ovs-vsctl: Support configuring SSL.

diff --git a/utilities/ovs-vsctl.8.in b/utilities/ovs-vsctl.8.in
index 16fd8497438957539dba1688dfc54e3e15832270..da017e621f1442b9bfda0f412362b2bbcd43cbaf 100644 (file)
--- a/utilities/ovs-vsctl.8.in
+++ b/utilities/ovs-vsctl.8.in
@@ -340,6 +340,60 @@ Deletes the configured failure mode.
 .IP "\fBset\-fail\-mode\fR [\fIbridge\fR] \fBstandalone\fR|\fBsecure\fR"
 Sets the configured failure mode.
 .
+.SS "SSL Configuration"
+When \fBovs\-vswitchd\fR is configured to connect over SSL for management or
+controller connectivity, the following parameters are required:
+.TP
+\fBprivate-key\fR
+Specifies a PEM file containing the private key used as the virtual
+switch's identity for SSL connections to the controller.
+.TP
+\fBcertificate\fR
+Specifies a PEM file containing a certificate, signed by the
+certificate authority (CA) used by the controller and manager, that
+certifies the virtual switch's private key, identifying a trustworthy
+switch.
+.TP
+\fBca-cert\fR
+Specifies a PEM file containing the CA certificate used to verify that
+the virtual switch is connected to a trustworthy controller.
+.PP
+These files are read only once, at \fBovs\-vswitchd\fR startup time.  If
+their contents change, \fBovs\-vswitchd\fR must be killed and restarted.
+.PP
+These SSL settings apply to all SSL connections made by the virtual
+switch.
+.
+.IP "\fBget\-ssl\fR"
+Prints the SSL configuration.
+.
+.IP "\fBdel\-ssl\fR"
+Deletes the current SSL configuration.
+.
+.IP "[\fB\-\-bootstrap\fR] \fBset\-ssl\fR \fIprivate-key\fR \fIcertificate\fR \fIca-cert\fR"
+Sets the SSL configuration.  The \fB\-\-bootstrap\fR option is described 
+below.
+.
+.ST "CA Certificate Bootstrap"
+Ordinarily, all of the files named in the SSL configuration must exist
+when \fBovs\-vswitchd\fR starts.  However, if the \fB\-\-bootstrap\fR 
+option is given, then \fBovs\-vswitchd\fR will attempt to obtain the
+CA certificate from the controller on its first SSL connection and
+save it to the named PEM file.  If it is successful, it will
+immediately drop the connection and reconnect, and from then on all
+SSL connections must be authenticated by a certificate signed by the
+CA certificate thus obtained.
+.PP
+\fBThis option exposes the SSL connection to a man-in-the-middle
+attack obtaining the initial CA certificate\fR, but it may be useful
+for bootstrapping.
+.PP
+This option is only useful if the controller sends its CA certificate
+as part of the SSL certificate chain.  The SSL protocol does not
+require the controller to send the CA certificate, but
+\fBcontroller\fR(8) can be configured to do so with the
+\fB--peer-ca-cert\fR option.
+.
 .SH "EXAMPLES"
 Create a new bridge named br0 and add port eth0 to it:
 .IP

diff --git a/utilities/ovs-vsctl.c b/utilities/ovs-vsctl.c
index 2868c354c2ee6aa87b5b5670a5938fe304a91f4b..a63970b513ed4b97bbc605691d253abb436ad860 100644 (file)
--- a/utilities/ovs-vsctl.c
+++ b/utilities/ovs-vsctl.c
@@ -301,15 +301,23 @@ usage(void)
            "print the controller for BRIDGE\n"
            "  del-controller [BRIDGE]     "
            "delete the controller for BRIDGE\n"
-           "  set-controller [BRIDGE] TARGET "
+           "  set-controller [BRIDGE] TARGET  "
            "set the controller for BRIDGE to TARGET\n"
            "  get-fail-mode [BRIDGE]     "
            "print the fail-mode for BRIDGE\n"
            "  del-fail-mode [BRIDGE]     "
            "delete the fail-mode for BRIDGE\n"
-           "  set-fail-mode [BRIDGE] MODE "
+           "  set-fail-mode [BRIDGE] MODE  "
            "set the fail-mode for BRIDGE to MODE\n"
         );
+    printf("\nSSL commands:\n"
+           "  get-ssl              "
+           "print the SSL configuration\n"
+           "  del-ssl              "
+           "delete the SSL configuration\n"
+           "  set-ssl PRIV-KEY CERT CA-CERT  "
+           "set the SSL configuration\n"
+        );
     printf("\nOptions:\n"
            "  --db=DATABASE               "
            "connect to DATABASE\n"
@@ -1397,6 +1405,51 @@ cmd_set_fail_mode(struct vsctl_context *ctx)
 
     free_info(&info);
 }
+
+static void
+cmd_get_ssl(struct vsctl_context *ctx)
+{
+    struct ovsrec_ssl *ssl = ctx->ovs->ssl;
+
+    if (ssl) {
+        ds_put_format(&ctx->output, "Private key: %s\n", ssl->private_key);
+        ds_put_format(&ctx->output, "Certificate: %s\n", ssl->certificate);
+        ds_put_format(&ctx->output, "CA Certificate: %s\n", ssl->ca_cert);
+        ds_put_format(&ctx->output, "Bootstrap: %s\n",
+                ssl->bootstrap_ca_cert ? "true" : "false");
+    }
+}
+
+static void
+cmd_del_ssl(struct vsctl_context *ctx)
+{
+    struct ovsrec_ssl *ssl = ctx->ovs->ssl;
+
+    if (ssl) {
+        ovsrec_ssl_delete(ssl);
+        ovsrec_open_vswitch_set_ssl(ctx->ovs, NULL);
+    }
+}
+
+static void
+cmd_set_ssl(struct vsctl_context *ctx)
+{
+    bool bootstrap = shash_find(&ctx->options, "--bootstrap");
+    struct ovsrec_ssl *ssl = ctx->ovs->ssl;
+
+    if (ssl) {
+        ovsrec_ssl_delete(ssl);
+    }
+    ssl = ovsrec_ssl_insert(txn_from_openvswitch(ctx->ovs));
+
+    ovsrec_ssl_set_private_key(ssl, ctx->argv[1]);
+    ovsrec_ssl_set_certificate(ssl, ctx->argv[2]);
+    ovsrec_ssl_set_ca_cert(ssl, ctx->argv[3]);
+
+    ovsrec_ssl_set_bootstrap_ca_cert(ssl, bootstrap);
+
+    ovsrec_open_vswitch_set_ssl(ctx->ovs, ssl);
+}
 \f
 typedef void vsctl_handler_func(struct vsctl_context *);
 
@@ -1597,6 +1650,11 @@ get_vsctl_handler(int argc, char *argv[], struct vsctl_context *ctx)
         {"get-fail-mode", 0, 1, cmd_get_fail_mode, ""},
         {"del-fail-mode", 0, 1, cmd_del_fail_mode, ""},
         {"set-fail-mode", 1, 2, cmd_set_fail_mode, ""},
+
+        /* SSL commands. */
+        {"get-ssl", 0, 0, cmd_get_ssl, ""},
+        {"del-ssl", 0, 0, cmd_del_ssl, ""},
+        {"set-ssl", 3, 3, cmd_set_ssl, "--bootstrap"},
     };
 
     const struct vsctl_command *p;