mir/ovs
2
0
Fork 0
mirror of https://github.com/openvswitch/ovs synced 2025-08-22 09:58:01 +00:00
Code Issues Releases Wiki Activity

treewide: Refer to SSL configuration as SSL/TLS.

Browse Source 
SSL protocol family is not actually being used or supported in OVS.
What we use is actually TLS.

Terms "SSL" and "TLS" are often used interchangeably in modern
software and refer to the same thing, which is normally just TLS.

Let's replace "SSL" with "SSL/TLS" in documentation and user-visible
messages, where it makes sense.  This may make it more clear what
is meant for a less experienced user that may look for TLS support
in OVS and not find much.

We're not changing any actual code, because, for example, most of
OpenSSL APIs are using just SSL, for historical reasons.  And our
database is using "SSL" table.  We may consider migrating to "TLS"
naming for user-visible configuration like command line arguments
and database names, but that will require extra work on making sure
upgrades can still work.  In general, a slightly more clear
documentation should be enough for now, especially since term SSL
is still widely used in the industry.

"SSL/TLS" is chosen over "TLS/SSL" simply because our user-visible
configuration knobs are using "SSL" naming, e.g. '--ssl-cyphers'
or 'ovs-vsctl set-ssl'.  So, it might be less confusing this way.
We may switch that, if we decide on re-working the user-visible
commands towards "TLS" naming, or providing both alternatives.

Some other projects did similar changes.  For example, the python ssl
library is now using "TLS/SSL" in the documentation whenever possible.
Same goes for OpenSSL itself.

Acked-by: Eelco Chaudron <echaudro@redhat.com>
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
This commit is contained in:
Ilya Maximets 2024-12-09 17:38:45 +01:00
parent 923a80d1d1
commit 49f299313d
33 changed files with 212 additions and 203 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

77
Documentation/howto/ssl.rst
View File

@ -21,18 +21,18 @@
Avoid deeper levels because they do not render well.
=====================
Open vSwitch with SSL
=====================
=========================
Open vSwitch with SSL/TLS
=========================
If you plan to configure Open vSwitch to connect across the network to an
OpenFlow controller, then we recommend that you build Open vSwitch with
OpenSSL. SSL support ensures integrity and confidentiality of the OpenFlow
OpenSSL. SSL/TLS support ensures integrity and confidentiality of the OpenFlow
connections, increasing network security.
This document describes how to configure an Open vSwitch to connect to an
OpenFlow controller over SSL. Refer to :doc:`/intro/install/general`. for
instructions on building Open vSwitch with SSL support.
OpenFlow controller over SSL/TLS. Refer to :doc:`/intro/install/general`. for
instructions on building Open vSwitch with SSL/TLS support.
Open vSwitch uses TLS version 1.2 or later (TLSv1.2), as specified by
RFC 5246. TLSv1.2 was released in August 2008, so all current software and
@ -41,16 +41,16 @@ hardware should implement it.
This document assumes basic familiarity with public-key cryptography and
public-key infrastructure.
SSL Concepts for OpenFlow
-------------------------
SSL/TLS Concepts for OpenFlow
-----------------------------
This section is an introduction to the public-key infrastructure architectures
that Open vSwitch supports for SSL authentication.
that Open vSwitch supports for SSL/TLS authentication.
To connect over SSL, every Open vSwitch must have a unique private/public key
pair and a certificate that signs that public key. Typically, the Open vSwitch
generates its own public/private key pair. There are two common ways to obtain
a certificate for a switch:
To connect over SSL/TLS, every Open vSwitch must have a unique private/public
key pair and a certificate that signs that public key. Typically, the
Open vSwitch generates its own public/private key pair. There are two common
ways to obtain a certificate for a switch:
* Self-signed certificates: The Open vSwitch signs its certificate with its own
private key. In this case, each switch must be individually approved by the
@ -149,9 +149,9 @@ created, because they could be used to impersonate the controller.
Switch Key Generation with Self-Signed Certificates
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
If you are using self-signed certificates (see "SSL Concepts for OpenFlow"),
this is one way to create an acceptable certificate for your controller to
approve.
If you are using self-signed certificates (see
`SSL/TLS Concepts for OpenFlow`_), this is one way to create an acceptable
certificate for your controller to approve.
1. Run the following command on the Open vSwitch itself::
@ -178,15 +178,15 @@ approve.
have to use CA certificate bootstrapping when you configure Open vSwitch in
the next step.)
3. Configure Open vSwitch to use the keys and certificates (see "Configuring
SSL Support", below).
3. Configure Open vSwitch to use the keys and certificates (see
`Configuring SSL/TLS Support`_, below).
Switch Key Generation with a Switch PKI (Easy Method)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
If you are using a switch PKI (see "SSL Concepts for OpenFlow", above), this
method of switch key generation is a little easier than the alternate method
described below, but it is also a little less secure because it requires
If you are using a switch PKI (see `SSL/TLS Concepts for OpenFlow`_, above),
this method of switch key generation is a little easier than the alternate
method described below, but it is also a little less secure because it requires
copying a sensitive private key from file from the machine hosting the PKI to
the switch.
@ -215,15 +215,15 @@ the switch.
Don't delete controllerca/cacert.pem! It is not security-sensitive and
you will need it to configure additional switches.
4. Configure Open vSwitch to use the keys and certificates (see "Configuring
SSL Support", below).
4. Configure Open vSwitch to use the keys and certificates (see
`Configuring SSL/TLS Support`_, below).
Switch Key Generation with a Switch PKI (More Secure)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
If you are using a switch PKI (see "SSL Concepts for OpenFlow", above), then,
compared to the previous method, the method described here takes a little more
work, but it does not involve copying the private key from one machine to
If you are using a switch PKI (see `SSL/TLS Concepts for OpenFlow`_, above),
then, compared to the previous method, the method described here takes a little
more work, but it does not involve copying the private key from one machine to
another, so it may also be a little more secure.
1. Run the following command on the Open vSwitch itself::
@ -274,15 +274,15 @@ another, so it may also be a little more secure.
Don't delete `controllerca/cacert.pem`! It is not security-sensitive and
you will need it to configure additional switches.
5. Configure Open vSwitch to use the keys and certificates (see "Configuring
SSL Support", below).
5. Configure Open vSwitch to use the keys and certificates (see
`Configuring SSL/TLS Support`_, below).
Configuring SSL Support
-----------------------
Configuring SSL/TLS Support
---------------------------
SSL configuration requires three additional configuration files. The first two
of these are unique to each Open vSwitch. If you used the instructions above
to build your PKI, then these files will be named `sc-privkey.pem` and
SSL/TLS configuration requires three additional configuration files. The first
two of these are unique to each Open vSwitch. If you used the instructions
above to build your PKI, then these files will be named `sc-privkey.pem` and
`sc-cert.pem`, respectively:
- A private key file, which contains the private half of an RSA or DSA key.
@ -320,17 +320,18 @@ above. You should use absolute file names (ones that begin with ``/``),
because ovs-vswitchd's current directory is unrelated to the one from which you
run ovs-vsctl.
If you are using self-signed certificates (see "SSL Concepts for OpenFlow") and
you did not copy controllerca/cacert.pem from the PKI machine to the Open
vSwitch, then add the ``--bootstrap`` option, e.g.::
If you are using self-signed certificates (see
`SSL/TLS Concepts for OpenFlow`_) and you did not copy controllerca/cacert.pem
from the PKI machine to the Open vSwitch, then add the ``--bootstrap`` option,
e.g.::
$ ovs-vsctl -- --bootstrap set-ssl /etc/openvswitch/sc-privkey.pem \
/etc/openvswitch/sc-cert.pem /etc/openvswitch/cacert.pem
After you have added all of these configuration keys, you may specify ``ssl:``
connection methods elsewhere in the configuration database. ``tcp:`` connection
methods are still allowed even after SSL has been configured, so for security
you should use only ``ssl:`` connections.
methods are still allowed even after SSL/TLS has been configured, so for
security you should use only ``ssl:`` connections.
Reporting Bugs
--------------

