL protocols to enable\n" - " --ssl-ciphers=CIPHERS list of SSL ciphers to enable\n"); + printf("SSL/TLS options:\n" + " --ssl-protocols=PROTOS list of SSL/TLS protocols to enable\n" + " --ssl-ciphers=CIPHERS list of SSL/TLS ciphers to enable\n"); #endif } @@ -827,7 +827,7 @@ stream_content_type_to_string(enum stream_content_type type) return "OpenFlow"; case STREAM_SSL: - return "SSL"; + return "SSL/TLS"; } } diff --git a/lib/vconn.c b/lib/vconn.c index 4b1c262ea..040955d67 100644 --- a/lib/vconn.c +++ b/lib/vconn.c 
@@ -143,7 +143,7 @@ vconn_usage(bool active, bool passive, bool bootstrap OVS_UNUSED) "PORT (default: %d) at remote HOST\n", OFP_PORT); #ifdef HAVE_OPENSSL printf(" ssl:HOST[:PORT] " - "SSL PORT (default: %d) at remote HOST\n", OFP_PORT); + "SSL/TLS PORT (default: %d) at remote HOST\n", OFP_PORT); #endif printf(" unix:FILE Unix domain socket named FILE\n"); } @@ -155,7 +155,7 @@ vconn_usage(bool active, bool passive, bool bootstrap OVS_UNUSED) OFP_PORT); #ifdef HAVE_OPENSSL printf(" pssl:[PORT][:IP] " - "listen for SSL on PORT (default: %d) on IP\n", + "listen for SSL/TLS on PORT (default: %d) on IP\n", OFP_PORT); #endif printf(" punix:FILE " @@ -163,7 +163,7 @@ vconn_usage(bool active, bool passive, bool bootstrap OVS_UNUSED) } #ifdef HAVE_OPENSSL - printf("PKI configuration (required to use SSL):\n" + printf("PKI configuration (required to use SSL/TLS):\n" " -p, --private-key=FILE file with private key\n" " -c, --certificate=FILE file with certificate for private key\n" " -C, --ca-cert=FILE file with peer CA certificate\n"); diff --git a/m4/openvswitch.m4 b/m4/openvswitch.m4 index 47aa9da16..a6b5c783b 100644 --- a/m4/openvswitch.m4 +++ b/m4/openvswitch.m4 @@ -280,10 +280,10 @@ AC_DEFUN([OVS_CHECK_OPENSSL], $SSL_PKG_ERRORS -OpenFlow connections over SSL will not be supported. +OpenFlow connections over SSL/TLS will not be supported. (You may use --disable-ssl to suppress this warning.)]) else - AC_MSG_ERROR([Cannot find openssl (use --disable-ssl to configure without SSL support)]) + AC_MSG_ERROR([Cannot find openssl (use --disable-ssl to configure without SSL/TLS support)]) fi]) else HAVE_OPENSSL=no diff --git a/ovsdb/local-config.xml b/ovsdb/local-config.xml index b502aea4c..52566505e 100644 --- a/ovsdb/local-config.xml +++ b/ovsdb/local-config.xml @@ -51,18 +51,18 @@

- The specified SSL port on the host at the given + The specified SSL/TLS port on the host at the given host, which can either be a DNS name (if built with - unbound library) or an IP address. A valid SSL configuration must - be provided when this form is used, this configuration can be - specified via command-line options or the + unbound library) or an IP address. A valid SSL/TLS configuration + must be provided when this form is used, this configuration can + be specified via command-line options or the table.

If port is not specified, it defaults to 6640.

- SSL support is an optional feature that is not always + SSL/TLS support is an optional feature that is not always built as part of Open vSwitch.

@@ -87,7 +87,8 @@

- Listens for SSL connections on the specified TCP port. + Listens for SSL/TLS connections on the specified TCP + port. Specify 0 for port to have the kernel automatically choose an available port. If host, which can either be a DNS name (if built with unbound library) or an IP address, @@ -96,7 +97,7 @@ host is an IPv6 address, wrap in square brackets, e.g. pssl:6640:[::1]. If host is not specified then it listens only on IPv4 (but not IPv6) addresses. - A valid SSL configuration must be provided when this form is + A valid SSL/TLS configuration must be provided when this form is used, this can be specified either via command-line options or the table.

@@ -104,8 +105,8 @@ If port is not specified, it defaults to 6640.

- SSL support is an optional feature that is not always built as - part of Open vSwitch. + SSL/TLS support is an optional feature that is not always built + as part of Open vSwitch.

diff --git a/ovsdb/ovsdb-client.1.in b/ovsdb/ovsdb-client.1.in index 91e0b3e25..c15804597 100644 --- a/ovsdb/ovsdb-client.1.in +++ b/ovsdb/ovsdb-client.1.in @@ -368,7 +368,7 @@ effect. .SS "Public Key Infrastructure Options" .so lib/ssl.man .so lib/ssl-bootstrap.man -.SS "SSL Connection Options" +.SS "SSL/TLS Connection Options" .so lib/ssl-connect.man .SS "Other Options" .so lib/ovs-replay.man diff --git a/ovsdb/ovsdb-server.c b/ovsdb/ovsdb-server.c index a876f8bcf..13c7543cc 100644 --- a/ovsdb/ovsdb-server.c +++ b/ovsdb/ovsdb-server.c @@ -67,7 +67,7 @@ VLOG_DEFINE_THIS_MODULE(ovsdb_server); -/* SSL configuration. */ +/* SSL/TLS configuration. */ static char *private_key_file; static char *certificate_file; static char *ca_cert_file; @@ -692,7 +692,7 @@ reconfigure_ovsdb_server(struct server_config *server_config) } else { error = reconfigure_ssl(server_config->all_dbs); if (error) { - VLOG_WARN("failed to configure SSL: %s", error); + VLOG_WARN("failed to configure SSL/TLS: %s", error); res = false; } } diff --git a/python/ovs/reconnect.py b/python/ovs/reconnect.py index 6b0d023ae..6b8e49afd 100644 --- a/python/ovs/reconnect.py +++ b/python/ovs/reconnect.py @@ -537,7 +537,7 @@ class Reconnect(object): connections that quickly abort, so it is OK to call self.connected() after a low-level successful connection (e.g. connect()) even if the connection might soon abort due to a - failure at a high-level (e.g. SSL negotiation failure). + failure at a high-level (e.g. SSL/TLS negotiation failure). - Passive client, ovs.reconnect.CONNECT: The client should try to listen for a connection, if it is not already listening. It diff --git a/python/ovs/stream.py b/python/ovs/stream.py index 4fa91beea..5578b7a6b 100644 --- a/python/ovs/stream.py +++ b/python/ovs/stream.py 
@@ -728,7 +728,7 @@ def usage(name): Active %s connection methods: unix:FILE Unix domain socket named FILE tcp:HOST:PORT TCP socket to HOST with port no of PORT - ssl:HOST:PORT SSL socket to HOST with port no of PORT + ssl:HOST:PORT SSL/TLS socket to HOST with port no of PORT Passive %s connection methods: punix:FILE Listen on Unix domain socket FILE""" % (name, name) @@ -797,7 +797,7 @@ class SSLStream(Stream): ctx.options |= ssl.OP_NO_SSLv3 ctx.options |= ssl.OP_NO_TLSv1 ctx.options |= ssl.OP_NO_TLSv1_1 - # If the client has not set the SSL configuration files + # If the client has not set the SSL/TLS configuration files # exception would be raised. ctx.load_verify_locations(Stream._SSL_ca_cert_file) ctx.load_cert_chain(Stream._SSL_certificate_file, @@ -821,7 +821,7 @@ class SSLStream(Stream): if retval: return retval - # TCP Connection is successful. Now do the SSL handshake + # TCP Connection is successful. Now do the SSL/TLS handshake. try: self.socket.do_handshake() except ssl.SSLWantReadError: @@ -864,5 +864,5 @@ class SSLStream(Stream): if ssl: - # Register SSL only if the OpenSSL module is available + # Register SSL/TLS only if the OpenSSL module is available. Stream.register_method("ssl", SSLStream) diff --git a/tests/ofproto-macros.at b/tests/ofproto-macros.at index c27d96177..779a054e8 100644 --- a/tests/ofproto-macros.at +++ b/tests/ofproto-macros.at @@ -46,7 +46,7 @@ s/unix#[0-9]*:/unix:/ # PARSE_LISTENING_PORT LOGFILE VARIABLE # -# Parses the TCP or SSL port on which a server is listening from +# Parses the TCP or SSL/TLS port on which a server is listening from # LOGFILE, given that the server was told to listen on a kernel-chosen # port, and assigns the port number to shell VARIABLE. You should # specify the listening remote as ptcp:0:127.0.0.1 or diff --git a/tests/ovsdb-idl.at b/tests/ovsdb-idl.at index 72e5bff16..f9f79f194 100644 --- a/tests/ovsdb-idl.at +++ b/tests/ovsdb-idl.at 
@@ -256,14 +256,14 @@ m4_define([OVSDB_CHECK_IDL_TCP6_MULTIPLE_REMOTES_PY], OVSDB_SERVER_SHUTDOWN AT_CLEANUP]) -# same as OVSDB_CHECK_IDL but uses the Python IDL implementation with SSL +# same as OVSDB_CHECK_IDL but uses the Python IDL implementation with SSL/TLS m4_define([OVSDB_CHECK_IDL_SSL_PY], - [AT_SETUP([ovsdb-idl - $1 - Python3 - SSL]) + [AT_SETUP([ovsdb-idl - $1 - Python3 - SSL/TLS]) AT_SKIP_IF([test "$HAVE_OPENSSL" = no]) $PYTHON3 -c "import ssl" SSL_PRESENT=$? AT_SKIP_IF([test $SSL_PRESENT != 0]) - AT_KEYWORDS([ovsdb server idl positive Python with ssl socket $5]) + AT_KEYWORDS([ovsdb server idl positive Python with ssl tls socket $5]) AT_CHECK([ovsdb-tool create db $abs_srcdir/idltest.ovsschema], [0], [stdout], [ignore]) PKIDIR=$abs_top_builddir/tests @@ -288,7 +288,7 @@ m4_define([OVSDB_CHECK_IDL_SSL_PY], AT_CHECK([sort stdout | uuidfilt]m4_if([$6],,, [[| $6]]), [0], [$4]) OVSDB_SERVER_SHUTDOWN([" - /unexpected SSL connection close/d + /unexpected SSL\/TLS connection close/d /Protocol error/d "]) AT_CLEANUP]) @@ -2473,7 +2473,7 @@ m4_define([CHECK_STREAM_OPEN_BLOCK], AT_CHECK([$2 PROTOCOL:$4:$WRONG_PORT $SSL_KEY_ARGS], [1], [ignore], [ignore]) OVSDB_SERVER_SHUTDOWN([" - /unexpected SSL connection close/d + /unexpected SSL\/TLS connection close/d /Protocol error/d "]) AT_CHECK([$2 PROTOCOL:$4:$TCP_PORT $SSL_KEY_ARGS], [1], [ignore], [ignore]) diff --git a/tests/ovsdb-server.at b/tests/ovsdb-server.at index 36caf9202..320a8c6a9 100644 --- a/tests/ovsdb-server.at +++ b/tests/ovsdb-server.at @@ -824,8 +824,8 @@ OVSDB_SERVER_SHUTDOWN([" "]) AT_CLEANUP -AT_SETUP([SSL db: implementation]) -AT_KEYWORDS([ovsdb server positive ssl $5]) +AT_SETUP([SSL/TLS db: implementation]) +AT_KEYWORDS([ovsdb server positive ssl tls $5]) AT_SKIP_IF([test "$HAVE_OPENSSL" = no]) # For this test, we pass PKIDIR through a ovsdb-tool transact and # msys on Windows does not convert the path style automatically. 
@@ -1604,7 +1604,7 @@ AT_CHECK([test $(get_memory_value atoms) -eq $db_atoms_before_conversion]) OVSDB_SERVER_SHUTDOWN AT_CLEANUP -AT_BANNER([OVSDB -- ovsdb-server transactions (SSL IPv4 sockets)]) +AT_BANNER([OVSDB -- ovsdb-server transactions (SSL/TLS IPv4 sockets)]) # OVSDB_CHECK_EXECUTION(TITLE, SCHEMA, TRANSACTIONS, OUTPUT, [KEYWORDS]) # @@ -1622,7 +1622,7 @@ AT_BANNER([OVSDB -- ovsdb-server transactions (SSL IPv4 sockets)]) # TITLE is provided to AT_SETUP and KEYWORDS to AT_KEYWORDS. m4_define([OVSDB_CHECK_EXECUTION], [AT_SETUP([$1]) - AT_KEYWORDS([ovsdb server positive ssl $5]) + AT_KEYWORDS([ovsdb server positive ssl tls $5]) AT_SKIP_IF([test "$HAVE_OPENSSL" = no]) $2 > schema PKIDIR=$abs_top_builddir/tests @@ -1640,7 +1640,7 @@ cat stdout >> output EXECUTION_EXAMPLES -AT_BANNER([OVSDB -- ovsdb-server transactions (SSL IPv6 sockets)]) +AT_BANNER([OVSDB -- ovsdb-server transactions (SSL/TLS IPv6 sockets)]) # OVSDB_CHECK_EXECUTION(TITLE, SCHEMA, TRANSACTIONS, OUTPUT, [KEYWORDS]) # @@ -1658,7 +1658,7 @@ AT_BANNER([OVSDB -- ovsdb-server transactions (SSL IPv6 sockets)]) # TITLE is provided to AT_SETUP and KEYWORDS to AT_KEYWORDS. m4_define([OVSDB_CHECK_EXECUTION], [AT_SETUP([$1]) - AT_KEYWORDS([ovsdb server positive ssl6 $5]) + AT_KEYWORDS([ovsdb server positive ssl6 ssl tls $5]) AT_SKIP_IF([test "$HAVE_OPENSSL" = no]) AT_SKIP_IF([test $HAVE_IPV6 = no]) $2 > schema diff --git a/tests/test-ovsdb.py b/tests/test-ovsdb.py index 60752ef4a..57fc1d449 100644 --- a/tests/test-ovsdb.py +++ b/tests/test-ovsdb.py @@ -745,7 +745,7 @@ def do_idl(schema_file, remote, *commands): if remote.startswith("ssl:"): if len(commands) < 3: - sys.stderr.write("SSL connection requires private key, " + sys.stderr.write("SSL/TLS connection requires private key, " "certificate for private key, and peer CA " "certificate as arguments\n") sys.exit(1) 
@@ -970,7 +970,7 @@ def do_idl_cluster(schema_file, remote, pid, *commands): if remote.startswith("ssl:"): if len(commands) < 3: - sys.stderr.write("SSL connection requires private key, " + sys.stderr.write("SSL/TLS connection requires private key, " "certificate for private key, and peer CA " "certificate as arguments\n") sys.exit(1) diff --git a/utilities/ovs-ofctl.8.in b/utilities/ovs-ofctl.8.in index d0f99f2bb..dc26d7835 100644 --- a/utilities/ovs-ofctl.8.in +++ b/utilities/ovs-ofctl.8.in @@ -722,8 +722,8 @@ Non-OpenFlow packets are ignored. By default, data on TCP ports 6633 and 6653 are considered to be OpenFlow. Specify one or more \fIport\fR arguments to override the default. .IP -This command cannot usefully print SSL encrypted traffic. It does not -understand IPv6. +This command cannot usefully print SSL/TLS encrypted traffic. It does +not understand IPv6. . .SS "Flow Syntax" .PP diff --git a/utilities/ovs-vsctl.8.in b/utilities/ovs-vsctl.8.in index 5ce949df4..575b7c0bf 100644 --- a/utilities/ovs-vsctl.8.in +++ b/utilities/ovs-vsctl.8.in @@ -155,7 +155,7 @@ Prints a brief overview of the database contents. . .IP "\fBemer\-reset\fR" Reset the configuration into a clean state. It deconfigures OpenFlow -controllers, OVSDB servers, and SSL, and deletes port mirroring, +controllers, OVSDB servers, and SSL/TLS, and deletes port mirroring, \fBfail_mode\fR, NetFlow, sFlow, and IPFIX configuration. This command also removes all \fBother\-config\fR keys from all database records, except that \fBother\-config:hwaddr\fR is preserved if it is 
@@ -479,13 +479,13 @@ Sets the configured manager target or targets. Each \fItarget\fR may be an OVSDB active or passive connection method, e.g. \fBpssl:6640\fR, as described in \fBovsdb\fR(7). . -.SS "SSL Configuration" -When \fBovs\-vswitchd\fR is configured to connect over SSL for management or -controller connectivity, the following parameters are required: +.SS "SSL/TLS Configuration" +When \fBovs\-vswitchd\fR is configured to connect over SSL/TLS for management +or controller connectivity, the following parameters are required: .TP \fIprivate-key\fR Specifies a PEM file containing the private key used as the virtual -switch's identity for SSL connections to the controller. +switch's identity for SSL/TLS connections to the controller. .TP \fIcertificate\fR Specifies a PEM file containing a certificate, signed by the 
@@ -500,37 +500,37 @@ the virtual switch is connected to a trustworthy controller. These files are read only once, at \fBovs\-vswitchd\fR startup time. If their contents change, \fBovs\-vswitchd\fR must be killed and restarted. .PP -These SSL settings apply to all SSL connections made by the virtual +These SSL/TLS settings apply to all SSL/TLS connections made by the virtual switch. . .IP "\fBget\-ssl\fR" -Prints the SSL configuration. +Prints the SSL/TLS configuration. . .IP "\fBdel\-ssl\fR" -Deletes the current SSL configuration. +Deletes the current SSL/TLS configuration. . .IP "[\fB\-\-bootstrap\fR] \fBset\-ssl\fR \fIprivate-key\fR \fIcertificate\fR \fIca-cert\fR" -Sets the SSL configuration. The \fB\-\-bootstrap\fR option is described +Sets the SSL/TLS configuration. The \fB\-\-bootstrap\fR option is described below. . .ST "CA Certificate Bootstrap" .PP -Ordinarily, all of the files named in the SSL configuration must exist +Ordinarily, all of the files named in the SSL/TLS configuration must exist when \fBovs\-vswitchd\fR starts. However, if the \fIca-cert\fR file does not exist and the \fB\-\-bootstrap\fR option is given, then \fBovs\-vswitchd\fR will attempt to obtain the -CA certificate from the controller on its first SSL connection and +CA certificate from the controller on its first SSL/TLS connection and save it to the named PEM file. If it is successful, it will immediately drop the connection and reconnect, and from then on all -SSL connections must be authenticated by a certificate signed by the +SSL/TLS connections must be authenticated by a certificate signed by the CA certificate thus obtained. .PP -\fBThis option exposes the SSL connection to a man-in-the-middle +\fBThis option exposes the SSL/TLS connection to a man-in-the-middle attack obtaining the initial CA certificate\fR, but it may be useful for bootstrapping. .PP This option is only useful if the controller sends its CA certificate -as part of the SSL certificate chain. 
The SSL protocol does not +as part of the SSL/TLS certificate chain. SSL/TLS protocols do not require the controller to send the CA certificate. . .SS "Auto-Attach Commands" diff --git a/utilities/ovs-vsctl.c b/utilities/ovs-vsctl.c index edef0f18e..dd494622f 100644 --- a/utilities/ovs-vsctl.c +++ b/utilities/ovs-vsctl.c @@ -429,10 +429,10 @@ Manager commands:\n\ [--inactivity-probe=MSECS]\n\ set-manager TARGET... set the list of managers to TARGET...\n\ \n\ -SSL commands:\n\ - get-ssl print the SSL configuration\n\ - del-ssl delete the SSL configuration\n\ - set-ssl PRIV-KEY CERT CA-CERT set the SSL configuration\n\ +SSL/TLS commands:\n\ + get-ssl print the SSL/TLS configuration\n\ + del-ssl delete the SSL/TLS configuration\n\ + set-ssl PRIV-KEY CERT CA-CERT set the SSL/TLS configuration\n\ \n\ Auto Attach commands:\n\ add-aa-mapping BRIDGE I-SID VLAN add Auto Attach mapping to BRIDGE\n\ @@ -3254,7 +3254,7 @@ static const struct ctl_command_syntax vsctl_commands[] = { {"set-manager", 1, INT_MAX, "TARGET...", pre_manager, cmd_set_manager, NULL, "--inactivity-probe=", RW}, - /* SSL commands. */ + /* SSL/TLS commands. */ {"get-ssl", 0, 0, "", pre_cmd_get_ssl, cmd_get_ssl, NULL, "", RO}, {"del-ssl", 0, 0, "", pre_cmd_del_ssl, cmd_del_ssl, NULL, "", RW}, {"set-ssl", 3, 3, "PRIVATE-KEY CERTIFICATE CA-CERT", pre_cmd_set_ssl, diff --git a/vswitchd/bridge.c b/vswitchd/bridge.c index 12c5fb513..509ea19ec 100644 --- a/vswitchd/bridge.c +++ b/vswitchd/bridge.c 
@@ -3417,12 +3417,13 @@ bridge_run(void) bridge_run__(); - /* Re-configure SSL. We do this on every trip through the main loop, + /* Re-configure SSL/TLS. We do this on every trip through the main loop, * instead of just when the database changes, because the contents of the * key and certificate files can change without the database changing. * * We do this before bridge_reconfigure() because that function might - * initiate SSL connections and thus requires SSL to be configured. */ + * initiate SSL/TLS connections and thus requires SSL/TLS to be configured. + */ if (cfg && cfg->ssl) { const struct ovsrec_ssl *ssl = cfg->ssl; diff --git a/vswitchd/vswitch.xml b/vswitchd/vswitch.xml index c4e2669ee..275bcbec0 100644 --- a/vswitchd/vswitch.xml +++ b/vswitchd/vswitch.xml @@ -64,7 +64,7 @@ - SSL used globally by the daemon. + SSL/TLS used globally by the daemon. @@ -5487,14 +5487,14 @@ ovs-vsctl add-port br0 p0 -- set Interface p0 type=patch options:peer=p1 \
ssl:host[:port]
-

The specified SSL port on the host at the +

The specified SSL/TLS port on the host at the given host, which can either be a DNS name (if built with unbound library) or an IP address. The column in the table must - point to a valid SSL configuration when this form is used.

+ point to a valid SSL/TLS configuration when this form is used.

If port is not specified, it defaults to 6653.

-

SSL support is an optional feature that is not always built as - part of Open vSwitch.

+

SSL/TLS support is an optional feature that is not always built + as part of Open vSwitch.

tcp:host[:port]
@@ -5517,7 +5517,8 @@ ovs-vsctl add-port br0 p0 -- set Interface p0 type=patch options:peer=p1 \
pssl:[port][:host]

- Listens for SSL connections on the specified TCP port. + Listens for SSL/TLS connections on the specified TCP + port. If host, which can either be a DNS name (if built with unbound library) or an IP address, is specified, then connections are restricted to the resolved or specified local IP address @@ -5530,14 +5531,14 @@ ovs-vsctl add-port br0 p0 -- set Interface p0 type=patch options:peer=p1 \ IPv4 (but not IPv6) addresses. The column in the table must point to a - valid SSL configuration when this form is used. + valid SSL/TLS configuration when this form is used.

If port is not specified, it currently to 6653.

- SSL support is an optional feature that is not always built as - part of Open vSwitch. + SSL/TLS support is an optional feature that is not always built + as part of Open vSwitch.

ptcp:[port][:host]
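Review bot: the unchanged context line "If port is not specified, it currently to 6653." in the pssl: entry of vswitch.xml carries a pre-existing typo (missing verb); since this hunk already rewraps the surrounding paragraph, fix it in the same patch to "If port is not specified, it currently defaults to 6653." so it matches the wording of the ssl: entry just above it ("it defaults to 6653").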
@@ -5907,18 +5908,18 @@ ovs-vsctl add-port br0 p0 -- set Interface p0 type=patch options:peer=p1 \
ssl:host[:port]

- The specified SSL port on the host at the given + The specified SSL/TLS port on the host at the given host, which can either be a DNS name (if built with unbound library) or an IP address. The column in the - table must point to a valid SSL configuration when this + table must point to a valid SSL/TLS configuration when this form is used.

If port is not specified, it defaults to 6640.

- SSL support is an optional feature that is not always + SSL/TLS support is an optional feature that is not always built as part of Open vSwitch.

@@ -5939,7 +5940,8 @@ ovs-vsctl add-port br0 p0 -- set Interface p0 type=patch options:peer=p1 \
pssl:[port][:host]

- Listens for SSL connections on the specified TCP port. + Listens for SSL/TLS connections on the specified TCP + port. Specify 0 for port to have the kernel automatically choose an available port. If host, which can either be a DNS name (if built with unbound library) or an IP address, @@ -5949,15 +5951,15 @@ ovs-vsctl add-port br0 p0 -- set Interface p0 type=patch options:peer=p1 \ e.g. pssl:6640:[::1]. If host is not specified then it listens only on IPv4 (but not IPv6) addresses. The column in the table must point to a valid SSL + table="Open_vSwitch"/> table must point to a valid SSL/TLS configuration when this form is used.

If port is not specified, it defaults to 6640.

- SSL support is an optional feature that is not always built as - part of Open vSwitch. + SSL/TLS support is an optional feature that is not always built + as part of Open vSwitch.

ptcp:[port][:host]
@@ -6736,11 +6738,11 @@ ovs-vsctl add-port br0 p0 -- set Interface p0 type=patch options:peer=p1 \ - SSL configuration for an Open_vSwitch. + SSL/TLS configuration for an Open_vSwitch. Name of a PEM file containing the private key used as the switch's - identity for SSL connections to the controller. + identity for SSL/TLS connections to the controller. @@ -6757,12 +6759,12 @@ ovs-vsctl add-port br0 p0 -- set Interface p0 type=patch options:peer=p1 \ If set to true, then Open vSwitch will attempt to - obtain the CA certificate from the controller on its first SSL + obtain the CA certificate from the controller on its first SSL/TLS connection and save it to the named PEM file. If it is successful, it will immediately drop the connection and reconnect, and from then - on all SSL connections must be authenticated by a certificate signed + on all SSL/TLS connections must be authenticated by a certificate signed by the CA certificate thus obtained. This option exposes the - SSL connection to a man-in-the-middle attack obtaining the initial + SSL/TLS connection to a man-in-the-middle attack obtaining the initial CA certificate. It may still be useful for bootstrapping. diff --git a/vtep/vtep.xml b/vtep/vtep.xml index 927efed5f..903dadf90 100644 --- a/vtep/vtep.xml +++ b/vtep/vtep.xml @@ -119,12 +119,12 @@
ssl:host[:port]

- The specified SSL port (default: 6640) on the given - host, which can either be a DNS name (if built with - unbound library) or an IP address. + The specified SSL/TLS port (default: 6640) on the + given host, which can either be a DNS name (if built + with unbound library) or an IP address.

- SSL key and certificate configuration happens outside the + SSL/TLS key and certificate configuration happens outside the database.

@@ -138,11 +138,11 @@
pssl:[port][:host]

- Listens for SSL connections on the specified TCP port - (default: 6640). If host, which can either be a DNS - name (if built with unbound library) or an IP address, is - specified, then connections are restricted to the resolved or - specified local IP address. + Listens for SSL/TLS connections on the specified TCP + port (default: 6640). If host, which can + either be a DNS name (if built with unbound library) or an IP + address, is specified, then connections are restricted to the + resolved or specified local IP address.

ptcp:[port][:host]
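Review bot: the sed filters changed in both ovsdb-idl.at hunks (`/unexpected SSL\/TLS connection close/d`) now expect the daemon to log "unexpected SSL/TLS connection close", but no hunk in this diff touches the code that emits that message. Confirm that the emitting log string is renamed in an earlier commit of the series; otherwise the old "unexpected SSL connection close" line is no longer filtered by OVSDB_SERVER_SHUTDOWN and these tests will fail on unexpected log output.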
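Review bot: the ovsdb-server.c hunk changes a runtime log message (`VLOG_WARN("failed to configure SSL/TLS: %s", error)`), not just a comment, and the test hunks rename AT_SETUP titles ("SSL/TLS db: implementation", "ovsdb-idl - $1 - Python3 - SSL/TLS"). Both are visible to anyone grepping logs or running the suite by title, so grep the tree and packaging scripts for the old strings and call the renamed messages out in the commit message (or NEWS) so log-based monitoring can be updated.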
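Review bot: in ovsdb-server.at the IPv6 macro's keyword list changes from `ssl6 $5` to `ssl6 ssl tls $5`, which means `-k ssl` now also selects the IPv6 transaction tests that it previously skipped. That is probably the intent (one keyword covers both families), but it changes which tests a `-k ssl` run executes, so state it explicitly in the commit message.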
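Review bot: the "CA Certificate Bootstrap" paragraph in ovs-vsctl.8.in (and the matching text in vswitch.xml) keeps the bold man-in-the-middle warning, which is right, but still gives the operator nothing to do about it. While this text is being rewrapped anyway, add one sentence recommending that the ca-cert file obtained by --bootstrap be verified out of band (for example by comparing its fingerprint with the controller operator) before the switch is relied on, and that --bootstrap be removed once the file is in place.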