From dd8ac6fe86191a301746f384b25a9873e2e3c443 Mon Sep 17 00:00:00 2001
From: Justin Pettit
Date: Fri, 18 Dec 2009 13:43:28 -0800
Subject: [PATCH] ovs-vsctl: Support configuring SSL.

---
 utilities/ovs-vsctl.8.in | 54 ++++++++++++++++++++++++++++++++++
 utilities/ovs-vsctl.c | 62 ++++++++++++++++++++++++++++++++++++++--
 2 files changed, 114 insertions(+), 2 deletions(-)

diff --git a/utilities/ovs-vsctl.8.in b/utilities/ovs-vsctl.8.in
index 16fd8497..da017e62 100644
--- a/utilities/ovs-vsctl.8.in
+++ b/utilities/ovs-vsctl.8.in
@@ -340,6 +340,60 @@ Deletes the configured failure mode.
 .IP "\fBset\-fail\-mode\fR [\fIbridge\fR] \fBstandalone\fR|\fBsecure\fR"
 Sets the configured failure mode.
 .
+.SS "SSL Configuration"
+When \fBovs\-vswitchd\fR is configured to connect over SSL for management or
+controller connectivity, the following parameters are required:
+.TP
+\fBprivate-key\fR
+Specifies a PEM file containing the private key used as the virtual
+switch's identity for SSL connections to the controller.
+.TP
+\fBcertificate\fR
+Specifies a PEM file containing a certificate, signed by the
+certificate authority (CA) used by the controller and manager, that
+certifies the virtual switch's private key, identifying a trustworthy
+switch.
+.TP
+\fBca-cert\fR
+Specifies a PEM file containing the CA certificate used to verify that
+the virtual switch is connected to a trustworthy controller.
+.PP
+These files are read only once, at \fBovs\-vswitchd\fR startup time. If
+their contents change, \fBovs\-vswitchd\fR must be killed and restarted.
+.PP
+These SSL settings apply to all SSL connections made by the virtual
+switch.
+.
+.IP "\fBget\-ssl\fR"
+Prints the SSL configuration.
+.
+.IP "\fBdel\-ssl\fR"
+Deletes the current SSL configuration.
+.
+.IP "[\fB\-\-bootstrap\fR] \fBset\-ssl\fR \fIprivate-key\fR \fIcertificate\fR \fIca-cert\fR"
+Sets the SSL configuration. The \fB\-\-bootstrap\fR option is described
+below.
+.
+.ST "CA Certificate Bootstrap"
+Ordinarily, all of the files named in the SSL configuration must exist
+when \fBovs\-vswitchd\fR starts. However, if the \fB\-\-bootstrap\fR
+option is given, then \fBovs\-vswitchd\fR will attempt to obtain the
+CA certificate from the controller on its first SSL connection and
+save it to the named PEM file. If it is successful, it will
+immediately drop the connection and reconnect, and from then on all
+SSL connections must be authenticated by a certificate signed by the
+CA certificate thus obtained.
+.PP
+\fBThis option exposes the SSL connection to a man-in-the-middle
+attack obtaining the initial CA certificate\fR, but it may be useful
+for bootstrapping.
+.PP
+This option is only useful if the controller sends its CA certificate
+as part of the SSL certificate chain. The SSL protocol does not
+require the controller to send the CA certificate, but
+\fBcontroller\fR(8) can be configured to do so with the
+\fB--peer-ca-cert\fR option.
+.
 .SH "EXAMPLES"
 Create a new bridge named br0 and add port eth0 to it:
 .IP
diff --git a/utilities/ovs-vsctl.c b/utilities/ovs-vsctl.c
index 2868c354..a63970b5 100644
--- a/utilities/ovs-vsctl.c
+++ b/utilities/ovs-vsctl.c
@@ -301,15 +301,23 @@ usage(void)
 "print the controller for BRIDGE\n"
 " del-controller [BRIDGE] "
 "delete the controller for BRIDGE\n"
- " set-controller [BRIDGE] TARGET "
+ " set-controller [BRIDGE] TARGET "
 "set the controller for BRIDGE to TARGET\n"
 " get-fail-mode [BRIDGE] "
 "print the fail-mode for BRIDGE\n"
 " del-fail-mode [BRIDGE] "
 "delete the fail-mode for BRIDGE\n"
- " set-fail-mode [BRIDGE] MODE "
+ " set-fail-mode [BRIDGE] MODE "
 "set the fail-mode for BRIDGE to MODE\n"
 );
+ printf("\nSSL commands:\n"
+ " get-ssl "
+ "print the SSL configuration\n"
+ " del-ssl "
+ "delete the SSL configuration\n"
+ " set-ssl PRIV-KEY CERT CA-CERT "
+ "set the SSL configuration\n"
+ );
 printf("\nOptions:\n"
 " --db=DATABASE "
 "connect to DATABASE\n"
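Review bot: The new help line `"  set-ssl PRIV-KEY CERT CA-CERT "` in the SSL commands block omits the `--bootstrap` option, which the handler table added later in this same patch accepts (`{"set-ssl", 3, 3, cmd_set_ssl, "--bootstrap"}`) and which the manual page hunk documents as `[--bootstrap] set-ssl ...`, so `--help` will not mention it unless it is listed further down in the Options section, which the hunk does not show. Changing the line to `"  [--bootstrap] set-ssl PRIV-KEY CERT CA-CERT "` would keep the three sources in agreement. usage() starts and ends outside the hunk.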
@@ -1397,6 +1405,51 @@ cmd_set_fail_mode(struct vsctl_context *ctx)
 free_info(&info);
 }
 
+
+static void
+cmd_get_ssl(struct vsctl_context *ctx)
+{
+ struct ovsrec_ssl *ssl = ctx->ovs->ssl;
+
+ if (ssl) {
+ ds_put_format(&ctx->output, "Private key: %s\n", ssl->private_key);
+ ds_put_format(&ctx->output, "Certificate: %s\n", ssl->certificate);
+ ds_put_format(&ctx->output, "CA Certificate: %s\n", ssl->ca_cert);
+ ds_put_format(&ctx->output, "Bootstrap: %s\n",
+ ssl->bootstrap_ca_cert ? "true" : "false");
+ }
+}
+
+static void
+cmd_del_ssl(struct vsctl_context *ctx)
+{
+ struct ovsrec_ssl *ssl = ctx->ovs->ssl;
+
+ if (ssl) {
+ ovsrec_ssl_delete(ssl);
+ ovsrec_open_vswitch_set_ssl(ctx->ovs, NULL);
+ }
+}
+
+static void
+cmd_set_ssl(struct vsctl_context *ctx)
+{
+ bool bootstrap = shash_find(&ctx->options, "--bootstrap");
+ struct ovsrec_ssl *ssl = ctx->ovs->ssl;
+
+ if (ssl) {
+ ovsrec_ssl_delete(ssl);
+ }
+ ssl = ovsrec_ssl_insert(txn_from_openvswitch(ctx->ovs));
+
+ ovsrec_ssl_set_private_key(ssl, ctx->argv[1]);
+ ovsrec_ssl_set_certificate(ssl, ctx->argv[2]);
+ ovsrec_ssl_set_ca_cert(ssl, ctx->argv[3]);
+
+ ovsrec_ssl_set_bootstrap_ca_cert(ssl, bootstrap);
+
+ ovsrec_open_vswitch_set_ssl(ctx->ovs, ssl);
+}
 
 typedef void vsctl_handler_func(struct vsctl_context *);
 
@@ -1597,6 +1650,11 @@ get_vsctl_handler(int argc, char *argv[], struct vsctl_context *ctx)
 {"get-fail-mode", 0, 1, cmd_get_fail_mode, ""},
 {"del-fail-mode", 0, 1, cmd_del_fail_mode, ""},
 {"set-fail-mode", 1, 2, cmd_set_fail_mode, ""},
+
+ /* SSL commands. */
+ {"get-ssl", 0, 0, cmd_get_ssl, ""},
+ {"del-ssl", 0, 0, cmd_del_ssl, ""},
+ {"set-ssl", 3, 3, cmd_set_ssl, "--bootstrap"},
 };
 
 const struct vsctl_command *p;
-- 
2.30.2
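Review bot: cmd_set_ssl stores `ctx->argv[1]`, `[2]` and `[3]` in the new row verbatim with no validation, so a mistyped or relative path is accepted and only surfaces when ovs-vswitchd next reads the files; the manual page in this patch says that happens once at daemon startup, and a relative path would presumably be resolved against the daemon's working directory rather than the shell that ran ovs-vsctl. A guard before the `ovsrec_ssl_set_*` calls, e.g. `if (ctx->argv[i][0] != '/') { /* reject through the error path the other cmd_* handlers use */ }`, or at minimum a comment `/* Paths are stored as given; ovs-vswitchd resolves and reads them at startup. */`, would make that contract explicit. cmd_get_ssl emits nothing at all when `ctx->ovs->ssl` is NULL, leaving an unconfigured row indistinguishable from empty output, so a comment stating that this is deliberate (or an explicit "no SSL configuration" line) would help readers and scripts. As a point of style, `bool bootstrap = shash_find(&ctx->options, "--bootstrap");` relies on an implicit pointer-to-bool conversion; `shash_find(&ctx->options, "--bootstrap") != NULL` reads more clearly. All three functions are complete within the hunk.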