6
Documentation/intro/install/general.rst
View File

@ -429,7 +429,7 @@ database that it can use::
Configure ovsdb-server to use database created above, to listen on a Unix
domain socket, to connect to any managers specified in the database itself, and
to use the SSL configuration in the database::
to use the SSL/TLS configuration in the database::
$ mkdir -p /usr/local/var/run/openvswitch
$ ovsdb-server --remote=punix:/usr/local/var/run/openvswitch/db.sock \
@ -440,8 +440,8 @@ to use the SSL configuration in the database::
--pidfile --detach --log-file
.. note::
If you built Open vSwitch without SSL support, then omit ``--private-key``,
``--certificate``, and ``--bootstrap-ca-cert``.)
If you built Open vSwitch without SSL/TLS support, then omit
``--private-key``, ``--certificate``, and ``--bootstrap-ca-cert``.)
Initialize the database using ovs-vsctl. This is only necessary the first time
after you create the database with ovsdb-tool, though running it at any time is

8
Documentation/ref/ovsdb.7.rst
View File

@ -665,7 +665,7 @@ the opposite arrangement as well.
OVSDB supports the following active connection methods:
ssl:<host>:<port>
The specified SSL or TLS <port> on the given <host>.
The specified SSL/TLS <port> on the given <host>.
tcp:<host>:<port>
The specified TCP <port> on the given <host>.
@ -692,7 +692,7 @@ unix:<file>
OVSDB supports the following passive connection methods:
pssl:<port>[:<ip>]
Listen on the given TCP <port> for SSL or TLS connections. By default,
Listen on the given TCP <port> for SSL/TLS connections. By default,
connections are not bound to a particular local IP address. Specifying
<ip> limits connections to those from the given IP.
@ -725,8 +725,8 @@ versions, we encourage users to specify a port number.
The ``ssl`` and ``pssl`` connection methods requires additional configuration
through ``--private-key``, ``--certificate``, and ``--ca-cert`` command line
options. Open vSwitch can be built without SSL support, in which case these
connection methods are not supported.
options. Open vSwitch can be built without SSL/TLS support, in which case
these connection methods are not supported.
Database Life Cycle
===================

8
debian/openvswitch-testcontroller.default vendored
View File

@ -4,7 +4,7 @@
#
# This is a space-delimited list of connection methods:
#
# * "pssl:[PORT]": Listen for SSL connections on the specified PORT
# * "pssl:[PORT]": Listen for SSL/TLS connections on the specified PORT
# (default: 6653). The private key, certificate, and CA certificate
# must be specified below.
#
@ -14,15 +14,15 @@
LISTEN="pssl:"
# PRIVKEY: Name of file containing controller's private key.
# Required if SSL enabled.
# Required if SSL/TLS enabled.
PRIVKEY=/etc/openvswitch-testcontroller/privkey.pem
# CERT: Name of file containing certificate for private key.
# Required if SSL enabled.
# Required if SSL/TLS enabled.
CERT=/etc/openvswitch-testcontroller/cert.pem
# CACERT: Name of file containing switch CA certificate.
# Required if SSL enabled.
# Required if SSL/TLS enabled.
CACERT=/etc/openvswitch-testcontroller/cacert.pem
# Additional options to pass to ovs-testcontroller, e.g. "--hub"

2
lib/reconnect.c
View File

@ -607,7 +607,7 @@ reconnect_deadline__(const struct reconnect *fsm, long long int now)
* connections that quickly abort, so it is OK to call
* reconnect_connected() after a low-level successful connection
* (e.g. connect()) even if the connection might soon abort due to a
* failure at a high-level (e.g. SSL negotiation failure).
* failure at a high-level (e.g. SSL/TLS negotiation failure).
*
* - Passive client, RECONNECT_CONNECT: The client should try to listen for
* a connection, if it is not already listening. It should call

14
lib/ssl-bootstrap.man
View File

@ -2,19 +2,19 @@
When \fIcacert.pem\fR exists, this option has the same effect as
\fB\-C\fR or \fB\-\-ca\-cert\fR. If it does not exist, then
\fB\*(PN\fR will attempt to obtain the CA certificate from the
SSL peer on its first SSL connection and save it to the named PEM
file. If it is successful, it will immediately drop the connection
and reconnect, and from then on all SSL connections must be
SSL/TLS peer on its first SSL/TLS connection and save it to the named
PEM file. If it is successful, it will immediately drop the connection
and reconnect, and from then on all SSL/TLS connections must be
authenticated by a certificate signed by the CA certificate thus
obtained.
.IP
\fBThis option exposes the SSL connection to a man-in-the-middle
\fBThis option exposes the SSL/TLS connection to a man-in-the-middle
attack obtaining the initial CA certificate\fR, but it may be useful
for bootstrapping.
.IP
This option is only useful if the SSL peer sends its CA certificate as
part of the SSL certificate chain. The SSL protocol does not require
the server to send the CA certificate.
This option is only useful if the SSL/TLS peer sends its CA certificate
as part of the SSL/TLS certificate chain. SSL/TLS protocols do not
require the server to send the CA certificate.
.IP
This option is mutually exclusive with \fB\-C\fR and
\fB\-\-ca\-cert\fR.

