mirror of https://github.com/openvswitch/ovs synced 2025-08-22 09:58:01 +00:00

treewide: Refer to SSL configuration as SSL/TLS.

The SSL protocol family is not actually being used or supported in OVS.
What we use is actually TLS.

The terms "SSL" and "TLS" are often used interchangeably in modern
software and refer to the same thing, which is normally just TLS.

Let's replace "SSL" with "SSL/TLS" in documentation and user-visible
messages, where it makes sense.  This may make it more clear what
is meant for a less experienced user that may look for TLS support
in OVS and not find much.

We're not changing any actual code, because, for example, most of the
OpenSSL APIs are using just SSL, for historical reasons.  And our
database is using the "SSL" table.  We may consider migrating to "TLS"
naming for user-visible configuration like command line arguments
and database names, but that will require extra work on making sure
upgrades can still work.  In general, slightly clearer
documentation should be enough for now, especially since the term SSL
is still widely used in the industry.

"SSL/TLS" is chosen over "TLS/SSL" simply because our user-visible
configuration knobs are using "SSL" naming, e.g. '--ssl-ciphers'
or 'ovs-vsctl set-ssl'.  So, it might be less confusing this way.
We may switch that, if we decide on re-working the user-visible
commands towards "TLS" naming, or providing both alternatives.

Some other projects made similar changes.  For example, the Python ssl
library is now using "TLS/SSL" in the documentation whenever possible.
Same goes for OpenSSL itself.

Acked-by: Eelco Chaudron <echaudro@redhat.com>
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
Ilya Maximets 2024-12-09 17:38:45 +01:00
parent 923a80d1d1
commit 49f299313d
33 changed files with 212 additions and 203 deletions


@ -21,18 +21,18 @@
Avoid deeper levels because they do not render well. Avoid deeper levels because they do not render well.
===================== =========================
Open vSwitch with SSL Open vSwitch with SSL/TLS
===================== =========================
If you plan to configure Open vSwitch to connect across the network to an If you plan to configure Open vSwitch to connect across the network to an
OpenFlow controller, then we recommend that you build Open vSwitch with OpenFlow controller, then we recommend that you build Open vSwitch with
OpenSSL. SSL support ensures integrity and confidentiality of the OpenFlow OpenSSL. SSL/TLS support ensures integrity and confidentiality of the OpenFlow
connections, increasing network security. connections, increasing network security.
This document describes how to configure an Open vSwitch to connect to an This document describes how to configure an Open vSwitch to connect to an
OpenFlow controller over SSL. Refer to :doc:`/intro/install/general`. for OpenFlow controller over SSL/TLS. Refer to :doc:`/intro/install/general`. for
instructions on building Open vSwitch with SSL support. instructions on building Open vSwitch with SSL/TLS support.
Open vSwitch uses TLS version 1.2 or later (TLSv1.2), as specified by Open vSwitch uses TLS version 1.2 or later (TLSv1.2), as specified by
RFC 5246. TLSv1.2 was released in August 2008, so all current software and RFC 5246. TLSv1.2 was released in August 2008, so all current software and
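Review bot: while this paragraph is being rewrapped, the stray period in "Refer to :doc:`/intro/install/general`. for" could go too; it renders as a sentence break in the middle of the sentence. The new underline lengths do match the widened headings.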
@ -41,16 +41,16 @@ hardware should implement it.
This document assumes basic familiarity with public-key cryptography and This document assumes basic familiarity with public-key cryptography and
public-key infrastructure. public-key infrastructure.
SSL Concepts for OpenFlow SSL/TLS Concepts for OpenFlow
------------------------- -----------------------------
This section is an introduction to the public-key infrastructure architectures This section is an introduction to the public-key infrastructure architectures
that Open vSwitch supports for SSL authentication. that Open vSwitch supports for SSL/TLS authentication.
To connect over SSL, every Open vSwitch must have a unique private/public key To connect over SSL/TLS, every Open vSwitch must have a unique private/public
pair and a certificate that signs that public key. Typically, the Open vSwitch key pair and a certificate that signs that public key. Typically, the
generates its own public/private key pair. There are two common ways to obtain Open vSwitch generates its own public/private key pair. There are two common
a certificate for a switch: ways to obtain a certificate for a switch:
* Self-signed certificates: The Open vSwitch signs its certificate with its own * Self-signed certificates: The Open vSwitch signs its certificate with its own
private key. In this case, each switch must be individually approved by the private key. In this case, each switch must be individually approved by the
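Review bot: the heading text in this hunk becomes the target of the `SSL/TLS Concepts for OpenFlow`_ references introduced in the later hunks of this file, so it has to stay byte-identical to them. Turning the quoted section names into real references is a good side effect of the rename: Sphinx will flag any future drift instead of silently leaving a dangling mention.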
@ -149,9 +149,9 @@ created, because they could be used to impersonate the controller.
Switch Key Generation with Self-Signed Certificates Switch Key Generation with Self-Signed Certificates
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
If you are using self-signed certificates (see "SSL Concepts for OpenFlow"), If you are using self-signed certificates (see
this is one way to create an acceptable certificate for your controller to `SSL/TLS Concepts for OpenFlow`_), this is one way to create an acceptable
approve. certificate for your controller to approve.
1. Run the following command on the Open vSwitch itself:: 1. Run the following command on the Open vSwitch itself::
@ -178,15 +178,15 @@ approve.
have to use CA certificate bootstrapping when you configure Open vSwitch in have to use CA certificate bootstrapping when you configure Open vSwitch in
the next step.) the next step.)
3. Configure Open vSwitch to use the keys and certificates (see "Configuring 3. Configure Open vSwitch to use the keys and certificates (see
SSL Support", below). `Configuring SSL/TLS Support`_, below).
Switch Key Generation with a Switch PKI (Easy Method) Switch Key Generation with a Switch PKI (Easy Method)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
If you are using a switch PKI (see "SSL Concepts for OpenFlow", above), this If you are using a switch PKI (see `SSL/TLS Concepts for OpenFlow`_, above),
method of switch key generation is a little easier than the alternate method this method of switch key generation is a little easier than the alternate
described below, but it is also a little less secure because it requires method described below, but it is also a little less secure because it requires
copying a sensitive private key from file from the machine hosting the PKI to copying a sensitive private key from file from the machine hosting the PKI to
the switch. the switch.
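Review bot: "copying a sensitive private key from file from the machine hosting the PKI" has a duplicated "from" that predates this patch; since the paragraph is reflowed anyway, suggest "copying a sensitive private key file from the machine hosting the PKI to the switch".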
@ -215,15 +215,15 @@ the switch.
Don't delete controllerca/cacert.pem! It is not security-sensitive and Don't delete controllerca/cacert.pem! It is not security-sensitive and
you will need it to configure additional switches. you will need it to configure additional switches.
4. Configure Open vSwitch to use the keys and certificates (see "Configuring 4. Configure Open vSwitch to use the keys and certificates (see
SSL Support", below). `Configuring SSL/TLS Support`_, below).
Switch Key Generation with a Switch PKI (More Secure) Switch Key Generation with a Switch PKI (More Secure)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
If you are using a switch PKI (see "SSL Concepts for OpenFlow", above), then, If you are using a switch PKI (see `SSL/TLS Concepts for OpenFlow`_, above),
compared to the previous method, the method described here takes a little more then, compared to the previous method, the method described here takes a little
work, but it does not involve copying the private key from one machine to more work, but it does not involve copying the private key from one machine to
another, so it may also be a little more secure. another, so it may also be a little more secure.
1. Run the following command on the Open vSwitch itself:: 1. Run the following command on the Open vSwitch itself::
@ -274,15 +274,15 @@ another, so it may also be a little more secure.
Don't delete `controllerca/cacert.pem`! It is not security-sensitive and Don't delete `controllerca/cacert.pem`! It is not security-sensitive and
you will need it to configure additional switches. you will need it to configure additional switches.
5. Configure Open vSwitch to use the keys and certificates (see "Configuring 5. Configure Open vSwitch to use the keys and certificates (see
SSL Support", below). `Configuring SSL/TLS Support`_, below).
Configuring SSL Support Configuring SSL/TLS Support
----------------------- ---------------------------
SSL configuration requires three additional configuration files. The first two SSL/TLS configuration requires three additional configuration files. The first
of these are unique to each Open vSwitch. If you used the instructions above two of these are unique to each Open vSwitch. If you used the instructions
to build your PKI, then these files will be named `sc-privkey.pem` and above to build your PKI, then these files will be named `sc-privkey.pem` and
`sc-cert.pem`, respectively: `sc-cert.pem`, respectively:
- A private key file, which contains the private half of an RSA or DSA key. - A private key file, which contains the private half of an RSA or DSA key.
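Review bot: minor consistency point: `controllerca/cacert.pem` is backticked in this hunk's "Don't delete" note but not in the identical note of the previous hunk; pick one style while these lines are being touched.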
@ -320,17 +320,18 @@ above. You should use absolute file names (ones that begin with ``/``),
because ovs-vswitchd's current directory is unrelated to the one from which you because ovs-vswitchd's current directory is unrelated to the one from which you
run ovs-vsctl. run ovs-vsctl.
If you are using self-signed certificates (see "SSL Concepts for OpenFlow") and If you are using self-signed certificates (see
you did not copy controllerca/cacert.pem from the PKI machine to the Open `SSL/TLS Concepts for OpenFlow`_) and you did not copy controllerca/cacert.pem
vSwitch, then add the ``--bootstrap`` option, e.g.:: from the PKI machine to the Open vSwitch, then add the ``--bootstrap`` option,
e.g.::
$ ovs-vsctl -- --bootstrap set-ssl /etc/openvswitch/sc-privkey.pem \ $ ovs-vsctl -- --bootstrap set-ssl /etc/openvswitch/sc-privkey.pem \
/etc/openvswitch/sc-cert.pem /etc/openvswitch/cacert.pem /etc/openvswitch/sc-cert.pem /etc/openvswitch/cacert.pem
After you have added all of these configuration keys, you may specify ``ssl:`` After you have added all of these configuration keys, you may specify ``ssl:``
connection methods elsewhere in the configuration database. ``tcp:`` connection connection methods elsewhere in the configuration database. ``tcp:`` connection
methods are still allowed even after SSL has been configured, so for security methods are still allowed even after SSL/TLS has been configured, so for
you should use only ``ssl:`` connections. security you should use only ``ssl:`` connections.
Reporting Bugs Reporting Bugs
-------------- --------------
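Review bot: the `--bootstrap` example in this hunk is where most readers will copy the command from, but the warning that bootstrapping exposes the first connection to a man-in-the-middle obtaining the CA certificate lives only in the `--bootstrap-ca-cert` option reference further down in this patch. Suggest a one-line pointer to that caveat next to the example; the closing advice to use only ``ssl:`` connections once configured is worth keeping exactly as rewrapped.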


@ -429,7 +429,7 @@ database that it can use::
Configure ovsdb-server to use database created above, to listen on a Unix Configure ovsdb-server to use database created above, to listen on a Unix
domain socket, to connect to any managers specified in the database itself, and domain socket, to connect to any managers specified in the database itself, and
to use the SSL configuration in the database:: to use the SSL/TLS configuration in the database::
$ mkdir -p /usr/local/var/run/openvswitch $ mkdir -p /usr/local/var/run/openvswitch
$ ovsdb-server --remote=punix:/usr/local/var/run/openvswitch/db.sock \ $ ovsdb-server --remote=punix:/usr/local/var/run/openvswitch/db.sock \
@ -440,8 +440,8 @@ to use the SSL configuration in the database::
--pidfile --detach --log-file --pidfile --detach --log-file
.. note:: .. note::
If you built Open vSwitch without SSL support, then omit ``--private-key``, If you built Open vSwitch without SSL/TLS support, then omit
``--certificate``, and ``--bootstrap-ca-cert``.) ``--private-key``, ``--certificate``, and ``--bootstrap-ca-cert``.)
Initialize the database using ovs-vsctl. This is only necessary the first time Initialize the database using ovs-vsctl. This is only necessary the first time
after you create the database with ovsdb-tool, though running it at any time is after you create the database with ovsdb-tool, though running it at any time is
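Review bot: the note ends with an unmatched ")" after ``--bootstrap-ca-cert`` (there is no opening parenthesis anywhere in the sentence); drop it while rewrapping the line.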


@ -665,7 +665,7 @@ the opposite arrangement as well.
OVSDB supports the following active connection methods: OVSDB supports the following active connection methods:
ssl:<host>:<port> ssl:<host>:<port>
The specified SSL or TLS <port> on the given <host>. The specified SSL/TLS <port> on the given <host>.
tcp:<host>:<port> tcp:<host>:<port>
The specified TCP <port> on the given <host>. The specified TCP <port> on the given <host>.
@ -692,7 +692,7 @@ unix:<file>
OVSDB supports the following passive connection methods: OVSDB supports the following passive connection methods:
pssl:<port>[:<ip>] pssl:<port>[:<ip>]
Listen on the given TCP <port> for SSL or TLS connections. By default, Listen on the given TCP <port> for SSL/TLS connections. By default,
connections are not bound to a particular local IP address. Specifying connections are not bound to a particular local IP address. Specifying
<ip> limits connections to those from the given IP. <ip> limits connections to those from the given IP.
@ -725,8 +725,8 @@ versions, we encourage users to specify a port number.
The ``ssl`` and ``pssl`` connection methods requires additional configuration The ``ssl`` and ``pssl`` connection methods requires additional configuration
through ``--private-key``, ``--certificate``, and ``--ca-cert`` command line through ``--private-key``, ``--certificate``, and ``--ca-cert`` command line
options. Open vSwitch can be built without SSL support, in which case these options. Open vSwitch can be built without SSL/TLS support, in which case
connection methods are not supported. these connection methods are not supported.
Database Life Cycle Database Life Cycle
=================== ===================
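Review bot: subject-verb agreement: "The ``ssl`` and ``pssl`` connection methods requires" should read "require"; the line is already being reflowed in this hunk.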


@ -4,7 +4,7 @@
# #
# This is a space-delimited list of connection methods: # This is a space-delimited list of connection methods:
# #
# * "pssl:[PORT]": Listen for SSL connections on the specified PORT # * "pssl:[PORT]": Listen for SSL/TLS connections on the specified PORT
# (default: 6653). The private key, certificate, and CA certificate # (default: 6653). The private key, certificate, and CA certificate
# must be specified below. # must be specified below.
# #
@ -14,15 +14,15 @@
LISTEN="pssl:" LISTEN="pssl:"
# PRIVKEY: Name of file containing controller's private key. # PRIVKEY: Name of file containing controller's private key.
# Required if SSL enabled. # Required if SSL/TLS enabled.
PRIVKEY=/etc/openvswitch-testcontroller/privkey.pem PRIVKEY=/etc/openvswitch-testcontroller/privkey.pem
# CERT: Name of file containing certificate for private key. # CERT: Name of file containing certificate for private key.
# Required if SSL enabled. # Required if SSL/TLS enabled.
CERT=/etc/openvswitch-testcontroller/cert.pem CERT=/etc/openvswitch-testcontroller/cert.pem
# CACERT: Name of file containing switch CA certificate. # CACERT: Name of file containing switch CA certificate.
# Required if SSL enabled. # Required if SSL/TLS enabled.
CACERT=/etc/openvswitch-testcontroller/cacert.pem CACERT=/etc/openvswitch-testcontroller/cacert.pem
# Additional options to pass to ovs-testcontroller, e.g. "--hub" # Additional options to pass to ovs-testcontroller, e.g. "--hub"


@ -607,7 +607,7 @@ reconnect_deadline__(const struct reconnect *fsm, long long int now)
* connections that quickly abort, so it is OK to call * connections that quickly abort, so it is OK to call
* reconnect_connected() after a low-level successful connection * reconnect_connected() after a low-level successful connection
* (e.g. connect()) even if the connection might soon abort due to a * (e.g. connect()) even if the connection might soon abort due to a
* failure at a high-level (e.g. SSL negotiation failure). * failure at a high-level (e.g. SSL/TLS negotiation failure).
* *
* - Passive client, RECONNECT_CONNECT: The client should try to listen for * - Passive client, RECONNECT_CONNECT: The client should try to listen for
* a connection, if it is not already listening. It should call * a connection, if it is not already listening. It should call


@ -2,19 +2,19 @@
When \fIcacert.pem\fR exists, this option has the same effect as When \fIcacert.pem\fR exists, this option has the same effect as
\fB\-C\fR or \fB\-\-ca\-cert\fR. If it does not exist, then \fB\-C\fR or \fB\-\-ca\-cert\fR. If it does not exist, then
\fB\*(PN\fR will attempt to obtain the CA certificate from the \fB\*(PN\fR will attempt to obtain the CA certificate from the
SSL peer on its first SSL connection and save it to the named PEM SSL/TLS peer on its first SSL/TLS connection and save it to the named
file. If it is successful, it will immediately drop the connection PEM file. If it is successful, it will immediately drop the connection
and reconnect, and from then on all SSL connections must be and reconnect, and from then on all SSL/TLS connections must be
authenticated by a certificate signed by the CA certificate thus authenticated by a certificate signed by the CA certificate thus
obtained. obtained.
.IP .IP
\fBThis option exposes the SSL connection to a man-in-the-middle \fBThis option exposes the SSL/TLS connection to a man-in-the-middle
attack obtaining the initial CA certificate\fR, but it may be useful attack obtaining the initial CA certificate\fR, but it may be useful
for bootstrapping. for bootstrapping.
.IP .IP
This option is only useful if the SSL peer sends its CA certificate as This option is only useful if the SSL/TLS peer sends its CA certificate
part of the SSL certificate chain. The SSL protocol does not require as part of the SSL/TLS certificate chain. SSL/TLS protocols do not
the server to send the CA certificate. require the server to send the CA certificate.
.IP .IP
This option is mutually exclusive with \fB\-C\fR and This option is mutually exclusive with \fB\-C\fR and
\fB\-\-ca\-cert\fR. \fB\-\-ca\-cert\fR.


@ -6,21 +6,21 @@
When <var>cacert.pem</var> exists, this option has the same effect When <var>cacert.pem</var> exists, this option has the same effect
as <code>-C</code> or <code>--ca-cert</code>. If it does not exist, as <code>-C</code> or <code>--ca-cert</code>. If it does not exist,
then the executable will attempt to obtain the CA certificate from the then the executable will attempt to obtain the CA certificate from the
SSL peer on its first SSL connection and save it to the named PEM SSL/TLS peer on its first SSL/TLS connection and save it to the named
file. If it is successful, it will immediately drop the connection PEM file. If it is successful, it will immediately drop the connection
and reconnect, and from then on all SSL connections must be and reconnect, and from then on all SSL/TLS connections must be
authenticated by a certificate signed by the CA certificate thus authenticated by a certificate signed by the CA certificate thus
obtained. obtained.
</p> </p>
<p> <p>
This option exposes the SSL connection to a man-in-the-middle This option exposes the SSL/TLS connection to a man-in-the-middle
attack obtaining the initial CA certificate, but it may be useful attack obtaining the initial CA certificate, but it may be useful
for bootstrapping. for bootstrapping.
</p> </p>
<p> <p>
This option is only useful if the SSL peer sends its CA certificate as This option is only useful if the SSL/TLS peer sends its CA certificate
part of the SSL certificate chain. The SSL protocol does not require as part of the SSL/TLS certificate chain. SSL/TLS protocols do not
the server to send the CA certificate. require the server to send the CA certificate.
</p> </p>
<p> <p>
This option is mutually exclusive with <code>-C</code> and This option is mutually exclusive with <code>-C</code> and


@ -1,4 +1,4 @@
.IP "SSL connection options:" .IP "SSL/TLS connection options:"
[\fB\-\-ssl\-protocols=\fIprotocols\fR] [\fB\-\-ssl\-protocols=\fIprotocols\fR]
.br .br
[\fB\-\-ssl\-ciphers=\fIciphers\fR] [\fB\-\-ssl\-ciphers=\fIciphers\fR]


@ -1,6 +1,6 @@
.IP "\fB\-\-ssl\-protocols=\fIprotocols\fR" .IP "\fB\-\-ssl\-protocols=\fIprotocols\fR"
Specifies, in a comma- or space-delimited list, the SSL protocols Specifies, in a comma- or space-delimited list, the SSL/TLS protocols
\fB\*(PN\fR will enable for SSL connections. Supported \fB\*(PN\fR will enable for SSL/TLS connections. Supported
\fIprotocols\fR include \fBTLSv1\fR (deprecated), \fBTLSv1.1\fR (deprecated), \fIprotocols\fR include \fBTLSv1\fR (deprecated), \fBTLSv1.1\fR (deprecated),
and \fBTLSv1.2\fR. and \fBTLSv1.2\fR.
Regardless of order, the highest protocol supported by both sides will Regardless of order, the highest protocol supported by both sides will
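Review bot: the supported list for `--ssl-protocols` stops at TLSv1.2, whereas the topic document in the first hunk of this patch says Open vSwitch uses "TLS version 1.2 or later". If TLSv1.3 is negotiated by the build it should appear here; if it is not, the "or later" wording is the one to tighten. Out of scope for a terminology change, but worth a follow-up since this is the option operators use to pin protocol versions.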
@ -9,5 +9,5 @@ omitted is \fBTLSv1.2\fR or later.
. .
.IP "\fB\-\-ssl\-ciphers=\fIciphers\fR" .IP "\fB\-\-ssl\-ciphers=\fIciphers\fR"
Specifies, in OpenSSL cipher string format, the ciphers \fB\*(PN\fR will Specifies, in OpenSSL cipher string format, the ciphers \fB\*(PN\fR will
support for SSL connections. The default when this option is omitted is support for SSL/TLS connections. The default when this option is omitted is
\fBHIGH:!aNULL:!MD5\fR. \fBHIGH:!aNULL:!MD5\fR.


@ -1,13 +1,13 @@
.IP "\fB\-\-peer\-ca\-cert=\fIpeer-cacert.pem\fR" .IP "\fB\-\-peer\-ca\-cert=\fIpeer-cacert.pem\fR"
Specifies a PEM file that contains one or more additional certificates Specifies a PEM file that contains one or more additional certificates
to send to SSL peers. \fIpeer-cacert.pem\fR should be the CA to send to SSL/TLS peers. \fIpeer-cacert.pem\fR should be the CA
certificate used to sign \fB\*(PN\fR's own certificate, that is, the certificate used to sign \fB\*(PN\fR's own certificate, that is, the
certificate specified on \fB\-c\fR or \fB\-\-certificate\fR. If certificate specified on \fB\-c\fR or \fB\-\-certificate\fR. If
\fB\*(PN\fR's certificate is self-signed, then \fB\-\-certificate\fR \fB\*(PN\fR's certificate is self-signed, then \fB\-\-certificate\fR
and \fB\-\-peer\-ca\-cert\fR should specify the same file. and \fB\-\-peer\-ca\-cert\fR should specify the same file.
.IP .IP
This option is not useful in normal operation, because the SSL peer This option is not useful in normal operation, because the SSL/TLS peer
must already have the CA certificate for the peer to have any must already have the CA certificate for the peer to have any
confidence in \fB\*(PN\fR's identity. However, this offers a way for confidence in \fB\*(PN\fR's identity. However, this offers a way for
a new installation to bootstrap the CA certificate on its first SSL a new installation to bootstrap the CA certificate on its first SSL/TLS
connection. connection.


@ -4,7 +4,7 @@
<dd> <dd>
<p> <p>
Specifies a PEM file that contains one or more additional certificates Specifies a PEM file that contains one or more additional certificates
to send to SSL peers. <var>peer-cacert.pem</var> should be the CA to send to SSL/TLS peers. <var>peer-cacert.pem</var> should be the CA
certificate used to sign the program's own certificate, that is, the certificate used to sign the program's own certificate, that is, the
certificate specified on <code>-c</code> or <code>--certificate</code>. certificate specified on <code>-c</code> or <code>--certificate</code>.
If the program's certificate is self-signed, then If the program's certificate is self-signed, then
@ -12,10 +12,10 @@
the same file. the same file.
</p> </p>
<p> <p>
This option is not useful in normal operation, because the SSL peer This option is not useful in normal operation, because the SSL/TLS peer
must already have the CA certificate for the peer to have any must already have the CA certificate for the peer to have any
confidence in the program's identity. However, this offers a way for confidence in the program's identity. However, this offers a way for
a new installation to bootstrap the CA certificate on its first SSL a new installation to bootstrap the CA certificate on its first SSL/TLS
connection. connection.
</p> </p>
</dd> </dd>


@ -1,25 +1,26 @@
.IP "\fB\-p\fR \fIprivkey.pem\fR" .IP "\fB\-p\fR \fIprivkey.pem\fR"
.IQ "\fB\-\-private\-key=\fIprivkey.pem\fR" .IQ "\fB\-\-private\-key=\fIprivkey.pem\fR"
Specifies a PEM file containing the private key used as \fB\*(PN\fR's Specifies a PEM file containing the private key used as \fB\*(PN\fR's
identity for outgoing SSL connections. identity for outgoing SSL/TLS connections.
. .
.IP "\fB\-c\fR \fIcert.pem\fR" .IP "\fB\-c\fR \fIcert.pem\fR"
.IQ "\fB\-\-certificate=\fIcert.pem\fR" .IQ "\fB\-\-certificate=\fIcert.pem\fR"
Specifies a PEM file containing a certificate that certifies the Specifies a PEM file containing a certificate that certifies the
private key specified on \fB\-p\fR or \fB\-\-private\-key\fR to be private key specified on \fB\-p\fR or \fB\-\-private\-key\fR to be
trustworthy. The certificate must be signed by the certificate trustworthy. The certificate must be signed by the certificate
authority (CA) that the peer in SSL connections will use to verify it. authority (CA) that the peer in SSL/TLS connections will use to
verify it.
. .
.IP "\fB\-C\fR \fIcacert.pem\fR" .IP "\fB\-C\fR \fIcacert.pem\fR"
.IQ "\fB\-\-ca\-cert=\fIcacert.pem\fR" .IQ "\fB\-\-ca\-cert=\fIcacert.pem\fR"
Specifies a PEM file containing the CA certificate that \fB\*(PN\fR Specifies a PEM file containing the CA certificate that \fB\*(PN\fR
should use to verify certificates presented to it by SSL peers. (This should use to verify certificates presented to it by SSL/TLS peers.
may be the same certificate that SSL peers use to verify the (This may be the same certificate that SSL/TLS peers use to verify the
certificate specified on \fB\-c\fR or \fB\-\-certificate\fR, or it may certificate specified on \fB\-c\fR or \fB\-\-certificate\fR, or it may
be a different one, depending on the PKI design in use.) be a different one, depending on the PKI design in use.)
. .
.IP "\fB\-C none\fR" .IP "\fB\-C none\fR"
.IQ "\fB\-\-ca\-cert=none\fR" .IQ "\fB\-\-ca\-cert=none\fR"
Disables verification of certificates presented by SSL peers. This Disables verification of certificates presented by SSL/TLS peers. This
introduces a security risk, because it means that certificates cannot introduces a security risk, because it means that certificates cannot
be verified to be those of known trusted hosts. be verified to be those of known trusted hosts.


@ -4,7 +4,7 @@
<dt><code>--private-key=</code><var>privkey.pem</var></dt> <dt><code>--private-key=</code><var>privkey.pem</var></dt>
<dd> <dd>
Specifies a PEM file containing the private key used as Specifies a PEM file containing the private key used as
identity for outgoing SSL connections. identity for outgoing SSL/TLS connections.
</dd> </dd>
<dt><code>-c</code> <var>cert.pem</var></dt> <dt><code>-c</code> <var>cert.pem</var></dt>
@ -13,15 +13,15 @@
Specifies a PEM file containing a certificate that certifies the Specifies a PEM file containing a certificate that certifies the
private key specified on <code>-p</code> or <code>--private-key</code> to be private key specified on <code>-p</code> or <code>--private-key</code> to be
trustworthy. The certificate must be signed by the certificate trustworthy. The certificate must be signed by the certificate
authority (CA) that the peer in SSL connections will use to verify it. authority (CA) that the peer in SSL/TLS connections will use to verify it.
</dd> </dd>
<dt><code>-C</code> <var>cacert.pem</var></dt> <dt><code>-C</code> <var>cacert.pem</var></dt>
<dt><code>--ca-cert=</code><var>cacert.pem</var></dt> <dt><code>--ca-cert=</code><var>cacert.pem</var></dt>
<dd> <dd>
Specifies a PEM file containing the CA certificate for Specifies a PEM file containing the CA certificate for
verifying certificates presented to this program by SSL peers. (This verifying certificates presented to this program by SSL/TLS peers. (This
may be the same certificate that SSL peers use to verify the may be the same certificate that SSL/TLS peers use to verify the
certificate specified on <code>-c</code> or <code>--certificate</code>, or it may certificate specified on <code>-c</code> or <code>--certificate</code>, or it may
be a different one, depending on the PKI design in use.) be a different one, depending on the PKI design in use.)
</dd> </dd>
@ -29,7 +29,7 @@
<dt><code>-C none</code></dt> <dt><code>-C none</code></dt>
<dt><code>--ca-cert=none</code></dt> <dt><code>--ca-cert=none</code></dt>
<dd> <dd>
Disables verification of certificates presented by SSL peers. This Disables verification of certificates presented by SSL/TLS peers. This
introduces a security risk, because it means that certificates cannot introduces a security risk, because it means that certificates cannot
be verified to be those of known trusted hosts. be verified to be those of known trusted hosts.
</dd> </dd>


@ -31,8 +31,9 @@ stream_ssl_is_configured(void)
OVS_NO_RETURN static void OVS_NO_RETURN static void
nossl_option(const char *detail) nossl_option(const char *detail)
{ {
VLOG_FATAL("%s specified but Open vSwitch was built without SSL support", VLOG_FATAL(
detail); "%s specified but Open vSwitch was built without SSL/TLS support",
detail);
} }
void void
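Review bot: this changes a fatal-error string that users see; check whether anything in the test suite matches the old "built without SSL support" wording, since the commit message states that only documentation and user-visible messages are meant to change.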
@ -78,13 +79,13 @@ stream_ssl_set_key_and_cert(const char *private_key_file,
void void
stream_ssl_set_protocols(const char *arg OVS_UNUSED) stream_ssl_set_protocols(const char *arg OVS_UNUSED)
{ {
/* Ignore this option since it seems harmless to set SSL protocols if SSL /* Ignore this option since it seems harmless to set SSL/TLS protocols if
* won't be used. */ * SSL/TLS won't be used. */
} }
void void
stream_ssl_set_ciphers(const char *arg OVS_UNUSED) stream_ssl_set_ciphers(const char *arg OVS_UNUSED)
{ {
/* Ignore this option since it seems harmless to set SSL ciphers if SSL /* Ignore this option since it seems harmless to set SSL/TLS ciphers if
* won't be used. */ * SSL/TLS won't be used. */
} }


@ -64,7 +64,7 @@
VLOG_DEFINE_THIS_MODULE(stream_ssl); VLOG_DEFINE_THIS_MODULE(stream_ssl);
/* Active SSL. */ /* Active SSL/TLS. */
enum ssl_state { enum ssl_state {
STATE_TCP_CONNECTING, STATE_TCP_CONNECTING,
@ -567,7 +567,8 @@ ssl_connect(struct stream *stream)
* certificate, but that's more trouble than it's worth. These * certificate, but that's more trouble than it's worth. These
* connections will succeed the next time they retry, assuming that * connections will succeed the next time they retry, assuming that
* they have a certificate against the correct CA.) */ * they have a certificate against the correct CA.) */
VLOG_INFO("rejecting SSL connection during bootstrap race window"); VLOG_INFO(
"rejecting SSL/TLS connection during bootstrap race window");
return EPROTO; return EPROTO;
} else { } else {
#if OPENSSL_SUPPORTS_SNI #if OPENSSL_SUPPORTS_SNI
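Review bot: "rejecting SSL connection during bootstrap race window" is the kind of line operators alert on, because it fires only while CA bootstrapping is in progress; rewording it to "SSL/TLS" silently breaks any log pattern keyed on the old text. Suggest calling out the changed log strings in the release notes so monitoring rules can be updated alongside the upgrade.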
@ -671,7 +672,7 @@ interpret_ssl_error(const char *function, int ret, int error,
function, ovs_strerror(status)); function, ovs_strerror(status));
return status; return status;
} else { } else {
VLOG_WARN_RL(&rl, "%s: unexpected SSL connection close", VLOG_WARN_RL(&rl, "%s: unexpected SSL/TLS connection close",
function); function);
return EPROTO; return EPROTO;
} }
@ -873,7 +874,7 @@ const struct stream_class ssl_stream_class = {
ssl_wait, /* wait */ ssl_wait, /* wait */
}; };
/* Passive SSL. */ /* Passive SSL/TLS. */
struct pssl_pstream struct pssl_pstream
{ {
@ -1056,8 +1057,8 @@ do_ssl_init(void)
/* OpenSSL has a bunch of "connection methods": SSLv2_method(), /* OpenSSL has a bunch of "connection methods": SSLv2_method(),
* SSLv3_method(), TLSv1_method(), SSLv23_method(), ... Most of these * SSLv3_method(), TLSv1_method(), SSLv23_method(), ... Most of these
* support exactly one version of SSL, e.g. TLSv1_method() supports TLSv1 * support exactly one version of SSL/TLS, e.g. TLSv1_method() supports
* only, not any earlier *or later* version. The only exception is * TLSv1 only, not any earlier *or later* version. The only exception is
* SSLv23_method(), which in fact supports *any* version of SSL and TLS. * SSLv23_method(), which in fact supports *any* version of SSL and TLS.
* We don't want SSLv2 or SSLv3 support, so we turn it off below with * We don't want SSLv2 or SSLv3 support, so we turn it off below with
* SSL_CTX_set_options(). * SSL_CTX_set_options().
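Review bot: while this comment is being reworded it still reads as if SSLv2 and SSLv3 could be negotiated and only SSL_CTX_set_options() keeps them out. With OpenSSL 1.1.0 and later, SSLv23_method() is just a deprecated alias of TLS_method(), SSLv2 was removed entirely and SSLv3 is disabled by default at build time, so a one-line mention of that would save the next reader a detour. No code change is needed, which matches the stated scope of the patch.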
@ -1132,7 +1133,7 @@ tmp_dh_callback(SSL *ssl OVS_UNUSED, int is_export OVS_UNUSED, int keylength)
} }
#endif #endif
/* Returns true if SSL is at least partially configured. */ /* Returns true if SSL/TLS is at least partially configured. */
bool bool
stream_ssl_is_configured(void) stream_ssl_is_configured(void)
{ {
@ -1243,7 +1244,7 @@ stream_ssl_set_key_and_cert(const char *private_key_file,
} }
} }
/* Sets SSL ciphers based on string input. Aborts with an error message /* Sets SSL/TLS ciphers based on string input. Aborts with an error message
* if 'arg' is invalid. */ * if 'arg' is invalid. */
void void
stream_ssl_set_ciphers(const char *arg) stream_ssl_set_ciphers(const char *arg)
@ -1258,8 +1259,8 @@ stream_ssl_set_ciphers(const char *arg)
ssl_ciphers = xstrdup(arg); ssl_ciphers = xstrdup(arg);
} }
/* Set SSL protocols based on the string input. Aborts with an error message /* Set SSL/TLS protocols based on the string input. Aborts with an error
* if 'arg' is invalid. */ * message if 'arg' is invalid. */
void void
stream_ssl_set_protocols(const char *arg) stream_ssl_set_protocols(const char *arg)
{ {
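Review bot: style nit, since the comment is being rewrapped anyway: it opens with "Set SSL/TLS protocols" while the sibling comment on stream_ssl_set_ciphers directly above opens with "Sets SSL/TLS ciphers"; use "Sets" here too.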
@ -1289,7 +1290,7 @@ stream_ssl_set_protocols(const char *arg)
char *save_ptr = NULL; char *save_ptr = NULL;
char *word = strtok_r(s, " ,\t", &save_ptr); char *word = strtok_r(s, " ,\t", &save_ptr);
if (word == NULL) { if (word == NULL) {
VLOG_ERR("SSL protocol settings invalid"); VLOG_ERR("SSL/TLS protocol settings invalid");
goto exit; goto exit;
} }
while (word != NULL) { while (word != NULL) {
@ -1306,7 +1307,7 @@ stream_ssl_set_protocols(const char *arg)
} }
if (!no_flag) { if (!no_flag) {
VLOG_ERR("%s: SSL protocol not recognized", word); VLOG_ERR("%s: SSL/TLS protocol not recognized", word);
goto exit; goto exit;
} }
@ -1484,17 +1485,18 @@ stream_ssl_set_ca_cert_file__(const char *file_name,
} }
/* Sets 'file_name' as the name of the file from which to read the CA /* Sets 'file_name' as the name of the file from which to read the CA
* certificate used to verify the peer within SSL connections. If 'bootstrap' * certificate used to verify the peer within SSL/TLS connections. If
* is false, the file must exist. If 'bootstrap' is false, then the file is * 'bootstrap' is false, the file must exist. If 'bootstrap' is false, then
* read if it is exists; if it does not, then it will be created from the CA * the file is read if it is exists; if it does not, then it will be created
* certificate received from the peer on the first SSL connection. */ * from the CA certificate received from the peer on the first SSL/TLS
* connection. */
void void
stream_ssl_set_ca_cert_file(const char *file_name, bool bootstrap) stream_ssl_set_ca_cert_file(const char *file_name, bool bootstrap)
{ {
stream_ssl_set_ca_cert_file__(file_name, bootstrap, false); stream_ssl_set_ca_cert_file__(file_name, bootstrap, false);
} }
/* SSL protocol logging. */ /* SSL/TLS protocol logging. */
static const char * static const char *
ssl_alert_level_to_string(uint8_t type) ssl_alert_level_to_string(uint8_t type)
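Review bot: the rewrapped comment on stream_ssl_set_ca_cert_file contradicts itself: both sentences begin with "If 'bootstrap' is false". The second one describes the bootstrap behaviour (read the file if it exists, otherwise create it from the peer's CA certificate) and should say "If 'bootstrap' is true". Also "if it is exists" should be "if it exists". The hunk already touches every one of these lines, so fix the wording here rather than in a follow-up.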

View File

@ -131,7 +131,7 @@ stream_usage(const char *name, bool active, bool passive,
"PORT at remote HOST\n"); "PORT at remote HOST\n");
#ifdef HAVE_OPENSSL #ifdef HAVE_OPENSSL
printf(" ssl:HOST:PORT " printf(" ssl:HOST:PORT "
"SSL PORT at remote HOST\n"); "SSL/TLS PORT at remote HOST\n");
#endif #endif
printf(" unix:FILE " printf(" unix:FILE "
"Unix domain socket named FILE\n"); "Unix domain socket named FILE\n");
@ -143,14 +143,14 @@ stream_usage(const char *name, bool active, bool passive,
"listen to TCP PORT on IP\n"); "listen to TCP PORT on IP\n");
#ifdef HAVE_OPENSSL #ifdef HAVE_OPENSSL
printf(" pssl:PORT[:IP] " printf(" pssl:PORT[:IP] "
"listen for SSL on PORT on IP\n"); "listen for SSL/TLS on PORT on IP\n");
#endif #endif
printf(" punix:FILE " printf(" punix:FILE "
"listen on Unix domain socket FILE\n"); "listen on Unix domain socket FILE\n");
} }
#ifdef HAVE_OPENSSL #ifdef HAVE_OPENSSL
printf("PKI configuration (required to use SSL):\n" printf("PKI configuration (required to use SSL/TLS):\n"
" -p, --private-key=FILE file with private key\n" " -p, --private-key=FILE file with private key\n"
" -c, --certificate=FILE file with certificate for private key\n" " -c, --certificate=FILE file with certificate for private key\n"
" -C, --ca-cert=FILE file with peer CA certificate\n"); " -C, --ca-cert=FILE file with peer CA certificate\n");
@ -158,9 +158,9 @@ stream_usage(const char *name, bool active, bool passive,
printf(" --bootstrap-ca-cert=FILE file with peer CA certificate " printf(" --bootstrap-ca-cert=FILE file with peer CA certificate "
"to read or create\n"); "to read or create\n");
} }
printf("SSL options:\n" printf("SSL/TLS options:\n"
" --ssl-protocols=PROTOS list of SSL protocols to enable\n" " --ssl-protocols=PROTOS list of SSL/TLS protocols to enable\n"
" --ssl-ciphers=CIPHERS list of SSL ciphers to enable\n"); " --ssl-ciphers=CIPHERS list of SSL/TLS ciphers to enable\n");
#endif #endif
} }
@ -827,7 +827,7 @@ stream_content_type_to_string(enum stream_content_type type)
return "OpenFlow"; return "OpenFlow";
case STREAM_SSL: case STREAM_SSL:
return "SSL"; return "SSL/TLS";
} }
} }

View File

@ -143,7 +143,7 @@ vconn_usage(bool active, bool passive, bool bootstrap OVS_UNUSED)
"PORT (default: %d) at remote HOST\n", OFP_PORT); "PORT (default: %d) at remote HOST\n", OFP_PORT);
#ifdef HAVE_OPENSSL #ifdef HAVE_OPENSSL
printf(" ssl:HOST[:PORT] " printf(" ssl:HOST[:PORT] "
"SSL PORT (default: %d) at remote HOST\n", OFP_PORT); "SSL/TLS PORT (default: %d) at remote HOST\n", OFP_PORT);
#endif #endif
printf(" unix:FILE Unix domain socket named FILE\n"); printf(" unix:FILE Unix domain socket named FILE\n");
} }
@ -155,7 +155,7 @@ vconn_usage(bool active, bool passive, bool bootstrap OVS_UNUSED)
OFP_PORT); OFP_PORT);
#ifdef HAVE_OPENSSL #ifdef HAVE_OPENSSL
printf(" pssl:[PORT][:IP] " printf(" pssl:[PORT][:IP] "
"listen for SSL on PORT (default: %d) on IP\n", "listen for SSL/TLS on PORT (default: %d) on IP\n",
OFP_PORT); OFP_PORT);
#endif #endif
printf(" punix:FILE " printf(" punix:FILE "
@ -163,7 +163,7 @@ vconn_usage(bool active, bool passive, bool bootstrap OVS_UNUSED)
} }
#ifdef HAVE_OPENSSL #ifdef HAVE_OPENSSL
printf("PKI configuration (required to use SSL):\n" printf("PKI configuration (required to use SSL/TLS):\n"
" -p, --private-key=FILE file with private key\n" " -p, --private-key=FILE file with private key\n"
" -c, --certificate=FILE file with certificate for private key\n" " -c, --certificate=FILE file with certificate for private key\n"
" -C, --ca-cert=FILE file with peer CA certificate\n"); " -C, --ca-cert=FILE file with peer CA certificate\n");

View File

@ -280,10 +280,10 @@ AC_DEFUN([OVS_CHECK_OPENSSL],
$SSL_PKG_ERRORS $SSL_PKG_ERRORS
OpenFlow connections over SSL will not be supported. OpenFlow connections over SSL/TLS will not be supported.
(You may use --disable-ssl to suppress this warning.)]) (You may use --disable-ssl to suppress this warning.)])
else else
AC_MSG_ERROR([Cannot find openssl (use --disable-ssl to configure without SSL support)]) AC_MSG_ERROR([Cannot find openssl (use --disable-ssl to configure without SSL/TLS support)])
fi]) fi])
else else
HAVE_OPENSSL=no HAVE_OPENSSL=no
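Review bot: the configure warning says "OpenFlow connections over SSL/TLS will not be supported", but the same switch also removes ssl:/pssl: for OVSDB (the ovsdb(7) text in this patch documents ssl: on port 6640). Suggest "OpenFlow and OVSDB connections over SSL/TLS will not be supported." so that someone who only runs ovsdb-server is not misled into thinking the warning does not apply to them.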

View File

@ -51,18 +51,18 @@
</dt> </dt>
<dd> <dd>
<p> <p>
The specified SSL <var>port</var> on the host at the given The specified SSL/TLS <var>port</var> on the host at the given
<var>host</var>, which can either be a DNS name (if built with <var>host</var>, which can either be a DNS name (if built with
unbound library) or an IP address. A valid SSL configuration must unbound library) or an IP address. A valid SSL/TLS configuration
be provided when this form is used, this configuration can be must be provided when this form is used, this configuration can
specified via command-line options or the <ref table="SSL"/> be specified via command-line options or the <ref table="SSL"/>
table. table.
</p> </p>
<p> <p>
If <var>port</var> is not specified, it defaults to 6640. If <var>port</var> is not specified, it defaults to 6640.
</p> </p>
<p> <p>
SSL support is an optional feature that is not always SSL/TLS support is an optional feature that is not always
built as part of Open vSwitch. built as part of Open vSwitch.
</p> </p>
</dd> </dd>
@ -87,7 +87,8 @@
</dt> </dt>
<dd> <dd>
<p> <p>
Listens for SSL connections on the specified TCP <var>port</var>. Listens for SSL/TLS connections on the specified TCP
<var>port</var>.
Specify 0 for <var>port</var> to have the kernel automatically Specify 0 for <var>port</var> to have the kernel automatically
choose an available port. If <var>host</var>, which can either choose an available port. If <var>host</var>, which can either
be a DNS name (if built with unbound library) or an IP address, be a DNS name (if built with unbound library) or an IP address,
@ -96,7 +97,7 @@
<var>host</var> is an IPv6 address, wrap in square brackets, <var>host</var> is an IPv6 address, wrap in square brackets,
e.g. <code>pssl:6640:[::1]</code>. If <var>host</var> is not e.g. <code>pssl:6640:[::1]</code>. If <var>host</var> is not
specified then it listens only on IPv4 (but not IPv6) addresses. specified then it listens only on IPv4 (but not IPv6) addresses.
A valid SSL configuration must be provided when this form is A valid SSL/TLS configuration must be provided when this form is
used, this can be specified either via command-line options or used, this can be specified either via command-line options or
the <ref table="SSL"/> table. the <ref table="SSL"/> table.
</p> </p>
@ -104,8 +105,8 @@
If <var>port</var> is not specified, it defaults to 6640. If <var>port</var> is not specified, it defaults to 6640.
</p> </p>
<p> <p>
SSL support is an optional feature that is not always built as SSL/TLS support is an optional feature that is not always built
part of Open vSwitch. as part of Open vSwitch.
</p> </p>
</dd> </dd>
<dt> <dt>

View File

@ -368,7 +368,7 @@ effect.
.SS "Public Key Infrastructure Options" .SS "Public Key Infrastructure Options"
.so lib/ssl.man .so lib/ssl.man
.so lib/ssl-bootstrap.man .so lib/ssl-bootstrap.man
.SS "SSL Connection Options" .SS "SSL/TLS Connection Options"
.so lib/ssl-connect.man .so lib/ssl-connect.man
.SS "Other Options" .SS "Other Options"
.so lib/ovs-replay.man .so lib/ovs-replay.man

View File

@ -67,7 +67,7 @@
VLOG_DEFINE_THIS_MODULE(ovsdb_server); VLOG_DEFINE_THIS_MODULE(ovsdb_server);
/* SSL configuration. */ /* SSL/TLS configuration. */
static char *private_key_file; static char *private_key_file;
static char *certificate_file; static char *certificate_file;
static char *ca_cert_file; static char *ca_cert_file;
@ -692,7 +692,7 @@ reconfigure_ovsdb_server(struct server_config *server_config)
} else { } else {
error = reconfigure_ssl(server_config->all_dbs); error = reconfigure_ssl(server_config->all_dbs);
if (error) { if (error) {
VLOG_WARN("failed to configure SSL: %s", error); VLOG_WARN("failed to configure SSL/TLS: %s", error);
res = false; res = false;
} }
} }

View File

@ -537,7 +537,7 @@ class Reconnect(object):
connections that quickly abort, so it is OK to call connections that quickly abort, so it is OK to call
self.connected() after a low-level successful connection self.connected() after a low-level successful connection
(e.g. connect()) even if the connection might soon abort due to a (e.g. connect()) even if the connection might soon abort due to a
failure at a high-level (e.g. SSL negotiation failure). failure at a high-level (e.g. SSL/TLS negotiation failure).
- Passive client, ovs.reconnect.CONNECT: The client should try to - Passive client, ovs.reconnect.CONNECT: The client should try to
listen for a connection, if it is not already listening. It listen for a connection, if it is not already listening. It

View File

@ -728,7 +728,7 @@ def usage(name):
Active %s connection methods: Active %s connection methods:
unix:FILE Unix domain socket named FILE unix:FILE Unix domain socket named FILE
tcp:HOST:PORT TCP socket to HOST with port no of PORT tcp:HOST:PORT TCP socket to HOST with port no of PORT
ssl:HOST:PORT SSL socket to HOST with port no of PORT ssl:HOST:PORT SSL/TLS socket to HOST with port no of PORT
Passive %s connection methods: Passive %s connection methods:
punix:FILE Listen on Unix domain socket FILE""" % (name, name) punix:FILE Listen on Unix domain socket FILE""" % (name, name)
@ -797,7 +797,7 @@ class SSLStream(Stream):
ctx.options |= ssl.OP_NO_SSLv3 ctx.options |= ssl.OP_NO_SSLv3
ctx.options |= ssl.OP_NO_TLSv1 ctx.options |= ssl.OP_NO_TLSv1
ctx.options |= ssl.OP_NO_TLSv1_1 ctx.options |= ssl.OP_NO_TLSv1_1
# If the client has not set the SSL configuration files # If the client has not set the SSL/TLS configuration files
# exception would be raised. # exception would be raised.
ctx.load_verify_locations(Stream._SSL_ca_cert_file) ctx.load_verify_locations(Stream._SSL_ca_cert_file)
ctx.load_cert_chain(Stream._SSL_certificate_file, ctx.load_cert_chain(Stream._SSL_certificate_file,
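Review bot: the rewritten comment is still ungrammatical: "If the client has not set the SSL/TLS configuration files exception would be raised." Suggest "If the client has not set the SSL/TLS configuration files, load_verify_locations() and load_cert_chain() raise an exception." Separately, the OP_NO_SSLv3 / OP_NO_TLSv1 / OP_NO_TLSv1_1 flags just above are deprecated since Python 3.7 in favour of ctx.minimum_version = ssl.TLSVersion.TLSv1_2; out of scope for a wording patch, but worth a follow-up.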
@ -821,7 +821,7 @@ class SSLStream(Stream):
if retval: if retval:
return retval return retval
# TCP Connection is successful. Now do the SSL handshake # TCP Connection is successful. Now do the SSL/TLS handshake.
try: try:
self.socket.do_handshake() self.socket.do_handshake()
except ssl.SSLWantReadError: except ssl.SSLWantReadError:
@ -864,5 +864,5 @@ class SSLStream(Stream):
if ssl: if ssl:
# Register SSL only if the OpenSSL module is available # Register SSL/TLS only if the OpenSSL module is available.
Stream.register_method("ssl", SSLStream) Stream.register_method("ssl", SSLStream)
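Review bot: "Register SSL/TLS only if the OpenSSL module is available" is inaccurate: the guard `if ssl:` tests whether the Python standard-library ssl module was imported, not OpenSSL itself. Suggest "Register the ssl stream method only if the Python ssl module is available."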

View File

@ -46,7 +46,7 @@ s/unix#[0-9]*:/unix:/
# PARSE_LISTENING_PORT LOGFILE VARIABLE # PARSE_LISTENING_PORT LOGFILE VARIABLE
# #
# Parses the TCP or SSL port on which a server is listening from # Parses the TCP or SSL/TLS port on which a server is listening from
# LOGFILE, given that the server was told to listen on a kernel-chosen # LOGFILE, given that the server was told to listen on a kernel-chosen
# port, and assigns the port number to shell VARIABLE. You should # port, and assigns the port number to shell VARIABLE. You should
# specify the listening remote as ptcp:0:127.0.0.1 or # specify the listening remote as ptcp:0:127.0.0.1 or

View File

@ -256,14 +256,14 @@ m4_define([OVSDB_CHECK_IDL_TCP6_MULTIPLE_REMOTES_PY],
OVSDB_SERVER_SHUTDOWN OVSDB_SERVER_SHUTDOWN
AT_CLEANUP]) AT_CLEANUP])
# same as OVSDB_CHECK_IDL but uses the Python IDL implementation with SSL # same as OVSDB_CHECK_IDL but uses the Python IDL implementation with SSL/TLS
m4_define([OVSDB_CHECK_IDL_SSL_PY], m4_define([OVSDB_CHECK_IDL_SSL_PY],
[AT_SETUP([ovsdb-idl - $1 - Python3 - SSL]) [AT_SETUP([ovsdb-idl - $1 - Python3 - SSL/TLS])
AT_SKIP_IF([test "$HAVE_OPENSSL" = no]) AT_SKIP_IF([test "$HAVE_OPENSSL" = no])
$PYTHON3 -c "import ssl" $PYTHON3 -c "import ssl"
SSL_PRESENT=$? SSL_PRESENT=$?
AT_SKIP_IF([test $SSL_PRESENT != 0]) AT_SKIP_IF([test $SSL_PRESENT != 0])
AT_KEYWORDS([ovsdb server idl positive Python with ssl socket $5]) AT_KEYWORDS([ovsdb server idl positive Python with ssl tls socket $5])
AT_CHECK([ovsdb-tool create db $abs_srcdir/idltest.ovsschema], AT_CHECK([ovsdb-tool create db $abs_srcdir/idltest.ovsschema],
[0], [stdout], [ignore]) [0], [stdout], [ignore])
PKIDIR=$abs_top_builddir/tests PKIDIR=$abs_top_builddir/tests
@ -288,7 +288,7 @@ m4_define([OVSDB_CHECK_IDL_SSL_PY],
AT_CHECK([sort stdout | uuidfilt]m4_if([$6],,, [[| $6]]), AT_CHECK([sort stdout | uuidfilt]m4_if([$6],,, [[| $6]]),
[0], [$4]) [0], [$4])
OVSDB_SERVER_SHUTDOWN([" OVSDB_SERVER_SHUTDOWN(["
/unexpected SSL connection close/d /unexpected SSL\/TLS connection close/d
/Protocol error/d /Protocol error/d
"]) "])
AT_CLEANUP]) AT_CLEANUP])
@ -2473,7 +2473,7 @@ m4_define([CHECK_STREAM_OPEN_BLOCK],
AT_CHECK([$2 PROTOCOL:$4:$WRONG_PORT $SSL_KEY_ARGS], [1], [ignore], AT_CHECK([$2 PROTOCOL:$4:$WRONG_PORT $SSL_KEY_ARGS], [1], [ignore],
[ignore]) [ignore])
OVSDB_SERVER_SHUTDOWN([" OVSDB_SERVER_SHUTDOWN(["
/unexpected SSL connection close/d /unexpected SSL\/TLS connection close/d
/Protocol error/d /Protocol error/d
"]) "])
AT_CHECK([$2 PROTOCOL:$4:$TCP_PORT $SSL_KEY_ARGS], [1], [ignore], [ignore]) AT_CHECK([$2 PROTOCOL:$4:$TCP_PORT $SSL_KEY_ARGS], [1], [ignore], [ignore])

View File

@ -824,8 +824,8 @@ OVSDB_SERVER_SHUTDOWN(["
"]) "])
AT_CLEANUP AT_CLEANUP
AT_SETUP([SSL db: implementation]) AT_SETUP([SSL/TLS db: implementation])
AT_KEYWORDS([ovsdb server positive ssl $5]) AT_KEYWORDS([ovsdb server positive ssl tls $5])
AT_SKIP_IF([test "$HAVE_OPENSSL" = no]) AT_SKIP_IF([test "$HAVE_OPENSSL" = no])
# For this test, we pass PKIDIR through a ovsdb-tool transact and # For this test, we pass PKIDIR through a ovsdb-tool transact and
# msys on Windows does not convert the path style automatically. # msys on Windows does not convert the path style automatically.
@ -1604,7 +1604,7 @@ AT_CHECK([test $(get_memory_value atoms) -eq $db_atoms_before_conversion])
OVSDB_SERVER_SHUTDOWN OVSDB_SERVER_SHUTDOWN
AT_CLEANUP AT_CLEANUP
AT_BANNER([OVSDB -- ovsdb-server transactions (SSL IPv4 sockets)]) AT_BANNER([OVSDB -- ovsdb-server transactions (SSL/TLS IPv4 sockets)])
# OVSDB_CHECK_EXECUTION(TITLE, SCHEMA, TRANSACTIONS, OUTPUT, [KEYWORDS]) # OVSDB_CHECK_EXECUTION(TITLE, SCHEMA, TRANSACTIONS, OUTPUT, [KEYWORDS])
# #
@ -1622,7 +1622,7 @@ AT_BANNER([OVSDB -- ovsdb-server transactions (SSL IPv4 sockets)])
# TITLE is provided to AT_SETUP and KEYWORDS to AT_KEYWORDS. # TITLE is provided to AT_SETUP and KEYWORDS to AT_KEYWORDS.
m4_define([OVSDB_CHECK_EXECUTION], m4_define([OVSDB_CHECK_EXECUTION],
[AT_SETUP([$1]) [AT_SETUP([$1])
AT_KEYWORDS([ovsdb server positive ssl $5]) AT_KEYWORDS([ovsdb server positive ssl tls $5])
AT_SKIP_IF([test "$HAVE_OPENSSL" = no]) AT_SKIP_IF([test "$HAVE_OPENSSL" = no])
$2 > schema $2 > schema
PKIDIR=$abs_top_builddir/tests PKIDIR=$abs_top_builddir/tests
@ -1640,7 +1640,7 @@ cat stdout >> output
EXECUTION_EXAMPLES EXECUTION_EXAMPLES
AT_BANNER([OVSDB -- ovsdb-server transactions (SSL IPv6 sockets)]) AT_BANNER([OVSDB -- ovsdb-server transactions (SSL/TLS IPv6 sockets)])
# OVSDB_CHECK_EXECUTION(TITLE, SCHEMA, TRANSACTIONS, OUTPUT, [KEYWORDS]) # OVSDB_CHECK_EXECUTION(TITLE, SCHEMA, TRANSACTIONS, OUTPUT, [KEYWORDS])
# #
@ -1658,7 +1658,7 @@ AT_BANNER([OVSDB -- ovsdb-server transactions (SSL IPv6 sockets)])
# TITLE is provided to AT_SETUP and KEYWORDS to AT_KEYWORDS. # TITLE is provided to AT_SETUP and KEYWORDS to AT_KEYWORDS.
m4_define([OVSDB_CHECK_EXECUTION], m4_define([OVSDB_CHECK_EXECUTION],
[AT_SETUP([$1]) [AT_SETUP([$1])
AT_KEYWORDS([ovsdb server positive ssl6 $5]) AT_KEYWORDS([ovsdb server positive ssl6 ssl tls $5])
AT_SKIP_IF([test "$HAVE_OPENSSL" = no]) AT_SKIP_IF([test "$HAVE_OPENSSL" = no])
AT_SKIP_IF([test $HAVE_IPV6 = no]) AT_SKIP_IF([test $HAVE_IPV6 = no])
$2 > schema $2 > schema
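Review bot: adding "ssl tls" to the IPv6 execution macro's keywords (previously only "ssl6") means `-k ssl` now also selects the IPv6 SSL/TLS transaction tests, which are skipped on hosts without IPv6. That is consistent with the IPv4 macro above and probably what you want, but it changes what an existing keyword selects, so it deserves a sentence in the commit message.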

View File

@ -745,7 +745,7 @@ def do_idl(schema_file, remote, *commands):
if remote.startswith("ssl:"): if remote.startswith("ssl:"):
if len(commands) < 3: if len(commands) < 3:
sys.stderr.write("SSL connection requires private key, " sys.stderr.write("SSL/TLS connection requires private key, "
"certificate for private key, and peer CA " "certificate for private key, and peer CA "
"certificate as arguments\n") "certificate as arguments\n")
sys.exit(1) sys.exit(1)
@ -970,7 +970,7 @@ def do_idl_cluster(schema_file, remote, pid, *commands):
if remote.startswith("ssl:"): if remote.startswith("ssl:"):
if len(commands) < 3: if len(commands) < 3:
sys.stderr.write("SSL connection requires private key, " sys.stderr.write("SSL/TLS connection requires private key, "
"certificate for private key, and peer CA " "certificate for private key, and peer CA "
"certificate as arguments\n") "certificate as arguments\n")
sys.exit(1) sys.exit(1)

View File

@ -722,8 +722,8 @@ Non-OpenFlow packets are ignored. By default, data on TCP ports 6633
and 6653 are considered to be OpenFlow. Specify one or more and 6653 are considered to be OpenFlow. Specify one or more
\fIport\fR arguments to override the default. \fIport\fR arguments to override the default.
.IP .IP
This command cannot usefully print SSL encrypted traffic. It does not This command cannot usefully print SSL/TLS encrypted traffic. It does
understand IPv6. not understand IPv6.
. .
.SS "Flow Syntax" .SS "Flow Syntax"
.PP .PP

View File

@ -155,7 +155,7 @@ Prints a brief overview of the database contents.
. .
.IP "\fBemer\-reset\fR" .IP "\fBemer\-reset\fR"
Reset the configuration into a clean state. It deconfigures OpenFlow Reset the configuration into a clean state. It deconfigures OpenFlow
controllers, OVSDB servers, and SSL, and deletes port mirroring, controllers, OVSDB servers, and SSL/TLS, and deletes port mirroring,
\fBfail_mode\fR, NetFlow, sFlow, and IPFIX configuration. This \fBfail_mode\fR, NetFlow, sFlow, and IPFIX configuration. This
command also removes all \fBother\-config\fR keys from all database command also removes all \fBother\-config\fR keys from all database
records, except that \fBother\-config:hwaddr\fR is preserved if it is records, except that \fBother\-config:hwaddr\fR is preserved if it is
@ -479,13 +479,13 @@ Sets the configured manager target or targets.
Each \fItarget\fR may be an OVSDB active or passive connection method, Each \fItarget\fR may be an OVSDB active or passive connection method,
e.g. \fBpssl:6640\fR, as described in \fBovsdb\fR(7). e.g. \fBpssl:6640\fR, as described in \fBovsdb\fR(7).
. .
.SS "SSL Configuration" .SS "SSL/TLS Configuration"
When \fBovs\-vswitchd\fR is configured to connect over SSL for management or When \fBovs\-vswitchd\fR is configured to connect over SSL/TLS for management
controller connectivity, the following parameters are required: or controller connectivity, the following parameters are required:
.TP .TP
\fIprivate-key\fR \fIprivate-key\fR
Specifies a PEM file containing the private key used as the virtual Specifies a PEM file containing the private key used as the virtual
switch's identity for SSL connections to the controller. switch's identity for SSL/TLS connections to the controller.
.TP .TP
\fIcertificate\fR \fIcertificate\fR
Specifies a PEM file containing a certificate, signed by the Specifies a PEM file containing a certificate, signed by the
@ -500,37 +500,37 @@ the virtual switch is connected to a trustworthy controller.
These files are read only once, at \fBovs\-vswitchd\fR startup time. If These files are read only once, at \fBovs\-vswitchd\fR startup time. If
their contents change, \fBovs\-vswitchd\fR must be killed and restarted. their contents change, \fBovs\-vswitchd\fR must be killed and restarted.
.PP .PP
These SSL settings apply to all SSL connections made by the virtual These SSL/TLS settings apply to all SSL/TLS connections made by the virtual
switch. switch.
. .
.IP "\fBget\-ssl\fR" .IP "\fBget\-ssl\fR"
Prints the SSL configuration. Prints the SSL/TLS configuration.
. .
.IP "\fBdel\-ssl\fR" .IP "\fBdel\-ssl\fR"
Deletes the current SSL configuration. Deletes the current SSL/TLS configuration.
. .
.IP "[\fB\-\-bootstrap\fR] \fBset\-ssl\fR \fIprivate-key\fR \fIcertificate\fR \fIca-cert\fR" .IP "[\fB\-\-bootstrap\fR] \fBset\-ssl\fR \fIprivate-key\fR \fIcertificate\fR \fIca-cert\fR"
Sets the SSL configuration. The \fB\-\-bootstrap\fR option is described Sets the SSL/TLS configuration. The \fB\-\-bootstrap\fR option is described
below. below.
. .
.ST "CA Certificate Bootstrap" .ST "CA Certificate Bootstrap"
.PP .PP
Ordinarily, all of the files named in the SSL configuration must exist Ordinarily, all of the files named in the SSL/TLS configuration must exist
when \fBovs\-vswitchd\fR starts. However, if the \fIca-cert\fR file when \fBovs\-vswitchd\fR starts. However, if the \fIca-cert\fR file
does not exist and the \fB\-\-bootstrap\fR does not exist and the \fB\-\-bootstrap\fR
option is given, then \fBovs\-vswitchd\fR will attempt to obtain the option is given, then \fBovs\-vswitchd\fR will attempt to obtain the
CA certificate from the controller on its first SSL connection and CA certificate from the controller on its first SSL/TLS connection and
save it to the named PEM file. If it is successful, it will save it to the named PEM file. If it is successful, it will
immediately drop the connection and reconnect, and from then on all immediately drop the connection and reconnect, and from then on all
SSL connections must be authenticated by a certificate signed by the SSL/TLS connections must be authenticated by a certificate signed by the
CA certificate thus obtained. CA certificate thus obtained.
.PP .PP
\fBThis option exposes the SSL connection to a man-in-the-middle \fBThis option exposes the SSL/TLS connection to a man-in-the-middle
attack obtaining the initial CA certificate\fR, but it may be useful attack obtaining the initial CA certificate\fR, but it may be useful
for bootstrapping. for bootstrapping.
.PP .PP
This option is only useful if the controller sends its CA certificate This option is only useful if the controller sends its CA certificate
as part of the SSL certificate chain. The SSL protocol does not as part of the SSL/TLS certificate chain. SSL/TLS protocols do not
require the controller to send the CA certificate. require the controller to send the CA certificate.
. .
.SS "Auto-Attach Commands" .SS "Auto-Attach Commands"
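Review bot: the context lines "These files are read only once, at ovs-vswitchd startup time. If their contents change, ovs-vswitchd must be killed and restarted." conflict with the bridge.c comment later in this patch, which says SSL/TLS is re-configured on every trip through the main loop precisely because the key and certificate files can change without the database changing. One of the two is stale; since this hunk already rewords the surrounding paragraph, verify which behaviour is current and correct the man page here. The bootstrap paragraph is right to keep the man-in-the-middle warning in bold: the first connection trusts whatever CA certificate the peer presents, and every later connection is pinned to it.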

View File

@ -429,10 +429,10 @@ Manager commands:\n\
[--inactivity-probe=MSECS]\n\ [--inactivity-probe=MSECS]\n\
set-manager TARGET... set the list of managers to TARGET...\n\ set-manager TARGET... set the list of managers to TARGET...\n\
\n\ \n\
SSL commands:\n\ SSL/TLS commands:\n\
get-ssl print the SSL configuration\n\ get-ssl print the SSL/TLS configuration\n\
del-ssl delete the SSL configuration\n\ del-ssl delete the SSL/TLS configuration\n\
set-ssl PRIV-KEY CERT CA-CERT set the SSL configuration\n\ set-ssl PRIV-KEY CERT CA-CERT set the SSL/TLS configuration\n\
\n\ \n\
Auto Attach commands:\n\ Auto Attach commands:\n\
add-aa-mapping BRIDGE I-SID VLAN add Auto Attach mapping to BRIDGE\n\ add-aa-mapping BRIDGE I-SID VLAN add Auto Attach mapping to BRIDGE\n\
@ -3254,7 +3254,7 @@ static const struct ctl_command_syntax vsctl_commands[] = {
{"set-manager", 1, INT_MAX, "TARGET...", pre_manager, cmd_set_manager, {"set-manager", 1, INT_MAX, "TARGET...", pre_manager, cmd_set_manager,
NULL, "--inactivity-probe=", RW}, NULL, "--inactivity-probe=", RW},
/* SSL commands. */ /* SSL/TLS commands. */
{"get-ssl", 0, 0, "", pre_cmd_get_ssl, cmd_get_ssl, NULL, "", RO}, {"get-ssl", 0, 0, "", pre_cmd_get_ssl, cmd_get_ssl, NULL, "", RO},
{"del-ssl", 0, 0, "", pre_cmd_del_ssl, cmd_del_ssl, NULL, "", RW}, {"del-ssl", 0, 0, "", pre_cmd_del_ssl, cmd_del_ssl, NULL, "", RW},
{"set-ssl", 3, 3, "PRIVATE-KEY CERTIFICATE CA-CERT", pre_cmd_set_ssl, {"set-ssl", 3, 3, "PRIVATE-KEY CERTIFICATE CA-CERT", pre_cmd_set_ssl,

View File

@ -3417,12 +3417,13 @@ bridge_run(void)
bridge_run__(); bridge_run__();
/* Re-configure SSL. We do this on every trip through the main loop, /* Re-configure SSL/TLS. We do this on every trip through the main loop,
* instead of just when the database changes, because the contents of the * instead of just when the database changes, because the contents of the
* key and certificate files can change without the database changing. * key and certificate files can change without the database changing.
* *
* We do this before bridge_reconfigure() because that function might * We do this before bridge_reconfigure() because that function might
* initiate SSL connections and thus requires SSL to be configured. */ * initiate SSL/TLS connections and thus requires SSL/TLS to be configured.
*/
if (cfg && cfg->ssl) { if (cfg && cfg->ssl) {
const struct ovsrec_ssl *ssl = cfg->ssl; const struct ovsrec_ssl *ssl = cfg->ssl;

View File

@ -64,7 +64,7 @@
</column> </column>
<column name="ssl"> <column name="ssl">
SSL used globally by the daemon. SSL/TLS used globally by the daemon.
</column> </column>
<column name="external_ids" key="system-id"> <column name="external_ids" key="system-id">
@ -5487,14 +5487,14 @@ ovs-vsctl add-port br0 p0 -- set Interface p0 type=patch options:peer=p1 \
<dl> <dl>
<dt><code>ssl:<var>host</var></code>[<code>:<var>port</var></code>]</dt> <dt><code>ssl:<var>host</var></code>[<code>:<var>port</var></code>]</dt>
<dd> <dd>
<p>The specified SSL <var>port</var> on the host at the <p>The specified SSL/TLS <var>port</var> on the host at the
given <var>host</var>, which can either be a DNS name (if built given <var>host</var>, which can either be a DNS name (if built
with unbound library) or an IP address. The <ref table="Open_vSwitch" with unbound library) or an IP address. The <ref table="Open_vSwitch"
column="ssl"/> column in the <ref table="Open_vSwitch"/> table must column="ssl"/> column in the <ref table="Open_vSwitch"/> table must
point to a valid SSL configuration when this form is used.</p> point to a valid SSL/TLS configuration when this form is used.</p>
<p>If <var>port</var> is not specified, it defaults to 6653.</p> <p>If <var>port</var> is not specified, it defaults to 6653.</p>
<p>SSL support is an optional feature that is not always built as <p>SSL/TLS support is an optional feature that is not always built
part of Open vSwitch.</p> as part of Open vSwitch.</p>
</dd> </dd>
<dt><code>tcp:<var>host</var></code>[<code>:<var>port</var></code>]</dt> <dt><code>tcp:<var>host</var></code>[<code>:<var>port</var></code>]</dt>
<dd> <dd>
@ -5517,7 +5517,8 @@ ovs-vsctl add-port br0 p0 -- set Interface p0 type=patch options:peer=p1 \
<dt><code>pssl:</code>[<var>port</var>][<code>:<var>host</var></code>]</dt> <dt><code>pssl:</code>[<var>port</var>][<code>:<var>host</var></code>]</dt>
<dd> <dd>
<p> <p>
Listens for SSL connections on the specified TCP <var>port</var>. Listens for SSL/TLS connections on the specified TCP
<var>port</var>.
If <var>host</var>, which can either be a DNS name (if built with If <var>host</var>, which can either be a DNS name (if built with
unbound library) or an IP address, is specified, then connections unbound library) or an IP address, is specified, then connections
are restricted to the resolved or specified local IP address are restricted to the resolved or specified local IP address
@ -5530,14 +5531,14 @@ ovs-vsctl add-port br0 p0 -- set Interface p0 type=patch options:peer=p1 \
IPv4 (but not IPv6) addresses. The IPv4 (but not IPv6) addresses. The
<ref table="Open_vSwitch" column="ssl"/> <ref table="Open_vSwitch" column="ssl"/>
column in the <ref table="Open_vSwitch"/> table must point to a column in the <ref table="Open_vSwitch"/> table must point to a
valid SSL configuration when this form is used. valid SSL/TLS configuration when this form is used.
</p> </p>
<p> <p>
If <var>port</var> is not specified, it currently to 6653. If <var>port</var> is not specified, it currently to 6653.
</p> </p>
<p> <p>
SSL support is an optional feature that is not always built as SSL/TLS support is an optional feature that is not always built
part of Open vSwitch. as part of Open vSwitch.
</p> </p>
</dd> </dd>
<dt><code>ptcp:</code>[<var>port</var>][<code>:<var>host</var></code>]</dt> <dt><code>ptcp:</code>[<var>port</var>][<code>:<var>host</var></code>]</dt>
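Review bot: the context line "If port is not specified, it currently to 6653." is missing its verb and should read "it currently defaults to 6653" (compare the ssl: entry above, which says "defaults to 6653"). The hunk already touches this paragraph, so fold the fix in.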
@ -5907,18 +5908,18 @@ ovs-vsctl add-port br0 p0 -- set Interface p0 type=patch options:peer=p1 \
<dt><code>ssl:<var>host</var></code>[<code>:<var>port</var></code>]</dt> <dt><code>ssl:<var>host</var></code>[<code>:<var>port</var></code>]</dt>
<dd> <dd>
<p> <p>
The specified SSL <var>port</var> on the host at the given The specified SSL/TLS <var>port</var> on the host at the given
<var>host</var>, which can either be a DNS name (if built with <var>host</var>, which can either be a DNS name (if built with
unbound library) or an IP address. The <ref table="Open_vSwitch" unbound library) or an IP address. The <ref table="Open_vSwitch"
column="ssl"/> column in the <ref table="Open_vSwitch"/> column="ssl"/> column in the <ref table="Open_vSwitch"/>
table must point to a valid SSL configuration when this table must point to a valid SSL/TLS configuration when this
form is used. form is used.
</p> </p>
<p> <p>
If <var>port</var> is not specified, it defaults to 6640. If <var>port</var> is not specified, it defaults to 6640.
</p> </p>
<p> <p>
SSL support is an optional feature that is not always SSL/TLS support is an optional feature that is not always
built as part of Open vSwitch. built as part of Open vSwitch.
</p> </p>
</dd> </dd>
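Review bot: "The specified SSL/TLS <var>port</var> on the host at the given <var>host</var>" is redundant ("on the host at the given host"). The equivalent entry in the other file in this patch reads "The specified SSL/TLS <var>port</var> (default: 6640) on the given <var>host</var>", so consider "The specified SSL/TLS <var>port</var> on the given <var>host</var>" here for consistency.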
@ -5939,7 +5940,8 @@ ovs-vsctl add-port br0 p0 -- set Interface p0 type=patch options:peer=p1 \
<dt><code>pssl:</code>[<var>port</var>][<code>:<var>host</var></code>]</dt> <dt><code>pssl:</code>[<var>port</var>][<code>:<var>host</var></code>]</dt>
<dd> <dd>
<p> <p>
Listens for SSL connections on the specified TCP <var>port</var>. Listens for SSL/TLS connections on the specified TCP
<var>port</var>.
Specify 0 for <var>port</var> to have the kernel automatically Specify 0 for <var>port</var> to have the kernel automatically
choose an available port. If <var>host</var>, which can either choose an available port. If <var>host</var>, which can either
be a DNS name (if built with unbound library) or an IP address, be a DNS name (if built with unbound library) or an IP address,
@ -5949,15 +5951,15 @@ ovs-vsctl add-port br0 p0 -- set Interface p0 type=patch options:peer=p1 \
e.g. <code>pssl:6640:[::1]</code>. If <var>host</var> is not e.g. <code>pssl:6640:[::1]</code>. If <var>host</var> is not
specified then it listens only on IPv4 (but not IPv6) addresses. specified then it listens only on IPv4 (but not IPv6) addresses.
The <ref table="Open_vSwitch" column="ssl"/> column in the <ref The <ref table="Open_vSwitch" column="ssl"/> column in the <ref
table="Open_vSwitch"/> table must point to a valid SSL table="Open_vSwitch"/> table must point to a valid SSL/TLS
configuration when this form is used. configuration when this form is used.
</p> </p>
<p> <p>
If <var>port</var> is not specified, it defaults to 6640. If <var>port</var> is not specified, it defaults to 6640.
</p> </p>
<p> <p>
SSL support is an optional feature that is not always built as SSL/TLS support is an optional feature that is not always built
part of Open vSwitch. as part of Open vSwitch.
</p> </p>
</dd> </dd>
<dt><code>ptcp:</code>[<var>port</var>][<code>:<var>host</var></code>]</dt> <dt><code>ptcp:</code>[<var>port</var>][<code>:<var>host</var></code>]</dt>
@ -6736,11 +6738,11 @@ ovs-vsctl add-port br0 p0 -- set Interface p0 type=patch options:peer=p1 \
</table> </table>
<table name="SSL"> <table name="SSL">
SSL configuration for an Open_vSwitch. SSL/TLS configuration for an Open_vSwitch.
<column name="private_key"> <column name="private_key">
Name of a PEM file containing the private key used as the switch's Name of a PEM file containing the private key used as the switch's
identity for SSL connections to the controller. identity for SSL/TLS connections to the controller.
</column> </column>
<column name="certificate"> <column name="certificate">
@ -6757,12 +6759,12 @@ ovs-vsctl add-port br0 p0 -- set Interface p0 type=patch options:peer=p1 \
<column name="bootstrap_ca_cert"> <column name="bootstrap_ca_cert">
If set to <code>true</code>, then Open vSwitch will attempt to If set to <code>true</code>, then Open vSwitch will attempt to
obtain the CA certificate from the controller on its first SSL obtain the CA certificate from the controller on its first SSL/TLS
connection and save it to the named PEM file. If it is successful, connection and save it to the named PEM file. If it is successful,
it will immediately drop the connection and reconnect, and from then it will immediately drop the connection and reconnect, and from then
on all SSL connections must be authenticated by a certificate signed on all SSL/TLS connections must be authenticated by a certificate signed
by the CA certificate thus obtained. <em>This option exposes the by the CA certificate thus obtained. <em>This option exposes the
SSL connection to a man-in-the-middle attack obtaining the initial SSL/TLS connection to a man-in-the-middle attack obtaining the initial
CA certificate.</em> It may still be useful for bootstrapping. CA certificate.</em> It may still be useful for bootstrapping.
</column> </column>
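Review bot: the man-in-the-middle warning is the right thing to keep, but as reworded it still tells the user only that the first connection is unauthenticated, not what to do about it. Since the CA certificate saved to the named PEM file during that first exchange becomes the trust anchor for every later connection, a sentence recommending that the obtained certificate be verified out of band (for example by comparing its fingerprint with the one the controller's operator publishes) before the switch is left in production would make the caveat actionable rather than just alarming.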

View File

@ -119,12 +119,12 @@
<dt><code>ssl:<var>host</var></code>[<code>:<var>port</var></code>]</dt> <dt><code>ssl:<var>host</var></code>[<code>:<var>port</var></code>]</dt>
<dd> <dd>
<p> <p>
The specified SSL <var>port</var> (default: 6640) on the given The specified SSL/TLS <var>port</var> (default: 6640) on the
<var>host</var>, which can either be a DNS name (if built with given <var>host</var>, which can either be a DNS name (if built
unbound library) or an IP address. with unbound library) or an IP address.
</p> </p>
<p> <p>
SSL key and certificate configuration happens outside the SSL/TLS key and certificate configuration happens outside the
database. database.
</p> </p>
</dd> </dd>
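Review bot: "SSL/TLS key and certificate configuration happens outside the database." says where the configuration does not live but not where it does. A user who has just read the ssl: remote form needs the next step, so a pointer to the --private-key, --certificate and --ca-cert command-line options would make this entry actionable; as written it reads as a dead end.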
@ -138,11 +138,11 @@
<dt><code>pssl:</code>[<var>port</var>][<code>:<var>host</var></code>]</dt> <dt><code>pssl:</code>[<var>port</var>][<code>:<var>host</var></code>]</dt>
<dd> <dd>
<p> <p>
Listens for SSL connections on the specified TCP <var>port</var> Listens for SSL/TLS connections on the specified TCP
(default: 6640). If <var>host</var>, which can either be a DNS <var>port</var> (default: 6640). If <var>host</var>, which can
name (if built with unbound library) or an IP address, is either be a DNS name (if built with unbound library) or an IP
specified, then connections are restricted to the resolved or address, is specified, then connections are restricted to the
specified local IP address. resolved or specified local IP address.
</p> </p>
</dd> </dd>
<dt><code>ptcp:</code>[<var>port</var>][<code>:<var>host</var></code>]</dt> <dt><code>ptcp:</code>[<var>port</var>][<code>:<var>host</var></code>]</dt>