From: Ben Pfaff Date: Wed, 22 Oct 2008 20:27:03 +0000 (-0700) Subject: Add support for bootstrapping the CA certificate to the Debian packaging. X-Git-Url: https://pintos-os.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8478ab12feffbd7611a3e3f0786132f603fc4433;p=openvswitch Add support for bootstrapping the CA certificate to the Debian packaging. --- diff --git a/debian/openflow-switch.default b/debian/openflow-switch.default index 6088581a..7e40c26c 100644 --- a/debian/openflow-switch.default +++ b/debian/openflow-switch.default @@ -78,6 +78,20 @@ SWITCH_IP=dhcp # Required if SSL enabled. #CACERT=/etc/openflow-switch/cacert.pem +# CACERT_MODE: Two modes are available: +# +# * secure: The controller CA certificate named in CACERT above must exist. +# (You must copy it manually from the PKI server or another trusted source.) +# +# * bootstrap: If the controller CA certificate named in CACERT above does +# not exist, the switch will obtain it from the controller the first time +# it connects and save a copy to the file named in CACERT. This is insecure, +# in the same way that initial connections with ssh are insecure, but +# it is convenient. +# +# Set CACERT_MODE to 'secure' or 'bootstrap' for these respective cases. +#CACERT=secure + # MGMT_VCONNS: List of vconns (space-separated) on which secchan # should listen for management connections from dpctl, etc. # openflow-switchmon by default connects to diff --git a/debian/openflow-switch.init b/debian/openflow-switch.init index b4e39afc..c3d22d7d 100755 --- a/debian/openflow-switch.init +++ b/debian/openflow-switch.init @@ -115,15 +115,21 @@ check_op() { } configure_ssl() { - if test ! -e "$PRIVKEY" || test ! -e "$CERT" || test ! -e "$CACERT"; then + if (test "$CACERT_MODE" != secure && test "$CACERT_MODE" != bootstrap) \ + || test ! -e "$PRIVKEY" || test ! -e "$CERT" \ + || (test ! -e "$CACERT" && test "$CACERT_MODE" != bootstrap); then + if test "$CACERT_MODE" != secure && test "$CACERT_MODE" != bootstrap + then + echo "CACERT_MODE is not set to 'secure' or 'bootstrap'" + fi if test ! -e "$PRIVKEY"; then echo "$PRIVKEY: private key missing" >&2 fi if test ! -e "$CERT"; then echo "$CERT: certificate for private key missing" >&2 fi - if test ! -e "$CACERT"; then - echo "$CACERT: CA certificate missing" >&2 + if test ! -e "$CACERT" && test "$CACERT_MODE" != bootstrap; then + echo "$CACERT: CA certificate missing (and CA certificate bootstrapping not enabled)" >&2 fi echo "Run ofp-switch-setup or edit /etc/default/openflow-switch to configure" >&2 if test "$MODE" = discovery; then @@ -131,7 +137,13 @@ configure_ssl() { fi exit 1 fi - SSL_OPTS="--private-key=$PRIVKEY --certificate=$CERT --ca-cert=$CACERT" + + SSL_OPTS="--private-key=$PRIVKEY --certificate=$CERT" + if test ! -e "$CACERT" && test "$CACERT_MODE" = bootstrap; then + SSL_OPTS="$SSL_OPTS --bootstrap-ca-cert=$CACERT" + else + SSL_OPTS="$SSL_OPTS --ca-cert=$CACERT" + fi } case "$1" in