14
lib/ssl-bootstrap.xml
View File

@ -6,21 +6,21 @@
When <var>cacert.pem</var> exists, this option has the same effect
as <code>-C</code> or <code>--ca-cert</code>. If it does not exist,
then the executable will attempt to obtain the CA certificate from the
SSL peer on its first SSL connection and save it to the named PEM
file. If it is successful, it will immediately drop the connection
and reconnect, and from then on all SSL connections must be
SSL/TLS peer on its first SSL/TLS connection and save it to the named
PEM file. If it is successful, it will immediately drop the connection
and reconnect, and from then on all SSL/TLS connections must be
authenticated by a certificate signed by the CA certificate thus
obtained.
</p>
<p>
This option exposes the SSL connection to a man-in-the-middle
This option exposes the SSL/TLS connection to a man-in-the-middle
attack obtaining the initial CA certificate, but it may be useful
for bootstrapping.
</p>
<p>
This option is only useful if the SSL peer sends its CA certificate as
part of the SSL certificate chain. The SSL protocol does not require
the server to send the CA certificate.
This option is only useful if the SSL/TLS peer sends its CA certificate
as part of the SSL/TLS certificate chain. SSL/TLS protocols do not
require the server to send the CA certificate.
</p>
<p>
This option is mutually exclusive with <code>-C</code> and

2
lib/ssl-connect-syn.man
View File

@ -1,4 +1,4 @@
.IP "SSL connection options:"
.IP "SSL/TLS connection options:"
[\fB\-\-ssl\-protocols=\fIprotocols\fR]
.br
[\fB\-\-ssl\-ciphers=\fIciphers\fR]

6
lib/ssl-connect.man
View File

@ -1,6 +1,6 @@
.IP "\fB\-\-ssl\-protocols=\fIprotocols\fR"
Specifies, in a comma- or space-delimited list, the SSL protocols
\fB\*(PN\fR will enable for SSL connections. Supported
Specifies, in a comma- or space-delimited list, the SSL/TLS protocols
\fB\*(PN\fR will enable for SSL/TLS connections. Supported
\fIprotocols\fR include \fBTLSv1\fR (deprecated), \fBTLSv1.1\fR (deprecated),
and \fBTLSv1.2\fR.
Regardless of order, the highest protocol supported by both sides will
@ -9,5 +9,5 @@ omitted is \fBTLSv1.2\fR or later.
.
.IP "\fB\-\-ssl\-ciphers=\fIciphers\fR"
Specifies, in OpenSSL cipher string format, the ciphers \fB\*(PN\fR will
support for SSL connections. The default when this option is omitted is
support for SSL/TLS connections. The default when this option is omitted is
\fBHIGH:!aNULL:!MD5\fR.

6
lib/ssl-peer-ca-cert.man
View File

@ -1,13 +1,13 @@
.IP "\fB\-\-peer\-ca\-cert=\fIpeer-cacert.pem\fR"
Specifies a PEM file that contains one or more additional certificates
to send to SSL peers. \fIpeer-cacert.pem\fR should be the CA
to send to SSL/TLS peers. \fIpeer-cacert.pem\fR should be the CA
certificate used to sign \fB\*(PN\fR's own certificate, that is, the
certificate specified on \fB\-c\fR or \fB\-\-certificate\fR. If
\fB\*(PN\fR's certificate is self-signed, then \fB\-\-certificate\fR
and \fB\-\-peer\-ca\-cert\fR should specify the same file.
.IP
This option is not useful in normal operation, because the SSL peer
This option is not useful in normal operation, because the SSL/TLS peer
must already have the CA certificate for the peer to have any
confidence in \fB\*(PN\fR's identity. However, this offers a way for
a new installation to bootstrap the CA certificate on its first SSL
a new installation to bootstrap the CA certificate on its first SSL/TLS
connection.

6
lib/ssl-peer-ca-cert.xml
View File

@ -4,7 +4,7 @@
<dd>
<p>
Specifies a PEM file that contains one or more additional certificates
to send to SSL peers. <var>peer-cacert.pem</var> should be the CA
to send to SSL/TLS peers. <var>peer-cacert.pem</var> should be the CA
certificate used to sign the program's own certificate, that is, the
certificate specified on <code>-c</code> or <code>--certificate</code>.
If the program's certificate is self-signed, then
@ -12,10 +12,10 @@
the same file.
</p>
<p>
This option is not useful in normal operation, because the SSL peer
This option is not useful in normal operation, because the SSL/TLS peer
must already have the CA certificate for the peer to have any
confidence in the program's identity. However, this offers a way for
a new installation to bootstrap the CA certificate on its first SSL
a new installation to bootstrap the CA certificate on its first SSL/TLS
connection.
</p>
</dd>

11
lib/ssl.man
View File

@ -1,25 +1,26 @@
.IP "\fB\-p\fR \fIprivkey.pem\fR"
.IQ "\fB\-\-private\-key=\fIprivkey.pem\fR"
Specifies a PEM file containing the private key used as \fB\*(PN\fR's
identity for outgoing SSL connections.
identity for outgoing SSL/TLS connections.
.
.IP "\fB\-c\fR \fIcert.pem\fR"
.IQ "\fB\-\-certificate=\fIcert.pem\fR"
Specifies a PEM file containing a certificate that certifies the
private key specified on \fB\-p\fR or \fB\-\-private\-key\fR to be
trustworthy. The certificate must be signed by the certificate
authority (CA) that the peer in SSL connections will use to verify it.
authority (CA) that the peer in SSL/TLS connections will use to
verify it.
.
.IP "\fB\-C\fR \fIcacert.pem\fR"
.IQ "\fB\-\-ca\-cert=\fIcacert.pem\fR"
Specifies a PEM file containing the CA certificate that \fB\*(PN\fR
should use to verify certificates presented to it by SSL peers. (This
may be the same certificate that SSL peers use to verify the
should use to verify certificates presented to it by SSL/TLS peers.
(This may be the same certificate that SSL/TLS peers use to verify the
certificate specified on \fB\-c\fR or \fB\-\-certificate\fR, or it may
be a different one, depending on the PKI design in use.)
.
.IP "\fB\-C none\fR"
.IQ "\fB\-\-ca\-cert=none\fR"
Disables verification of certificates presented by SSL peers. This
Disables verification of certificates presented by SSL/TLS peers. This
introduces a security risk, because it means that certificates cannot
be verified to be those of known trusted hosts.

10
lib/ssl.xml
View File

@ -4,7 +4,7 @@
<dt><code>--private-key=</code><var>privkey.pem</var></dt>
<dd>
Specifies a PEM file containing the private key used as
identity for outgoing SSL connections.
identity for outgoing SSL/TLS connections.
</dd>
<dt><code>-c</code> <var>cert.pem</var></dt>
@ -13,15 +13,15 @@
Specifies a PEM file containing a certificate that certifies the
private key specified on <code>-p</code> or <code>--private-key</code> to be
trustworthy. The certificate must be signed by the certificate
authority (CA) that the peer in SSL connections will use to verify it.
authority (CA) that the peer in SSL/TLS connections will use to verify it.
</dd>
<dt><code>-C</code> <var>cacert.pem</var></dt>
<dt><code>--ca-cert=</code><var>cacert.pem</var></dt>
<dd>
Specifies a PEM file containing the CA certificate for
verifying certificates presented to this program by SSL peers. (This
may be the same certificate that SSL peers use to verify the
verifying certificates presented to this program by SSL/TLS peers. (This
may be the same certificate that SSL/TLS peers use to verify the
certificate specified on <code>-c</code> or <code>--certificate</code>, or it may
be a different one, depending on the PKI design in use.)
</dd>
@ -29,7 +29,7 @@
<dt><code>-C none</code></dt>
<dt><code>--ca-cert=none</code></dt>
<dd>
Disables verification of certificates presented by SSL peers. This
Disables verification of certificates presented by SSL/TLS peers. This
introduces a security risk, because it means that certificates cannot
be verified to be those of known trusted hosts.
</dd>

