mirror of
https://github.com/openvswitch/ovs
synced 2025-08-22 09:58:01 +00:00
49f299313d
SSL protocol family is not actually being used or supported in OVS. What we use is actually TLS. Terms "SSL" and "TLS" are often used interchangeably in modern software and refer to the same thing, which is normally just TLS. Let's replace "SSL" with "SSL/TLS" in documentation and user-visible messages, where it makes sense. This may make it more clear what is meant for a less experienced user that may look for TLS support in OVS and not find much. We're not changing any actual code, because, for example, most of OpenSSL APIs are using just SSL, for historical reasons. And our database is using "SSL" table. We may consider migrating to "TLS" naming for user-visible configuration like command line arguments and database names, but that will require extra work on making sure upgrades can still work. In general, a slightly more clear documentation should be enough for now, especially since term SSL is still widely used in the industry. "SSL/TLS" is chosen over "TLS/SSL" simply because our user-visible configuration knobs are using "SSL" naming, e.g. '--ssl-cyphers' or 'ovs-vsctl set-ssl'. So, it might be less confusing this way. We may switch that, if we decide on re-working the user-visible commands towards "TLS" naming, or providing both alternatives. Some other projects did similar changes. For example, the python ssl library is now using "TLS/SSL" in the documentation whenever possible. Same goes for OpenSSL itself. Acked-by: Eelco Chaudron <echaudro@redhat.com> Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
21 lines
949 B
Groff
21 lines
949 B
Groff
.IP "\fB\-\-bootstrap\-ca\-cert=\fIcacert.pem\fR"
|
|
When \fIcacert.pem\fR exists, this option has the same effect as
|
|
\fB\-C\fR or \fB\-\-ca\-cert\fR. If it does not exist, then
|
|
\fB\*(PN\fR will attempt to obtain the CA certificate from the
|
|
SSL/TLS peer on its first SSL/TLS connection and save it to the named
|
|
PEM file. If it is successful, it will immediately drop the connection
|
|
and reconnect, and from then on all SSL/TLS connections must be
|
|
authenticated by a certificate signed by the CA certificate thus
|
|
obtained.
|
|
.IP
|
|
\fBThis option exposes the SSL/TLS connection to a man-in-the-middle
|
|
attack obtaining the initial CA certificate\fR, but it may be useful
|
|
for bootstrapping.
|
|
.IP
|
|
This option is only useful if the SSL/TLS peer sends its CA certificate
|
|
as part of the SSL/TLS certificate chain. SSL/TLS protocols do not
|
|
require the server to send the CA certificate.
|
|
.IP
|
|
This option is mutually exclusive with \fB\-C\fR and
|
|
\fB\-\-ca\-cert\fR.
|