13
lib/stream-nossl.c
View File

@ -31,8 +31,9 @@ stream_ssl_is_configured(void)
OVS_NO_RETURN static void
nossl_option(const char *detail)
{
VLOG_FATAL("%s specified but Open vSwitch was built without SSL support",
detail);
VLOG_FATAL(
"%s specified but Open vSwitch was built without SSL/TLS support",
detail);
}
void
@ -78,13 +79,13 @@ stream_ssl_set_key_and_cert(const char *private_key_file,
void
stream_ssl_set_protocols(const char *arg OVS_UNUSED)
{
/* Ignore this option since it seems harmless to set SSL protocols if SSL
* won't be used. */
/* Ignore this option since it seems harmless to set SSL/TLS protocols if
* SSL/TLS won't be used. */
}
void
stream_ssl_set_ciphers(const char *arg OVS_UNUSED)
{
/* Ignore this option since it seems harmless to set SSL ciphers if SSL
* won't be used. */
/* Ignore this option since it seems harmless to set SSL/TLS ciphers if
* SSL/TLS won't be used. */
}

36
lib/stream-ssl.c
View File

@ -64,7 +64,7 @@
VLOG_DEFINE_THIS_MODULE(stream_ssl);
/* Active SSL. */
/* Active SSL/TLS. */
enum ssl_state {
STATE_TCP_CONNECTING,
@ -567,7 +567,8 @@ ssl_connect(struct stream *stream)
* certificate, but that's more trouble than it's worth. These
* connections will succeed the next time they retry, assuming that
* they have a certificate against the correct CA.) */
VLOG_INFO("rejecting SSL connection during bootstrap race window");
VLOG_INFO(
"rejecting SSL/TLS connection during bootstrap race window");
return EPROTO;
} else {
#if OPENSSL_SUPPORTS_SNI
@ -671,7 +672,7 @@ interpret_ssl_error(const char *function, int ret, int error,
function, ovs_strerror(status));
return status;
} else {
VLOG_WARN_RL(&rl, "%s: unexpected SSL connection close",
VLOG_WARN_RL(&rl, "%s: unexpected SSL/TLS connection close",
function);
return EPROTO;
}
@ -873,7 +874,7 @@ const struct stream_class ssl_stream_class = {
ssl_wait, /* wait */
};
/* Passive SSL. */
/* Passive SSL/TLS. */
struct pssl_pstream
{
@ -1056,8 +1057,8 @@ do_ssl_init(void)
/* OpenSSL has a bunch of "connection methods": SSLv2_method(),
* SSLv3_method(), TLSv1_method(), SSLv23_method(), ... Most of these
* support exactly one version of SSL, e.g. TLSv1_method() supports TLSv1
* only, not any earlier *or later* version. The only exception is
* support exactly one version of SSL/TLS, e.g. TLSv1_method() supports
* TLSv1 only, not any earlier *or later* version. The only exception is
* SSLv23_method(), which in fact supports *any* version of SSL and TLS.
* We don't want SSLv2 or SSLv3 support, so we turn it off below with
* SSL_CTX_set_options().
@ -1132,7 +1133,7 @@ tmp_dh_callback(SSL *ssl OVS_UNUSED, int is_export OVS_UNUSED, int keylength)
}
#endif
/* Returns true if SSL is at least partially configured. */
/* Returns true if SSL/TLS is at least partially configured. */
bool
stream_ssl_is_configured(void)
{
@ -1243,7 +1244,7 @@ stream_ssl_set_key_and_cert(const char *private_key_file,
}
}
/* Sets SSL ciphers based on string input. Aborts with an error message
/* Sets SSL/TLS ciphers based on string input. Aborts with an error message
* if 'arg' is invalid. */
void
stream_ssl_set_ciphers(const char *arg)
@ -1258,8 +1259,8 @@ stream_ssl_set_ciphers(const char *arg)
ssl_ciphers = xstrdup(arg);
}
/* Set SSL protocols based on the string input. Aborts with an error message
* if 'arg' is invalid. */
/* Set SSL/TLS protocols based on the string input. Aborts with an error
* message if 'arg' is invalid. */
void
stream_ssl_set_protocols(const char *arg)
{
@ -1289,7 +1290,7 @@ stream_ssl_set_protocols(const char *arg)
char *save_ptr = NULL;
char *word = strtok_r(s, " ,\t", &save_ptr);
if (word == NULL) {
VLOG_ERR("SSL protocol settings invalid");
VLOG_ERR("SSL/TLS protocol settings invalid");
goto exit;
}
while (word != NULL) {
@ -1306,7 +1307,7 @@ stream_ssl_set_protocols(const char *arg)
}
if (!no_flag) {
VLOG_ERR("%s: SSL protocol not recognized", word);
VLOG_ERR("%s: SSL/TLS protocol not recognized", word);
goto exit;
}
@ -1484,17 +1485,18 @@ stream_ssl_set_ca_cert_file__(const char *file_name,
}
/* Sets 'file_name' as the name of the file from which to read the CA
* certificate used to verify the peer within SSL connections. If 'bootstrap'
* is false, the file must exist. If 'bootstrap' is false, then the file is
* read if it is exists; if it does not, then it will be created from the CA
* certificate received from the peer on the first SSL connection. */
* certificate used to verify the peer within SSL/TLS connections. If
* 'bootstrap' is false, the file must exist. If 'bootstrap' is false, then
* the file is read if it is exists; if it does not, then it will be created
* from the CA certificate received from the peer on the first SSL/TLS
* connection. */
void
stream_ssl_set_ca_cert_file(const char *file_name, bool bootstrap)
{
stream_ssl_set_ca_cert_file__(file_name, bootstrap, false);
}
/* SSL protocol logging. */
/* SSL/TLS protocol logging. */
static const char *
ssl_alert_level_to_string(uint8_t type)

14
lib/stream.c
View File

@ -131,7 +131,7 @@ stream_usage(const char *name, bool active, bool passive,
"PORT at remote HOST\n");
#ifdef HAVE_OPENSSL
printf(" ssl:HOST:PORT "
"SSL PORT at remote HOST\n");
"SSL/TLS PORT at remote HOST\n");
#endif
printf(" unix:FILE "
"Unix domain socket named FILE\n");
@ -143,14 +143,14 @@ stream_usage(const char *name, bool active, bool passive,
"listen to TCP PORT on IP\n");
#ifdef HAVE_OPENSSL
printf(" pssl:PORT[:IP] "
"listen for SSL on PORT on IP\n");
"listen for SSL/TLS on PORT on IP\n");
#endif
printf(" punix:FILE "
"listen on Unix domain socket FILE\n");
}
#ifdef HAVE_OPENSSL
printf("PKI configuration (required to use SSL):\n"
printf("PKI configuration (required to use SSL/TLS):\n"
" -p, --private-key=FILE file with private key\n"
" -c, --certificate=FILE file with certificate for private key\n"
" -C, --ca-cert=FILE file with peer CA certificate\n");
@ -158,9 +158,9 @@ stream_usage(const char *name, bool active, bool passive,
printf(" --bootstrap-ca-cert=FILE file with peer CA certificate "
"to read or create\n");
}
printf("SSL options:\n"
" --ssl-protocols=PROTOS list of SSL protocols to enable\n"
" --ssl-ciphers=CIPHERS list of SSL ciphers to enable\n");
printf("SSL/TLS options:\n"
" --ssl-protocols=PROTOS list of SSL/TLS protocols to enable\n"
" --ssl-ciphers=CIPHERS list of SSL/TLS ciphers to enable\n");
#endif
}
@ -827,7 +827,7 @@ stream_content_type_to_string(enum stream_content_type type)
return "OpenFlow";
case STREAM_SSL:
return "SSL";
return "SSL/TLS";
}
}

6
lib/vconn.c
View File

@ -143,7 +143,7 @@ vconn_usage(bool active, bool passive, bool bootstrap OVS_UNUSED)
"PORT (default: %d) at remote HOST\n", OFP_PORT);
#ifdef HAVE_OPENSSL
printf(" ssl:HOST[:PORT] "
"SSL PORT (default: %d) at remote HOST\n", OFP_PORT);
"SSL/TLS PORT (default: %d) at remote HOST\n", OFP_PORT);
#endif
printf(" unix:FILE Unix domain socket named FILE\n");
}
@ -155,7 +155,7 @@ vconn_usage(bool active, bool passive, bool bootstrap OVS_UNUSED)
OFP_PORT);
#ifdef HAVE_OPENSSL
printf(" pssl:[PORT][:IP] "
"listen for SSL on PORT (default: %d) on IP\n",
"listen for SSL/TLS on PORT (default: %d) on IP\n",
OFP_PORT);
#endif
printf(" punix:FILE "
@ -163,7 +163,7 @@ vconn_usage(bool active, bool passive, bool bootstrap OVS_UNUSED)
}
#ifdef HAVE_OPENSSL
printf("PKI configuration (required to use SSL):\n"
printf("PKI configuration (required to use SSL/TLS):\n"
" -p, --private-key=FILE file with private key\n"
" -c, --certificate=FILE file with certificate for private key\n"
" -C, --ca-cert=FILE file with peer CA certificate\n");

4
m4/openvswitch.m4
View File

@ -280,10 +280,10 @@ AC_DEFUN([OVS_CHECK_OPENSSL],
$SSL_PKG_ERRORS
OpenFlow connections over SSL will not be supported.
OpenFlow connections over SSL/TLS will not be supported.
(You may use --disable-ssl to suppress this warning.)])
else
AC_MSG_ERROR([Cannot find openssl (use --disable-ssl to configure without SSL support)])
AC_MSG_ERROR([Cannot find openssl (use --disable-ssl to configure without SSL/TLS support)])
fi])
else
HAVE_OPENSSL=no

19
ovsdb/local-config.xml
View File

@ -51,18 +51,18 @@
</dt>
<dd>
<p>
The specified SSL <var>port</var> on the host at the given
The specified SSL/TLS <var>port</var> on the host at the given
<var>host</var>, which can either be a DNS name (if built with
unbound library) or an IP address. A valid SSL configuration must
be provided when this form is used, this configuration can be
specified via command-line options or the <ref table="SSL"/>
unbound library) or an IP address. A valid SSL/TLS configuration
must be provided when this form is used, this configuration can
be specified via command-line options or the <ref table="SSL"/>
table.
</p>
<p>
If <var>port</var> is not specified, it defaults to 6640.
</p>
<p>
SSL support is an optional feature that is not always
SSL/TLS support is an optional feature that is not always
built as part of Open vSwitch.
</p>
</dd>
@ -87,7 +87,8 @@
</dt>
<dd>
<p>
Listens for SSL connections on the specified TCP <var>port</var>.
Listens for SSL/TLS connections on the specified TCP
<var>port</var>.
Specify 0 for <var>port</var> to have the kernel automatically
choose an available port. If <var>host</var>, which can either
be a DNS name (if built with unbound library) or an IP address,
@ -96,7 +97,7 @@
<var>host</var> is an IPv6 address, wrap in square brackets,
e.g. <code>pssl:6640:[::1]</code>. If <var>host</var> is not
specified then it listens only on IPv4 (but not IPv6) addresses.
A valid SSL configuration must be provided when this form is
A valid SSL/TLS configuration must be provided when this form is
used, this can be specified either via command-line options or
the <ref table="SSL"/> table.
</p>
@ -104,8 +105,8 @@
If <var>port</var> is not specified, it defaults to 6640.
</p>
<p>
SSL support is an optional feature that is not always built as
part of Open vSwitch.
SSL/TLS support is an optional feature that is not always built
as part of Open vSwitch.
</p>
</dd>
<dt>

2
ovsdb/ovsdb-client.1.in
View File

@ -368,7 +368,7 @@ effect.
.SS "Public Key Infrastructure Options"
.so lib/ssl.man
.so lib/ssl-bootstrap.man
.SS "SSL Connection Options"
.SS "SSL/TLS Connection Options"
.so lib/ssl-connect.man
.SS "Other Options"
.so lib/ovs-replay.man

4
ovsdb/ovsdb-server.c
View File

@ -67,7 +67,7 @@
VLOG_DEFINE_THIS_MODULE(ovsdb_server);
/* SSL configuration. */
/* SSL/TLS configuration. */
static char *private_key_file;
static char *certificate_file;
static char *ca_cert_file;
@ -692,7 +692,7 @@ reconfigure_ovsdb_server(struct server_config *server_config)
} else {
error = reconfigure_ssl(server_config->all_dbs);
if (error) {
VLOG_WARN("failed to configure SSL: %s", error);
VLOG_WARN("failed to configure SSL/TLS: %s", error);
res = false;
}
}

2
python/ovs/reconnect.py
View File

@ -537,7 +537,7 @@ class Reconnect(object):
connections that quickly abort, so it is OK to call
self.connected() after a low-level successful connection
(e.g. connect()) even if the connection might soon abort due to a
failure at a high-level (e.g. SSL negotiation failure).
failure at a high-level (e.g. SSL/TLS negotiation failure).
- Passive client, ovs.reconnect.CONNECT: The client should try to
listen for a connection, if it is not already listening. It

8
python/ovs/stream.py
View File

@ -728,7 +728,7 @@ def usage(name):
Active %s connection methods:
unix:FILE Unix domain socket named FILE
tcp:HOST:PORT TCP socket to HOST with port no of PORT
ssl:HOST:PORT SSL socket to HOST with port no of PORT
ssl:HOST:PORT SSL/TLS socket to HOST with port no of PORT
Passive %s connection methods:
punix:FILE Listen on Unix domain socket FILE""" % (name, name)
@ -797,7 +797,7 @@ class SSLStream(Stream):
ctx.options |= ssl.OP_NO_SSLv3
ctx.options |= ssl.OP_NO_TLSv1
ctx.options |= ssl.OP_NO_TLSv1_1
# If the client has not set the SSL configuration files
# If the client has not set the SSL/TLS configuration files
# exception would be raised.
ctx.load_verify_locations(Stream._SSL_ca_cert_file)
ctx.load_cert_chain(Stream._SSL_certificate_file,
@ -821,7 +821,7 @@ class SSLStream(Stream):
if retval:
return retval
# TCP Connection is successful. Now do the SSL handshake
# TCP Connection is successful. Now do the SSL/TLS handshake.
try:
self.socket.do_handshake()
except ssl.SSLWantReadError:
@ -864,5 +864,5 @@ class SSLStream(Stream):
if ssl:
# Register SSL only if the OpenSSL module is available
# Register SSL/TLS only if the OpenSSL module is available.
Stream.register_method("ssl", SSLStream)

2
tests/ofproto-macros.at
View File

@ -46,7 +46,7 @@ s/unix#[0-9]*:/unix:/
# PARSE_LISTENING_PORT LOGFILE VARIABLE
#
# Parses the TCP or SSL port on which a server is listening from
# Parses the TCP or SSL/TLS port on which a server is listening from
# LOGFILE, given that the server was told to listen on a kernel-chosen
# port, and assigns the port number to shell VARIABLE. You should
# specify the listening remote as ptcp:0:127.0.0.1 or

10
tests/ovsdb-idl.at
View File

@ -256,14 +256,14 @@ m4_define([OVSDB_CHECK_IDL_TCP6_MULTIPLE_REMOTES_PY],
OVSDB_SERVER_SHUTDOWN
AT_CLEANUP])
# same as OVSDB_CHECK_IDL but uses the Python IDL implementation with SSL
# same as OVSDB_CHECK_IDL but uses the Python IDL implementation with SSL/TLS
m4_define([OVSDB_CHECK_IDL_SSL_PY],
[AT_SETUP([ovsdb-idl - $1 - Python3 - SSL])
[AT_SETUP([ovsdb-idl - $1 - Python3 - SSL/TLS])
AT_SKIP_IF([test "$HAVE_OPENSSL" = no])
$PYTHON3 -c "import ssl"
SSL_PRESENT=$?
AT_SKIP_IF([test $SSL_PRESENT != 0])
AT_KEYWORDS([ovsdb server idl positive Python with ssl socket $5])
AT_KEYWORDS([ovsdb server idl positive Python with ssl tls socket $5])
AT_CHECK([ovsdb-tool create db $abs_srcdir/idltest.ovsschema],
[0], [stdout], [ignore])
PKIDIR=$abs_top_builddir/tests
@ -288,7 +288,7 @@ m4_define([OVSDB_CHECK_IDL_SSL_PY],
AT_CHECK([sort stdout | uuidfilt]m4_if([$6],,, [[| $6]]),
[0], [$4])
OVSDB_SERVER_SHUTDOWN(["
/unexpected SSL connection close/d
/unexpected SSL\/TLS connection close/d
/Protocol error/d
"])
AT_CLEANUP])
@ -2473,7 +2473,7 @@ m4_define([CHECK_STREAM_OPEN_BLOCK],
AT_CHECK([$2 PROTOCOL:$4:$WRONG_PORT $SSL_KEY_ARGS], [1], [ignore],
[ignore])
OVSDB_SERVER_SHUTDOWN(["
/unexpected SSL connection close/d
/unexpected SSL\/TLS connection close/d
/Protocol error/d
"])
AT_CHECK([$2 PROTOCOL:$4:$TCP_PORT $SSL_KEY_ARGS], [1], [ignore], [ignore])

12
tests/ovsdb-server.at
View File

@ -824,8 +824,8 @@ OVSDB_SERVER_SHUTDOWN(["
"])
AT_CLEANUP
AT_SETUP([SSL db: implementation])
AT_KEYWORDS([ovsdb server positive ssl $5])
AT_SETUP([SSL/TLS db: implementation])
AT_KEYWORDS([ovsdb server positive ssl tls $5])
AT_SKIP_IF([test "$HAVE_OPENSSL" = no])
# For this test, we pass PKIDIR through a ovsdb-tool transact and
# msys on Windows does not convert the path style automatically.
@ -1604,7 +1604,7 @@ AT_CHECK([test $(get_memory_value atoms) -eq $db_atoms_before_conversion])
OVSDB_SERVER_SHUTDOWN
AT_CLEANUP
AT_BANNER([OVSDB -- ovsdb-server transactions (SSL IPv4 sockets)])
AT_BANNER([OVSDB -- ovsdb-server transactions (SSL/TLS IPv4 sockets)])
# OVSDB_CHECK_EXECUTION(TITLE, SCHEMA, TRANSACTIONS, OUTPUT, [KEYWORDS])
#
@ -1622,7 +1622,7 @@ AT_BANNER([OVSDB -- ovsdb-server transactions (SSL IPv4 sockets)])
# TITLE is provided to AT_SETUP and KEYWORDS to AT_KEYWORDS.
m4_define([OVSDB_CHECK_EXECUTION],
[AT_SETUP([$1])
AT_KEYWORDS([ovsdb server positive ssl $5])
AT_KEYWORDS([ovsdb server positive ssl tls $5])
AT_SKIP_IF([test "$HAVE_OPENSSL" = no])
$2 > schema
PKIDIR=$abs_top_builddir/tests
@ -1640,7 +1640,7 @@ cat stdout >> output
EXECUTION_EXAMPLES
AT_BANNER([OVSDB -- ovsdb-server transactions (SSL IPv6 sockets)])
AT_BANNER([OVSDB -- ovsdb-server transactions (SSL/TLS IPv6 sockets)])
# OVSDB_CHECK_EXECUTION(TITLE, SCHEMA, TRANSACTIONS, OUTPUT, [KEYWORDS])
#
@ -1658,7 +1658,7 @@ AT_BANNER([OVSDB -- ovsdb-server transactions (SSL IPv6 sockets)])
# TITLE is provided to AT_SETUP and KEYWORDS to AT_KEYWORDS.
m4_define([OVSDB_CHECK_EXECUTION],
[AT_SETUP([$1])
AT_KEYWORDS([ovsdb server positive ssl6 $5])
AT_KEYWORDS([ovsdb server positive ssl6 ssl tls $5])
AT_SKIP_IF([test "$HAVE_OPENSSL" = no])
AT_SKIP_IF([test $HAVE_IPV6 = no])
$2 > schema

4
tests/test-ovsdb.py
View File

@ -745,7 +745,7 @@ def do_idl(schema_file, remote, *commands):
if remote.startswith("ssl:"):
if len(commands) < 3:
sys.stderr.write("SSL connection requires private key, "
sys.stderr.write("SSL/TLS connection requires private key, "
"certificate for private key, and peer CA "
"certificate as arguments\n")
sys.exit(1)
@ -970,7 +970,7 @@ def do_idl_cluster(schema_file, remote, pid, *commands):
if remote.startswith("ssl:"):
if len(commands) < 3:
sys.stderr.write("SSL connection requires private key, "
sys.stderr.write("SSL/TLS connection requires private key, "
"certificate for private key, and peer CA "
"certificate as arguments\n")
sys.exit(1)

4
utilities/ovs-ofctl.8.in
View File

@ -722,8 +722,8 @@ Non-OpenFlow packets are ignored. By default, data on TCP ports 6633
and 6653 are considered to be OpenFlow. Specify one or more
\fIport\fR arguments to override the default.
.IP
This command cannot usefully print SSL encrypted traffic. It does not
understand IPv6.
This command cannot usefully print SSL/TLS encrypted traffic. It does
not understand IPv6.
.
.SS "Flow Syntax"
.PP

28
utilities/ovs-vsctl.8.in
View File

@ -155,7 +155,7 @@ Prints a brief overview of the database contents.
.
.IP "\fBemer\-reset\fR"
Reset the configuration into a clean state. It deconfigures OpenFlow
controllers, OVSDB servers, and SSL, and deletes port mirroring,
controllers, OVSDB servers, and SSL/TLS, and deletes port mirroring,
\fBfail_mode\fR, NetFlow, sFlow, and IPFIX configuration. This
command also removes all \fBother\-config\fR keys from all database
records, except that \fBother\-config:hwaddr\fR is preserved if it is
@ -479,13 +479,13 @@ Sets the configured manager target or targets.
Each \fItarget\fR may be an OVSDB active or passive connection method,
e.g. \fBpssl:6640\fR, as described in \fBovsdb\fR(7).
.
.SS "SSL Configuration"
When \fBovs\-vswitchd\fR is configured to connect over SSL for management or
controller connectivity, the following parameters are required:
.SS "SSL/TLS Configuration"
When \fBovs\-vswitchd\fR is configured to connect over SSL/TLS for management
or controller connectivity, the following parameters are required:
.TP
\fIprivate-key\fR
Specifies a PEM file containing the private key used as the virtual
switch's identity for SSL connections to the controller.
switch's identity for SSL/TLS connections to the controller.
.TP
\fIcertificate\fR
Specifies a PEM file containing a certificate, signed by the
@ -500,37 +500,37 @@ the virtual switch is connected to a trustworthy controller.
These files are read only once, at \fBovs\-vswitchd\fR startup time. If
their contents change, \fBovs\-vswitchd\fR must be killed and restarted.
.PP
These SSL settings apply to all SSL connections made by the virtual
These SSL/TLS settings apply to all SSL/TLS connections made by the virtual
switch.
.
.IP "\fBget\-ssl\fR"
Prints the SSL configuration.
Prints the SSL/TLS configuration.
.
.IP "\fBdel\-ssl\fR"
Deletes the current SSL configuration.
Deletes the current SSL/TLS configuration.
.
.IP "[\fB\-\-bootstrap\fR] \fBset\-ssl\fR \fIprivate-key\fR \fIcertificate\fR \fIca-cert\fR"
Sets the SSL configuration. The \fB\-\-bootstrap\fR option is described
Sets the SSL/TLS configuration. The \fB\-\-bootstrap\fR option is described
below.
.
.ST "CA Certificate Bootstrap"
.PP
Ordinarily, all of the files named in the SSL configuration must exist
Ordinarily, all of the files named in the SSL/TLS configuration must exist
when \fBovs\-vswitchd\fR starts. However, if the \fIca-cert\fR file
does not exist and the \fB\-\-bootstrap\fR
option is given, then \fBovs\-vswitchd\fR will attempt to obtain the
CA certificate from the controller on its first SSL connection and
CA certificate from the controller on its first SSL/TLS connection and
save it to the named PEM file. If it is successful, it will
immediately drop the connection and reconnect, and from then on all
SSL connections must be authenticated by a certificate signed by the
SSL/TLS connections must be authenticated by a certificate signed by the
CA certificate thus obtained.
.PP
\fBThis option exposes the SSL connection to a man-in-the-middle
\fBThis option exposes the SSL/TLS connection to a man-in-the-middle
attack obtaining the initial CA certificate\fR, but it may be useful
for bootstrapping.
.PP
This option is only useful if the controller sends its CA certificate
as part of the SSL certificate chain. The SSL protocol does not
as part of the SSL/TLS certificate chain. SSL/TLS protocols do not
require the controller to send the CA certificate.
.
.SS "Auto-Attach Commands"

10
utilities/ovs-vsctl.c
View File

@ -429,10 +429,10 @@ Manager commands:\n\
[--inactivity-probe=MSECS]\n\
set-manager TARGET... set the list of managers to TARGET...\n\
\n\
SSL commands:\n\
get-ssl print the SSL configuration\n\
del-ssl delete the SSL configuration\n\
set-ssl PRIV-KEY CERT CA-CERT set the SSL configuration\n\
SSL/TLS commands:\n\
get-ssl print the SSL/TLS configuration\n\
del-ssl delete the SSL/TLS configuration\n\
set-ssl PRIV-KEY CERT CA-CERT set the SSL/TLS configuration\n\
\n\
Auto Attach commands:\n\
add-aa-mapping BRIDGE I-SID VLAN add Auto Attach mapping to BRIDGE\n\
@ -3254,7 +3254,7 @@ static const struct ctl_command_syntax vsctl_commands[] = {
{"set-manager", 1, INT_MAX, "TARGET...", pre_manager, cmd_set_manager,
NULL, "--inactivity-probe=", RW},
/* SSL commands. */
/* SSL/TLS commands. */
{"get-ssl", 0, 0, "", pre_cmd_get_ssl, cmd_get_ssl, NULL, "", RO},
{"del-ssl", 0, 0, "", pre_cmd_del_ssl, cmd_del_ssl, NULL, "", RW},
{"set-ssl", 3, 3, "PRIVATE-KEY CERTIFICATE CA-CERT", pre_cmd_set_ssl,

5
vswitchd/bridge.c
View File

@ -3417,12 +3417,13 @@ bridge_run(void)
bridge_run__();
/* Re-configure SSL. We do this on every trip through the main loop,
/* Re-configure SSL/TLS. We do this on every trip through the main loop,
* instead of just when the database changes, because the contents of the
* key and certificate files can change without the database changing.
*
* We do this before bridge_reconfigure() because that function might
* initiate SSL connections and thus requires SSL to be configured. */
* initiate SSL/TLS connections and thus requires SSL/TLS to be configured.
*/
if (cfg && cfg->ssl) {
const struct ovsrec_ssl *ssl = cfg->ssl;

44
vswitchd/vswitch.xml
View File

@ -64,7 +64,7 @@
</column>
<column name="ssl">
SSL used globally by the daemon.
SSL/TLS used globally by the daemon.
</column>
<column name="external_ids" key="system-id">
@ -5487,14 +5487,14 @@ ovs-vsctl add-port br0 p0 -- set Interface p0 type=patch options:peer=p1 \
<dl>
<dt><code>ssl:<var>host</var></code>[<code>:<var>port</var></code>]</dt>
<dd>
<p>The specified SSL <var>port</var> on the host at the
<p>The specified SSL/TLS <var>port</var> on the host at the
given <var>host</var>, which can either be a DNS name (if built
with unbound library) or an IP address. The <ref table="Open_vSwitch"
column="ssl"/> column in the <ref table="Open_vSwitch"/> table must
point to a valid SSL configuration when this form is used.</p>
point to a valid SSL/TLS configuration when this form is used.</p>
<p>If <var>port</var> is not specified, it defaults to 6653.</p>
<p>SSL support is an optional feature that is not always built as
part of Open vSwitch.</p>
<p>SSL/TLS support is an optional feature that is not always built
as part of Open vSwitch.</p>
</dd>
<dt><code>tcp:<var>host</var></code>[<code>:<var>port</var></code>]</dt>
<dd>
@ -5517,7 +5517,8 @@ ovs-vsctl add-port br0 p0 -- set Interface p0 type=patch options:peer=p1 \
<dt><code>pssl:</code>[<var>port</var>][<code>:<var>host</var></code>]</dt>
<dd>
<p>
Listens for SSL connections on the specified TCP <var>port</var>.
Listens for SSL/TLS connections on the specified TCP
<var>port</var>.
If <var>host</var>, which can either be a DNS name (if built with
unbound library) or an IP address, is specified, then connections
are restricted to the resolved or specified local IP address
@ -5530,14 +5531,14 @@ ovs-vsctl add-port br0 p0 -- set Interface p0 type=patch options:peer=p1 \
IPv4 (but not IPv6) addresses. The
<ref table="Open_vSwitch" column="ssl"/>
column in the <ref table="Open_vSwitch"/> table must point to a
valid SSL configuration when this form is used.
valid SSL/TLS configuration when this form is used.
</p>
<p>
If <var>port</var> is not specified, it currently to 6653.
</p>
<p>
SSL support is an optional feature that is not always built as
part of Open vSwitch.
SSL/TLS support is an optional feature that is not always built
as part of Open vSwitch.
</p>
</dd>
<dt><code>ptcp:</code>[<var>port</var>][<code>:<var>host</var></code>]</dt>
@ -5907,18 +5908,18 @@ ovs-vsctl add-port br0 p0 -- set Interface p0 type=patch options:peer=p1 \
<dt><code>ssl:<var>host</var></code>[<code>:<var>port</var></code>]</dt>
<dd>
<p>
The specified SSL <var>port</var> on the host at the given
The specified SSL/TLS <var>port</var> on the host at the given
<var>host</var>, which can either be a DNS name (if built with
unbound library) or an IP address. The <ref table="Open_vSwitch"
column="ssl"/> column in the <ref table="Open_vSwitch"/>
table must point to a valid SSL configuration when this
table must point to a valid SSL/TLS configuration when this
form is used.
</p>
<p>
If <var>port</var> is not specified, it defaults to 6640.
</p>
<p>
SSL support is an optional feature that is not always
SSL/TLS support is an optional feature that is not always
built as part of Open vSwitch.
</p>
</dd>
@ -5939,7 +5940,8 @@ ovs-vsctl add-port br0 p0 -- set Interface p0 type=patch options:peer=p1 \
<dt><code>pssl:</code>[<var>port</var>][<code>:<var>host</var></code>]</dt>
<dd>
<p>
Listens for SSL connections on the specified TCP <var>port</var>.
Listens for SSL/TLS connections on the specified TCP
<var>port</var>.
Specify 0 for <var>port</var> to have the kernel automatically
choose an available port. If <var>host</var>, which can either
be a DNS name (if built with unbound library) or an IP address,
@ -5949,15 +5951,15 @@ ovs-vsctl add-port br0 p0 -- set Interface p0 type=patch options:peer=p1 \
e.g. <code>pssl:6640:[::1]</code>. If <var>host</var> is not
specified then it listens only on IPv4 (but not IPv6) addresses.
The <ref table="Open_vSwitch" column="ssl"/> column in the <ref
table="Open_vSwitch"/> table must point to a valid SSL
table="Open_vSwitch"/> table must point to a valid SSL/TLS
configuration when this form is used.
</p>
<p>
If <var>port</var> is not specified, it defaults to 6640.
</p>
<p>
SSL support is an optional feature that is not always built as
part of Open vSwitch.
SSL/TLS support is an optional feature that is not always built
as part of Open vSwitch.
</p>
</dd>
<dt><code>ptcp:</code>[<var>port</var>][<code>:<var>host</var></code>]</dt>
@ -6736,11 +6738,11 @@ ovs-vsctl add-port br0 p0 -- set Interface p0 type=patch options:peer=p1 \
</table>
<table name="SSL">
SSL configuration for an Open_vSwitch.
SSL/TLS configuration for an Open_vSwitch.
<column name="private_key">
Name of a PEM file containing the private key used as the switch's
identity for SSL connections to the controller.
identity for SSL/TLS connections to the controller.
</column>
<column name="certificate">
@ -6757,12 +6759,12 @@ ovs-vsctl add-port br0 p0 -- set Interface p0 type=patch options:peer=p1 \
<column name="bootstrap_ca_cert">
If set to <code>true</code>, then Open vSwitch will attempt to
obtain the CA certificate from the controller on its first SSL
obtain the CA certificate from the controller on its first SSL/TLS
connection and save it to the named PEM file. If it is successful,
it will immediately drop the connection and reconnect, and from then
on all SSL connections must be authenticated by a certificate signed
on all SSL/TLS connections must be authenticated by a certificate signed
by the CA certificate thus obtained. <em>This option exposes the
SSL connection to a man-in-the-middle attack obtaining the initial
SSL/TLS connection to a man-in-the-middle attack obtaining the initial
CA certificate.</em> It may still be useful for bootstrapping.
</column>

18
vtep/vtep.xml
View File

@ -119,12 +119,12 @@
<dt><code>ssl:<var>host</var></code>[<code>:<var>port</var></code>]</dt>
<dd>
<p>
The specified SSL <var>port</var> (default: 6640) on the given
<var>host</var>, which can either be a DNS name (if built with
unbound library) or an IP address.
The specified SSL/TLS <var>port</var> (default: 6640) on the
given <var>host</var>, which can either be a DNS name (if built
with unbound library) or an IP address.
</p>
<p>
SSL key and certificate configuration happens outside the
SSL/TLS key and certificate configuration happens outside the
database.
</p>
</dd>
@ -138,11 +138,11 @@
<dt><code>pssl:</code>[<var>port</var>][<code>:<var>host</var></code>]</dt>
<dd>
<p>
Listens for SSL connections on the specified TCP <var>port</var>
(default: 6640). If <var>host</var>, which can either be a DNS
name (if built with unbound library) or an IP address, is
specified, then connections are restricted to the resolved or
specified local IP address.
Listens for SSL/TLS connections on the specified TCP
<var>port</var> (default: 6640). If <var>host</var>, which can
either be a DNS name (if built with unbound library) or an IP
address, is specified, then connections are restricted to the
resolved or specified local IP address.
</p>
</dd>
<dt><code>ptcp:</code>[<var>port</var>][<code>:<var>host</var></code>]</dt>