SSL protocol family is not actually being used or supported in OVS.
What we use is actually TLS.

Terms "SSL" and "TLS" are often used interchangeably in modern
software and refer to the same thing, which is normally just TLS.

Let's replace "SSL" with "SSL/TLS" in documentation and user-visible
messages, where it makes sense.  This may make it more clear what
is meant for a less experienced user that may look for TLS support
in OVS and not find much.

We're not changing any actual code, because, for example, most of
OpenSSL APIs are using just SSL, for historical reasons.  And our
database is using "SSL" table.  We may consider migrating to "TLS"
naming for user-visible configuration like command line arguments
and database names, but that will require extra work on making sure
upgrades can still work.  In general, a slightly more clear
documentation should be enough for now, especially since term SSL
is still widely used in the industry.

"SSL/TLS" is chosen over "TLS/SSL" simply because our user-visible
configuration knobs are using "SSL" naming, e.g. '--ssl-ciphers'
or 'ovs-vsctl set-ssl'.  So, it might be less confusing this way.
We may switch that, if we decide on re-working the user-visible
commands towards "TLS" naming, or providing both alternatives.

Some other projects did similar changes.  For example, the python ssl
library is now using "TLS/SSL" in the documentation whenever possible.
Same goes for OpenSSL itself.

Signed-off-by: Ilya Maximets <[email protected]>
---
 Documentation/howto/ssl.rst               | 77 ++++++++++++-----------
 Documentation/intro/install/general.rst   |  6 +-
 Documentation/ref/ovsdb.7.rst             |  8 +--
 debian/openvswitch-testcontroller.default |  8 +--
 lib/reconnect.c                           |  2 +-
 lib/ssl-bootstrap.man                     | 14 ++---
 lib/ssl-bootstrap.xml                     | 14 ++---
 lib/ssl-connect-syn.man                   |  2 +-
 lib/ssl-connect.man                       |  6 +-
 lib/ssl-peer-ca-cert.man                  |  6 +-
 lib/ssl-peer-ca-cert.xml                  |  6 +-
 lib/ssl.man                               | 11 ++--
 lib/ssl.xml                               | 10 +--
 lib/stream-nossl.c                        | 13 ++--
 lib/stream-ssl.c                          | 36 ++++++-----
 lib/stream.c                              | 14 ++---
 lib/vconn.c                               |  6 +-
 m4/openvswitch.m4                         |  4 +-
 ovsdb/local-config.xml                    | 19 +++---
 ovsdb/ovsdb-client.1.in                   |  2 +-
 ovsdb/ovsdb-server.c                      |  4 +-
 python/ovs/reconnect.py                   |  2 +-
 python/ovs/stream.py                      |  8 +--
 tests/ofproto-macros.at                   |  2 +-
 tests/ovsdb-idl.at                        | 10 +--
 tests/ovsdb-server.at                     | 12 ++--
 tests/test-ovsdb.py                       |  4 +-
 utilities/ovs-ofctl.8.in                  |  4 +-
 utilities/ovs-vsctl.8.in                  | 28 ++++-----
 utilities/ovs-vsctl.c                     | 10 +--
 vswitchd/bridge.c                         |  5 +-
 vswitchd/vswitch.xml                      | 44 ++++++-------
 vtep/vtep.xml                             | 18 +++---
 33 files changed, 212 insertions(+), 203 deletions(-)

diff --git a/Documentation/howto/ssl.rst b/Documentation/howto/ssl.rst
index 5350d6ca0..0cbdbbf98 100644
--- a/Documentation/howto/ssl.rst
+++ b/Documentation/howto/ssl.rst
@@ -21,18 +21,18 @@
 
       Avoid deeper levels because they do not render well.
 
-=====================
-Open vSwitch with SSL
-=====================
+=========================
+Open vSwitch with SSL/TLS
+=========================
 
 If you plan to configure Open vSwitch to connect across the network to an
 OpenFlow controller, then we recommend that you build Open vSwitch with
-OpenSSL. SSL support ensures integrity and confidentiality of the OpenFlow
+OpenSSL.  SSL/TLS support ensures integrity and confidentiality of the OpenFlow
 connections, increasing network security.
 
 This document describes how to configure an Open vSwitch to connect to an
-OpenFlow controller over SSL.  Refer to :doc:`/intro/install/general`. for
-instructions on building Open vSwitch with SSL support.
+OpenFlow controller over SSL/TLS.  Refer to :doc:`/intro/install/general`. for
+instructions on building Open vSwitch with SSL/TLS support.
 
 Open vSwitch uses TLS version 1.2 or later (TLSv1.2), as specified by
 RFC 5246.  TLSv1.2 was released in August 2008, so all current software and
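Review bot: the rewritten line "OpenFlow controller over SSL/TLS.  Refer to :doc:`/intro/install/general`. for" keeps the stray period after the :doc: reference, so the rendered sentence breaks in the middle ("... general. for instructions ..."). Since the line is being touched anyway, drop that period so the sentence reads "Refer to :doc:`/intro/install/general` for instructions on building Open vSwitch with SSL/TLS support."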
@@ -41,16 +41,16 @@ hardware should implement it.
 This document assumes basic familiarity with public-key cryptography and
 public-key infrastructure.
 
-SSL Concepts for OpenFlow
--------------------------
+SSL/TLS Concepts for OpenFlow
+-----------------------------
 
 This section is an introduction to the public-key infrastructure architectures
-that Open vSwitch supports for SSL authentication.
+that Open vSwitch supports for SSL/TLS authentication.
 
-To connect over SSL, every Open vSwitch must have a unique private/public key
-pair and a certificate that signs that public key.  Typically, the Open vSwitch
-generates its own public/private key pair.  There are two common ways to obtain
-a certificate for a switch:
+To connect over SSL/TLS, every Open vSwitch must have a unique private/public
+key pair and a certificate that signs that public key.  Typically, the
+Open vSwitch generates its own public/private key pair.  There are two common
+ways to obtain a certificate for a switch:
 
 * Self-signed certificates: The Open vSwitch signs its certificate with its own
   private key.  In this case, each switch must be individually approved by the
@@ -149,9 +149,9 @@ created, because they could be used to impersonate the 
controller.
 Switch Key Generation with Self-Signed Certificates
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-If you are using self-signed certificates (see "SSL Concepts for OpenFlow"),
-this is one way to create an acceptable certificate for your controller to
-approve.
+If you are using self-signed certificates (see
+`SSL/TLS Concepts for OpenFlow`_), this is one way to create an acceptable
+certificate for your controller to approve.
 
 1. Run the following command on the Open vSwitch itself::
 
@@ -178,15 +178,15 @@ approve.
    have to use CA certificate bootstrapping when you configure Open vSwitch in
    the next step.)
 
-3. Configure Open vSwitch to use the keys and certificates (see "Configuring
-   SSL Support", below).
+3. Configure Open vSwitch to use the keys and certificates (see
+   `Configuring SSL/TLS Support`_, below).
 
 Switch Key Generation with a Switch PKI (Easy Method)
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-If you are using a switch PKI (see "SSL Concepts for OpenFlow", above), this
-method of switch key generation is a little easier than the alternate method
-described below, but it is also a little less secure because it requires
+If you are using a switch PKI (see `SSL/TLS Concepts for OpenFlow`_, above),
+this method of switch key generation is a little easier than the alternate
+method described below, but it is also a little less secure because it requires
 copying a sensitive private key from file from the machine hosting the PKI to
 the switch.
 
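Review bot: the paragraph reflowed here still ends with "copying a sensitive private key from file from the machine hosting the PKI", where "from file from" looks like a leftover typo in the context line right below the changed lines. As this is the sentence that explains why the easy method is less secure, it is worth fixing in the same reflow, e.g. "copying a sensitive private key file from the machine hosting the PKI to the switch."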
@@ -215,15 +215,15 @@ the switch.
      Don't delete controllerca/cacert.pem!  It is not security-sensitive and
      you will need it to configure additional switches.
 
-4. Configure Open vSwitch to use the keys and certificates (see "Configuring
-   SSL Support", below).
+4. Configure Open vSwitch to use the keys and certificates (see
+   `Configuring SSL/TLS Support`_, below).
 
 Switch Key Generation with a Switch PKI (More Secure)
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-If you are using a switch PKI (see "SSL Concepts for OpenFlow", above), then,
-compared to the previous method, the method described here takes a little more
-work, but it does not involve copying the private key from one machine to
+If you are using a switch PKI (see `SSL/TLS Concepts for OpenFlow`_, above),
+then, compared to the previous method, the method described here takes a little
+more work, but it does not involve copying the private key from one machine to
 another, so it may also be a little more secure.
 
 1. Run the following command on the Open vSwitch itself::
@@ -274,15 +274,15 @@ another, so it may also be a little more secure.
      Don't delete `controllerca/cacert.pem`!  It is not security-sensitive and
      you will need it to configure additional switches.
 
-5. Configure Open vSwitch to use the keys and certificates (see "Configuring
-   SSL Support", below).
+5. Configure Open vSwitch to use the keys and certificates (see
+   `Configuring SSL/TLS Support`_, below).
 
-Configuring SSL Support
------------------------
+Configuring SSL/TLS Support
+---------------------------
 
-SSL configuration requires three additional configuration files.  The first two
-of these are unique to each Open vSwitch.  If you used the instructions above
-to build your PKI, then these files will be named `sc-privkey.pem` and
+SSL/TLS configuration requires three additional configuration files.  The first
+two of these are unique to each Open vSwitch.  If you used the instructions
+above to build your PKI, then these files will be named `sc-privkey.pem` and
 `sc-cert.pem`, respectively:
 
 - A private key file, which contains the private half of an RSA or DSA key.
@@ -320,17 +320,18 @@ above.  You should use absolute file names (ones that 
begin with ``/``),
 because ovs-vswitchd's current directory is unrelated to the one from which you
 run ovs-vsctl.
 
-If you are using self-signed certificates (see "SSL Concepts for OpenFlow") and
-you did not copy controllerca/cacert.pem from the PKI machine to the Open
-vSwitch, then add the ``--bootstrap`` option, e.g.::
+If you are using self-signed certificates (see
+`SSL/TLS Concepts for OpenFlow`_) and you did not copy controllerca/cacert.pem
+from the PKI machine to the Open vSwitch, then add the ``--bootstrap`` option,
+e.g.::
 
     $ ovs-vsctl -- --bootstrap set-ssl /etc/openvswitch/sc-privkey.pem \
         /etc/openvswitch/sc-cert.pem /etc/openvswitch/cacert.pem
 
 After you have added all of these configuration keys, you may specify ``ssl:``
 connection methods elsewhere in the configuration database.  ``tcp:`` 
connection
-methods are still allowed even after SSL has been configured, so for security
-you should use only ``ssl:`` connections.
+methods are still allowed even after SSL/TLS has been configured, so for
+security you should use only ``ssl:`` connections.
 
 Reporting Bugs
 --------------
diff --git a/Documentation/intro/install/general.rst 
b/Documentation/intro/install/general.rst
index e8471aa46..c93381a8b 100644
--- a/Documentation/intro/install/general.rst
+++ b/Documentation/intro/install/general.rst
@@ -429,7 +429,7 @@ database that it can use::
 
 Configure ovsdb-server to use database created above, to listen on a Unix
 domain socket, to connect to any managers specified in the database itself, and
-to use the SSL configuration in the database::
+to use the SSL/TLS configuration in the database::
 
     $ mkdir -p /usr/local/var/run/openvswitch
     $ ovsdb-server --remote=punix:/usr/local/var/run/openvswitch/db.sock \
@@ -440,8 +440,8 @@ to use the SSL configuration in the database::
         --pidfile --detach --log-file
 
 .. note::
-  If you built Open vSwitch without SSL support, then omit ``--private-key``,
-  ``--certificate``, and ``--bootstrap-ca-cert``.)
+  If you built Open vSwitch without SSL/TLS support, then omit
+  ``--private-key``, ``--certificate``, and ``--bootstrap-ca-cert``.)
 
 Initialize the database using ovs-vsctl. This is only necessary the first time
 after you create the database with ovsdb-tool, though running it at any time is
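Review bot: the rewrapped note still ends with an unmatched closing parenthesis, "``--private-key``, ``--certificate``, and ``--bootstrap-ca-cert``.)". There is no opening parenthesis anywhere in the note, so the ")" should be dropped while these two lines are being rewritten.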
diff --git a/Documentation/ref/ovsdb.7.rst b/Documentation/ref/ovsdb.7.rst
index a45c4ce38..42541dd7e 100644
--- a/Documentation/ref/ovsdb.7.rst
+++ b/Documentation/ref/ovsdb.7.rst
@@ -665,7 +665,7 @@ the opposite arrangement as well.
 OVSDB supports the following active connection methods:
 
 ssl:<host>:<port>
-    The specified SSL or TLS <port> on the given <host>.
+    The specified SSL/TLS <port> on the given <host>.
 
 tcp:<host>:<port>
     The specified TCP <port> on the given <host>.
@@ -692,7 +692,7 @@ unix:<file>
 OVSDB supports the following passive connection methods:
 
 pssl:<port>[:<ip>]
-    Listen on the given TCP <port> for SSL or TLS connections.  By default,
+    Listen on the given TCP <port> for SSL/TLS connections.  By default,
     connections are not bound to a particular local IP address.  Specifying
     <ip> limits connections to those from the given IP.
 
@@ -725,8 +725,8 @@ versions, we encourage users to specify a port number.
 
 The ``ssl`` and ``pssl`` connection methods requires additional configuration
 through ``--private-key``, ``--certificate``, and ``--ca-cert`` command line
-options.  Open vSwitch can be built without SSL support, in which case these
-connection methods are not supported.
+options.  Open vSwitch can be built without SSL/TLS support, in which case
+these connection methods are not supported.
 
 Database Life Cycle
 ===================
diff --git a/debian/openvswitch-testcontroller.default 
b/debian/openvswitch-testcontroller.default
index c6db59570..39dfaaf54 100644
--- a/debian/openvswitch-testcontroller.default
+++ b/debian/openvswitch-testcontroller.default
@@ -4,7 +4,7 @@
 #
 # This is a space-delimited list of connection methods:
 #
-# * "pssl:[PORT]": Listen for SSL connections on the specified PORT
+# * "pssl:[PORT]": Listen for SSL/TLS connections on the specified PORT
 #   (default: 6653).  The private key, certificate, and CA certificate
 #   must be specified below.
 #
@@ -14,15 +14,15 @@
 LISTEN="pssl:"
 
 # PRIVKEY: Name of file containing controller's private key.
-# Required if SSL enabled.
+# Required if SSL/TLS enabled.
 PRIVKEY=/etc/openvswitch-testcontroller/privkey.pem
 
 # CERT: Name of file containing certificate for private key.
-# Required if SSL enabled.
+# Required if SSL/TLS enabled.
 CERT=/etc/openvswitch-testcontroller/cert.pem
 
 # CACERT: Name of file containing switch CA certificate.
-# Required if SSL enabled.
+# Required if SSL/TLS enabled.
 CACERT=/etc/openvswitch-testcontroller/cacert.pem
 
 # Additional options to pass to ovs-testcontroller, e.g. "--hub"
diff --git a/lib/reconnect.c b/lib/reconnect.c
index 89a0bcaf9..918ecd203 100644
--- a/lib/reconnect.c
+++ b/lib/reconnect.c
@@ -607,7 +607,7 @@ reconnect_deadline__(const struct reconnect *fsm, long long 
int now)
  *       connections that quickly abort, so it is OK to call
  *       reconnect_connected() after a low-level successful connection
  *       (e.g. connect()) even if the connection might soon abort due to a
- *       failure at a high-level (e.g. SSL negotiation failure).
+ *       failure at a high-level (e.g. SSL/TLS negotiation failure).
  *
  *     - Passive client, RECONNECT_CONNECT: The client should try to listen for
  *       a connection, if it is not already listening.  It should call
diff --git a/lib/ssl-bootstrap.man b/lib/ssl-bootstrap.man
index c112f9a97..239302f8b 100644
--- a/lib/ssl-bootstrap.man
+++ b/lib/ssl-bootstrap.man
@@ -2,19 +2,19 @@
 When \fIcacert.pem\fR exists, this option has the same effect as
 \fB\-C\fR or \fB\-\-ca\-cert\fR.  If it does not exist, then
 \fB\*(PN\fR will attempt to obtain the CA certificate from the
-SSL peer on its first SSL connection and save it to the named PEM
-file.  If it is successful, it will immediately drop the connection
-and reconnect, and from then on all SSL connections must be
+SSL/TLS peer on its first SSL/TLS connection and save it to the named
+PEM file.  If it is successful, it will immediately drop the connection
+and reconnect, and from then on all SSL/TLS connections must be
 authenticated by a certificate signed by the CA certificate thus
 obtained.
 .IP
-\fBThis option exposes the SSL connection to a man-in-the-middle
+\fBThis option exposes the SSL/TLS connection to a man-in-the-middle
 attack obtaining the initial CA certificate\fR, but it may be useful
 for bootstrapping.
 .IP
-This option is only useful if the SSL peer sends its CA certificate as
-part of the SSL certificate chain.  The SSL protocol does not require
-the server to send the CA certificate.
+This option is only useful if the SSL/TLS peer sends its CA certificate
+as part of the SSL/TLS certificate chain.  SSL/TLS protocols do not
+require the server to send the CA certificate.
 .IP
 This option is mutually exclusive with \fB\-C\fR and
 \fB\-\-ca\-cert\fR.
diff --git a/lib/ssl-bootstrap.xml b/lib/ssl-bootstrap.xml
index 72d59522f..bf5300033 100644
--- a/lib/ssl-bootstrap.xml
+++ b/lib/ssl-bootstrap.xml
@@ -6,21 +6,21 @@
       When <var>cacert.pem</var> exists, this option has the same effect
       as <code>-C</code> or <code>--ca-cert</code>. If it does not exist,
       then the executable will attempt to obtain the CA certificate from the
-      SSL peer on its first SSL connection and save it to the named PEM
-      file.  If it is successful, it will immediately drop the connection
-      and reconnect, and from then on all SSL connections must be
+      SSL/TLS peer on its first SSL/TLS connection and save it to the named
+      PEM file.  If it is successful, it will immediately drop the connection
+      and reconnect, and from then on all SSL/TLS connections must be
       authenticated by a certificate signed by the CA certificate thus
       obtained.
     </p>
     <p>
-      This option exposes the SSL connection to a man-in-the-middle
+      This option exposes the SSL/TLS connection to a man-in-the-middle
       attack obtaining the initial CA certificate, but it may be useful
       for bootstrapping.
     </p>
     <p>
-      This option is only useful if the SSL peer sends its CA certificate as
-      part of the SSL certificate chain.  The SSL protocol does not require
-      the server to send the CA certificate.
+      This option is only useful if the SSL/TLS peer sends its CA certificate
+      as part of the SSL/TLS certificate chain.  SSL/TLS protocols do not
+      require the server to send the CA certificate.
     </p>
     <p>
       This option is mutually exclusive with <code>-C</code> and
diff --git a/lib/ssl-connect-syn.man b/lib/ssl-connect-syn.man
index ed77f7868..a5ca34662 100644
--- a/lib/ssl-connect-syn.man
+++ b/lib/ssl-connect-syn.man
@@ -1,4 +1,4 @@
-.IP "SSL connection options:"
+.IP "SSL/TLS connection options:"
 [\fB\-\-ssl\-protocols=\fIprotocols\fR]
 .br
 [\fB\-\-ssl\-ciphers=\fIciphers\fR]
diff --git a/lib/ssl-connect.man b/lib/ssl-connect.man
index 693a999b2..108850da5 100644
--- a/lib/ssl-connect.man
+++ b/lib/ssl-connect.man
@@ -1,6 +1,6 @@
 .IP "\fB\-\-ssl\-protocols=\fIprotocols\fR"
-Specifies, in a comma- or space-delimited list, the SSL protocols
-\fB\*(PN\fR will enable for SSL connections.  Supported
+Specifies, in a comma- or space-delimited list, the SSL/TLS protocols
+\fB\*(PN\fR will enable for SSL/TLS connections.  Supported
 \fIprotocols\fR include \fBTLSv1\fR (deprecated), \fBTLSv1.1\fR (deprecated),
 and \fBTLSv1.2\fR.
 Regardless of order, the highest protocol supported by both sides will
@@ -9,5 +9,5 @@ omitted is \fBTLSv1.2\fR or later.
 .
 .IP "\fB\-\-ssl\-ciphers=\fIciphers\fR"
 Specifies, in OpenSSL cipher string format, the ciphers \fB\*(PN\fR will 
-support for SSL connections.  The default when this option is omitted is
+support for SSL/TLS connections.  The default when this option is omitted is
 \fBHIGH:!aNULL:!MD5\fR.
diff --git a/lib/ssl-peer-ca-cert.man b/lib/ssl-peer-ca-cert.man
index 5450b9ef4..a8aae2d36 100644
--- a/lib/ssl-peer-ca-cert.man
+++ b/lib/ssl-peer-ca-cert.man
@@ -1,13 +1,13 @@
 .IP "\fB\-\-peer\-ca\-cert=\fIpeer-cacert.pem\fR"
 Specifies a PEM file that contains one or more additional certificates
-to send to SSL peers.  \fIpeer-cacert.pem\fR should be the CA
+to send to SSL/TLS peers.  \fIpeer-cacert.pem\fR should be the CA
 certificate used to sign \fB\*(PN\fR's own certificate, that is, the
 certificate specified on \fB\-c\fR or \fB\-\-certificate\fR.  If
 \fB\*(PN\fR's certificate is self-signed, then \fB\-\-certificate\fR
 and \fB\-\-peer\-ca\-cert\fR should specify the same file.
 .IP
-This option is not useful in normal operation, because the SSL peer
+This option is not useful in normal operation, because the SSL/TLS peer
 must already have the CA certificate for the peer to have any
 confidence in \fB\*(PN\fR's identity.  However, this offers a way for
-a new installation to bootstrap the CA certificate on its first SSL
+a new installation to bootstrap the CA certificate on its first SSL/TLS
 connection.
diff --git a/lib/ssl-peer-ca-cert.xml b/lib/ssl-peer-ca-cert.xml
index 3d46ff511..eddc5de27 100644
--- a/lib/ssl-peer-ca-cert.xml
+++ b/lib/ssl-peer-ca-cert.xml
@@ -4,7 +4,7 @@
   <dd>
     <p>
       Specifies a PEM file that contains one or more additional certificates
-      to send to SSL peers.  <var>peer-cacert.pem</var> should be the CA
+      to send to SSL/TLS peers.  <var>peer-cacert.pem</var> should be the CA
       certificate used to sign the program's own certificate, that is, the
       certificate specified on <code>-c</code> or <code>--certificate</code>.
       If the program's certificate is self-signed, then
@@ -12,10 +12,10 @@
       the same file.
     </p>
     <p>
-      This option is not useful in normal operation, because the SSL peer
+      This option is not useful in normal operation, because the SSL/TLS peer
       must already have the CA certificate for the peer to have any
       confidence in the program's identity.  However, this offers a way for
-      a new installation to bootstrap the CA certificate on its first SSL
+      a new installation to bootstrap the CA certificate on its first SSL/TLS
       connection.
     </p>
   </dd>
diff --git a/lib/ssl.man b/lib/ssl.man
index 44a95fd68..9bec3a786 100644
--- a/lib/ssl.man
+++ b/lib/ssl.man
@@ -1,25 +1,26 @@
 .IP "\fB\-p\fR \fIprivkey.pem\fR"
 .IQ "\fB\-\-private\-key=\fIprivkey.pem\fR"
 Specifies a PEM file containing the private key used as \fB\*(PN\fR's
-identity for outgoing SSL connections.
+identity for outgoing SSL/TLS connections.
 .
 .IP "\fB\-c\fR \fIcert.pem\fR"
 .IQ "\fB\-\-certificate=\fIcert.pem\fR"
 Specifies a PEM file containing a certificate that certifies the
 private key specified on \fB\-p\fR or \fB\-\-private\-key\fR to be
 trustworthy.  The certificate must be signed by the certificate
-authority (CA) that the peer in SSL connections will use to verify it.
+authority (CA) that the peer in SSL/TLS connections will use to
+verify it.
 .
 .IP "\fB\-C\fR \fIcacert.pem\fR"
 .IQ "\fB\-\-ca\-cert=\fIcacert.pem\fR"
 Specifies a PEM file containing the CA certificate that \fB\*(PN\fR
-should use to verify certificates presented to it by SSL peers.  (This
-may be the same certificate that SSL peers use to verify the
+should use to verify certificates presented to it by SSL/TLS peers.
+(This may be the same certificate that SSL/TLS peers use to verify the
 certificate specified on \fB\-c\fR or \fB\-\-certificate\fR, or it may
 be a different one, depending on the PKI design in use.)
 .
 .IP "\fB\-C none\fR"
 .IQ "\fB\-\-ca\-cert=none\fR"
-Disables verification of certificates presented by SSL peers.  This
+Disables verification of certificates presented by SSL/TLS peers.  This
 introduces a security risk, because it means that certificates cannot
 be verified to be those of known trusted hosts.
diff --git a/lib/ssl.xml b/lib/ssl.xml
index c3a1aca58..bd2502898 100644
--- a/lib/ssl.xml
+++ b/lib/ssl.xml
@@ -4,7 +4,7 @@
   <dt><code>--private-key=</code><var>privkey.pem</var></dt>
   <dd>
     Specifies a PEM file containing the private key used as
-    identity for outgoing SSL connections.
+    identity for outgoing SSL/TLS connections.
   </dd>
 
   <dt><code>-c</code> <var>cert.pem</var></dt>
@@ -13,15 +13,15 @@
     Specifies a PEM file containing a certificate that certifies the
     private key specified on <code>-p</code> or <code>--private-key</code> to 
be
     trustworthy.  The certificate must be signed by the certificate
-    authority (CA) that the peer in SSL connections will use to verify it.
+    authority (CA) that the peer in SSL/TLS connections will use to verify it.
   </dd>
 
   <dt><code>-C</code> <var>cacert.pem</var></dt>
   <dt><code>--ca-cert=</code><var>cacert.pem</var></dt>
   <dd>
     Specifies a PEM file containing the CA certificate for
-    verifying certificates presented to this program by SSL peers.  (This
-    may be the same certificate that SSL peers use to verify the
+    verifying certificates presented to this program by SSL/TLS peers.  (This
+    may be the same certificate that SSL/TLS peers use to verify the
     certificate specified on <code>-c</code> or <code>--certificate</code>, or 
it may
     be a different one, depending on the PKI design in use.)
   </dd>
@@ -29,7 +29,7 @@
   <dt><code>-C none</code></dt>
   <dt><code>--ca-cert=none</code></dt>
   <dd>
-    Disables verification of certificates presented by SSL peers.  This
+    Disables verification of certificates presented by SSL/TLS peers.  This
     introduces a security risk, because it means that certificates cannot
     be verified to be those of known trusted hosts.
   </dd>
diff --git a/lib/stream-nossl.c b/lib/stream-nossl.c
index 6ea622b7c..71ef2361f 100644
--- a/lib/stream-nossl.c
+++ b/lib/stream-nossl.c
@@ -31,8 +31,9 @@ stream_ssl_is_configured(void)
 OVS_NO_RETURN static void
 nossl_option(const char *detail)
 {
-    VLOG_FATAL("%s specified but Open vSwitch was built without SSL support",
-               detail);
+    VLOG_FATAL(
+        "%s specified but Open vSwitch was built without SSL/TLS support",
+        detail);
 }
 
 void
@@ -78,13 +79,13 @@ stream_ssl_set_key_and_cert(const char *private_key_file,
 void
 stream_ssl_set_protocols(const char *arg OVS_UNUSED)
 {
-    /* Ignore this option since it seems harmless to set SSL protocols if SSL
-     * won't be used. */
+    /* Ignore this option since it seems harmless to set SSL/TLS protocols if
+     * SSL/TLS won't be used. */
 }
 
 void
 stream_ssl_set_ciphers(const char *arg OVS_UNUSED)
 {
-    /* Ignore this option since it seems harmless to set SSL ciphers if SSL
-     * won't be used. */
+    /* Ignore this option since it seems harmless to set SSL/TLS ciphers if
+     * SSL/TLS won't be used. */
 }
diff --git a/lib/stream-ssl.c b/lib/stream-ssl.c
index 36e0187f1..8928e83e0 100644
--- a/lib/stream-ssl.c
+++ b/lib/stream-ssl.c
@@ -64,7 +64,7 @@
 
 VLOG_DEFINE_THIS_MODULE(stream_ssl);
 
-/* Active SSL. */
+/* Active SSL/TLS. */
 
 enum ssl_state {
     STATE_TCP_CONNECTING,
@@ -567,7 +567,8 @@ ssl_connect(struct stream *stream)
              * certificate, but that's more trouble than it's worth.  These
              * connections will succeed the next time they retry, assuming that
              * they have a certificate against the correct CA.) */
-            VLOG_INFO("rejecting SSL connection during bootstrap race window");
+            VLOG_INFO(
+                "rejecting SSL/TLS connection during bootstrap race window");
             return EPROTO;
         } else {
 #if OPENSSL_SUPPORTS_SNI
@@ -671,7 +672,7 @@ interpret_ssl_error(const char *function, int ret, int 
error,
                              function, ovs_strerror(status));
                 return status;
             } else {
-                VLOG_WARN_RL(&rl, "%s: unexpected SSL connection close",
+                VLOG_WARN_RL(&rl, "%s: unexpected SSL/TLS connection close",
                              function);
                 return EPROTO;
             }
@@ -873,7 +874,7 @@ const struct stream_class ssl_stream_class = {
     ssl_wait,                   /* wait */
 };
 
-/* Passive SSL. */
+/* Passive SSL/TLS. */
 
 struct pssl_pstream
 {
@@ -1056,8 +1057,8 @@ do_ssl_init(void)
 
     /* OpenSSL has a bunch of "connection methods": SSLv2_method(),
      * SSLv3_method(), TLSv1_method(), SSLv23_method(), ...  Most of these
-     * support exactly one version of SSL, e.g. TLSv1_method() supports TLSv1
-     * only, not any earlier *or later* version.  The only exception is
+     * support exactly one version of SSL/TLS, e.g. TLSv1_method() supports
+     * TLSv1 only, not any earlier *or later* version.  The only exception is
      * SSLv23_method(), which in fact supports *any* version of SSL and TLS.
      * We don't want SSLv2 or SSLv3 support, so we turn it off below with
      * SSL_CTX_set_options().
@@ -1132,7 +1133,7 @@ tmp_dh_callback(SSL *ssl OVS_UNUSED, int is_export 
OVS_UNUSED, int keylength)
 }
 #endif
 
-/* Returns true if SSL is at least partially configured. */
+/* Returns true if SSL/TLS is at least partially configured. */
 bool
 stream_ssl_is_configured(void)
 {
@@ -1243,7 +1244,7 @@ stream_ssl_set_key_and_cert(const char *private_key_file,
     }
 }
 
-/* Sets SSL ciphers based on string input. Aborts with an error message
+/* Sets SSL/TLS ciphers based on string input. Aborts with an error message
  * if 'arg' is invalid. */
 void
 stream_ssl_set_ciphers(const char *arg)
@@ -1258,8 +1259,8 @@ stream_ssl_set_ciphers(const char *arg)
     ssl_ciphers = xstrdup(arg);
 }
 
-/* Set SSL protocols based on the string input. Aborts with an error message
- * if 'arg' is invalid. */
+/* Set SSL/TLS protocols based on the string input. Aborts with an error
+ * message if 'arg' is invalid. */
 void
 stream_ssl_set_protocols(const char *arg)
 {
@@ -1289,7 +1290,7 @@ stream_ssl_set_protocols(const char *arg)
     char *save_ptr = NULL;
     char *word = strtok_r(s, " ,\t", &save_ptr);
     if (word == NULL) {
-        VLOG_ERR("SSL protocol settings invalid");
+        VLOG_ERR("SSL/TLS protocol settings invalid");
         goto exit;
     }
     while (word != NULL) {
@@ -1306,7 +1307,7 @@ stream_ssl_set_protocols(const char *arg)
         }
 
         if (!no_flag) {
-            VLOG_ERR("%s: SSL protocol not recognized", word);
+            VLOG_ERR("%s: SSL/TLS protocol not recognized", word);
             goto exit;
         }
 
@@ -1484,17 +1485,18 @@ stream_ssl_set_ca_cert_file__(const char *file_name,
 }
 
 /* Sets 'file_name' as the name of the file from which to read the CA
- * certificate used to verify the peer within SSL connections.  If 'bootstrap'
- * is false, the file must exist.  If 'bootstrap' is false, then the file is
- * read if it is exists; if it does not, then it will be created from the CA
- * certificate received from the peer on the first SSL connection. */
+ * certificate used to verify the peer within SSL/TLS connections.  If
+ * 'bootstrap' is false, the file must exist.  If 'bootstrap' is false, then
+ * the file is read if it is exists; if it does not, then it will be created
+ * from the CA certificate received from the peer on the first SSL/TLS
+ * connection. */
 void
 stream_ssl_set_ca_cert_file(const char *file_name, bool bootstrap)
 {
     stream_ssl_set_ca_cert_file__(file_name, bootstrap, false);
 }
 
-/* SSL protocol logging. */
+/* SSL/TLS protocol logging. */
 
 static const char *
 ssl_alert_level_to_string(uint8_t type)
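Review bot: the comment above stream_ssl_set_ca_cert_file() is rewrapped but still says "If 'bootstrap' is false" twice, first for "the file must exist" and then for the read-or-create behaviour. The second case describes bootstrapping, so it should read "If 'bootstrap' is true", and "if it is exists" should be "if it exists". This comment documents when a CA certificate is accepted from the peer on first connection, so it is worth correcting in the same change rather than carrying the contradiction into the new lines.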
diff --git a/lib/stream.c b/lib/stream.c
index 6f5821689..baf01a801 100644
--- a/lib/stream.c
+++ b/lib/stream.c
@@ -131,7 +131,7 @@ stream_usage(const char *name, bool active, bool passive,
                "PORT at remote HOST\n");
 #ifdef HAVE_OPENSSL
         printf("  ssl:HOST:PORT           "
-               "SSL PORT at remote HOST\n");
+               "SSL/TLS PORT at remote HOST\n");
 #endif
         printf("  unix:FILE               "
                "Unix domain socket named FILE\n");
@@ -143,14 +143,14 @@ stream_usage(const char *name, bool active, bool passive,
                "listen to TCP PORT on IP\n");
 #ifdef HAVE_OPENSSL
         printf("  pssl:PORT[:IP]          "
-               "listen for SSL on PORT on IP\n");
+               "listen for SSL/TLS on PORT on IP\n");
 #endif
         printf("  punix:FILE              "
                "listen on Unix domain socket FILE\n");
     }
 
 #ifdef HAVE_OPENSSL
-    printf("PKI configuration (required to use SSL):\n"
+    printf("PKI configuration (required to use SSL/TLS):\n"
            "  -p, --private-key=FILE  file with private key\n"
            "  -c, --certificate=FILE  file with certificate for private key\n"
            "  -C, --ca-cert=FILE      file with peer CA certificate\n");
@@ -158,9 +158,9 @@ stream_usage(const char *name, bool active, bool passive,
         printf("  --bootstrap-ca-cert=FILE  file with peer CA certificate "
                "to read or create\n");
     }
-    printf("SSL options:\n"
-           "  --ssl-protocols=PROTOS  list of SSL protocols to enable\n"
-           "  --ssl-ciphers=CIPHERS   list of SSL ciphers to enable\n");
+    printf("SSL/TLS options:\n"
+           "  --ssl-protocols=PROTOS  list of SSL/TLS protocols to enable\n"
+           "  --ssl-ciphers=CIPHERS   list of SSL/TLS ciphers to enable\n");
 #endif
 }
 
@@ -827,7 +827,7 @@ stream_content_type_to_string(enum stream_content_type type)
         return "OpenFlow";
 
     case STREAM_SSL:
-        return "SSL";
+        return "SSL/TLS";
     }
 }
 
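Review bot: In stream_content_type_to_string(), the STREAM_SSL case now returns "SSL/TLS", which changes a returned value rather than documentation or a fixed message, while the commit message says no actual code is being changed. The test filters updated later in this patch to "/unexpected SSL\/TLS connection close/d" suggest this string ends up in log output, so any log-matching rule outside the tree that looks for the old text would stop matching. Suggest calling this out in the commit message, and in NEWS if user-visible log text is tracked there.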
diff --git a/lib/vconn.c b/lib/vconn.c
index 4b1c262ea..040955d67 100644
--- a/lib/vconn.c
+++ b/lib/vconn.c
@@ -143,7 +143,7 @@ vconn_usage(bool active, bool passive, bool bootstrap 
OVS_UNUSED)
                "PORT (default: %d) at remote HOST\n", OFP_PORT);
 #ifdef HAVE_OPENSSL
         printf("  ssl:HOST[:PORT]         "
-               "SSL PORT (default: %d) at remote HOST\n", OFP_PORT);
+               "SSL/TLS PORT (default: %d) at remote HOST\n", OFP_PORT);
 #endif
         printf("  unix:FILE               Unix domain socket named FILE\n");
     }
@@ -155,7 +155,7 @@ vconn_usage(bool active, bool passive, bool bootstrap 
OVS_UNUSED)
                OFP_PORT);
 #ifdef HAVE_OPENSSL
         printf("  pssl:[PORT][:IP]        "
-               "listen for SSL on PORT (default: %d) on IP\n",
+               "listen for SSL/TLS on PORT (default: %d) on IP\n",
                OFP_PORT);
 #endif
         printf("  punix:FILE              "
@@ -163,7 +163,7 @@ vconn_usage(bool active, bool passive, bool bootstrap 
OVS_UNUSED)
     }
 
 #ifdef HAVE_OPENSSL
-    printf("PKI configuration (required to use SSL):\n"
+    printf("PKI configuration (required to use SSL/TLS):\n"
            "  -p, --private-key=FILE  file with private key\n"
            "  -c, --certificate=FILE  file with certificate for private key\n"
            "  -C, --ca-cert=FILE      file with peer CA certificate\n");
diff --git a/m4/openvswitch.m4 b/m4/openvswitch.m4
index 47aa9da16..a6b5c783b 100644
--- a/m4/openvswitch.m4
+++ b/m4/openvswitch.m4
@@ -280,10 +280,10 @@ AC_DEFUN([OVS_CHECK_OPENSSL],
 
 $SSL_PKG_ERRORS
 
-OpenFlow connections over SSL will not be supported.
+OpenFlow connections over SSL/TLS will not be supported.
 (You may use --disable-ssl to suppress this warning.)])
           else
-            AC_MSG_ERROR([Cannot find openssl (use --disable-ssl to configure 
without SSL support)])
+            AC_MSG_ERROR([Cannot find openssl (use --disable-ssl to configure 
without SSL/TLS support)])
           fi])
    else
        HAVE_OPENSSL=no
diff --git a/ovsdb/local-config.xml b/ovsdb/local-config.xml
index b502aea4c..52566505e 100644
--- a/ovsdb/local-config.xml
+++ b/ovsdb/local-config.xml
@@ -51,18 +51,18 @@
           </dt>
           <dd>
             <p>
-              The specified SSL <var>port</var> on the host at the given
+              The specified SSL/TLS <var>port</var> on the host at the given
               <var>host</var>, which can either be a DNS name (if built with
-              unbound library) or an IP address. A valid SSL configuration must
-              be provided when this form is used, this configuration can be
-              specified via command-line options or the <ref table="SSL"/>
+              unbound library) or an IP address. A valid SSL/TLS configuration
+              must be provided when this form is used, this configuration can
+              be specified via command-line options or the <ref table="SSL"/>
               table.
             </p>
             <p>
               If <var>port</var> is not specified, it defaults to 6640.
             </p>
             <p>
-              SSL support is an optional feature that is not always
+              SSL/TLS support is an optional feature that is not always
               built as part of Open vSwitch.
             </p>
           </dd>
@@ -87,7 +87,8 @@
           </dt>
           <dd>
             <p>
-              Listens for SSL connections on the specified TCP <var>port</var>.
+              Listens for SSL/TLS connections on the specified TCP
+              <var>port</var>.
               Specify 0 for <var>port</var> to have the kernel automatically
               choose an available port.  If <var>host</var>, which can either
               be a DNS name (if built with unbound library) or an IP address,
@@ -96,7 +97,7 @@
               <var>host</var> is an IPv6 address, wrap in square brackets,
               e.g. <code>pssl:6640:[::1]</code>.  If <var>host</var> is not
               specified then it listens only on IPv4 (but not IPv6) addresses.
-              A valid SSL configuration must be provided when this form is
+              A valid SSL/TLS configuration must be provided when this form is
               used, this can be specified either via command-line options or
               the <ref table="SSL"/> table.
             </p>
@@ -104,8 +105,8 @@
               If <var>port</var> is not specified, it defaults to 6640.
             </p>
             <p>
-              SSL support is an optional feature that is not always built as
-              part of Open vSwitch.
+              SSL/TLS support is an optional feature that is not always built
+              as part of Open vSwitch.
             </p>
           </dd>
           <dt>
diff --git a/ovsdb/ovsdb-client.1.in b/ovsdb/ovsdb-client.1.in
index 91e0b3e25..c15804597 100644
--- a/ovsdb/ovsdb-client.1.in
+++ b/ovsdb/ovsdb-client.1.in
@@ -368,7 +368,7 @@ effect.
 .SS "Public Key Infrastructure Options"
 .so lib/ssl.man
 .so lib/ssl-bootstrap.man
-.SS "SSL Connection Options"
+.SS "SSL/TLS Connection Options"
 .so lib/ssl-connect.man
 .SS "Other Options"
 .so lib/ovs-replay.man
diff --git a/ovsdb/ovsdb-server.c b/ovsdb/ovsdb-server.c
index a876f8bcf..13c7543cc 100644
--- a/ovsdb/ovsdb-server.c
+++ b/ovsdb/ovsdb-server.c
@@ -67,7 +67,7 @@
 
 VLOG_DEFINE_THIS_MODULE(ovsdb_server);
 
-/* SSL configuration. */
+/* SSL/TLS configuration. */
 static char *private_key_file;
 static char *certificate_file;
 static char *ca_cert_file;
@@ -692,7 +692,7 @@ reconfigure_ovsdb_server(struct server_config 
*server_config)
     } else {
         error = reconfigure_ssl(server_config->all_dbs);
         if (error) {
-            VLOG_WARN("failed to configure SSL: %s", error);
+            VLOG_WARN("failed to configure SSL/TLS: %s", error);
             res = false;
         }
     }
diff --git a/python/ovs/reconnect.py b/python/ovs/reconnect.py
index 6b0d023ae..6b8e49afd 100644
--- a/python/ovs/reconnect.py
+++ b/python/ovs/reconnect.py
@@ -537,7 +537,7 @@ class Reconnect(object):
               connections that quickly abort, so it is OK to call
               self.connected() after a low-level successful connection
               (e.g. connect()) even if the connection might soon abort due to a
-              failure at a high-level (e.g. SSL negotiation failure).
+              failure at a high-level (e.g. SSL/TLS negotiation failure).
 
             - Passive client, ovs.reconnect.CONNECT: The client should try to
               listen for a connection, if it is not already listening.  It
diff --git a/python/ovs/stream.py b/python/ovs/stream.py
index 4fa91beea..5578b7a6b 100644
--- a/python/ovs/stream.py
+++ b/python/ovs/stream.py
@@ -728,7 +728,7 @@ def usage(name):
 Active %s connection methods:
   unix:FILE               Unix domain socket named FILE
   tcp:HOST:PORT           TCP socket to HOST with port no of PORT
-  ssl:HOST:PORT           SSL socket to HOST with port no of PORT
+  ssl:HOST:PORT           SSL/TLS socket to HOST with port no of PORT
 
 Passive %s connection methods:
   punix:FILE              Listen on Unix domain socket FILE""" % (name, name)
@@ -797,7 +797,7 @@ class SSLStream(Stream):
         ctx.options |= ssl.OP_NO_SSLv3
         ctx.options |= ssl.OP_NO_TLSv1
         ctx.options |= ssl.OP_NO_TLSv1_1
-        # If the client has not set the SSL configuration files
+        # If the client has not set the SSL/TLS configuration files
         # exception would be raised.
         ctx.load_verify_locations(Stream._SSL_ca_cert_file)
         ctx.load_cert_chain(Stream._SSL_certificate_file,
@@ -821,7 +821,7 @@ class SSLStream(Stream):
         if retval:
             return retval
 
-        # TCP Connection is successful. Now do the SSL handshake
+        # TCP Connection is successful. Now do the SSL/TLS handshake.
         try:
             self.socket.do_handshake()
         except ssl.SSLWantReadError:
@@ -864,5 +864,5 @@ class SSLStream(Stream):
 
 
 if ssl:
-    # Register SSL only if the OpenSSL module is available
+    # Register SSL/TLS only if the OpenSSL module is available.
     Stream.register_method("ssl", SSLStream)
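Review bot: The reworded comment above Stream.register_method() still refers to "the OpenSSL module", but the guard is "if ssl:", which tests the Python ssl module. Suggest "Register SSL/TLS only if the ssl module is available." while the line is being touched.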
diff --git a/tests/ofproto-macros.at b/tests/ofproto-macros.at
index c27d96177..779a054e8 100644
--- a/tests/ofproto-macros.at
+++ b/tests/ofproto-macros.at
@@ -46,7 +46,7 @@ s/unix#[0-9]*:/unix:/
 
 # PARSE_LISTENING_PORT LOGFILE VARIABLE
 #
-# Parses the TCP or SSL port on which a server is listening from
+# Parses the TCP or SSL/TLS port on which a server is listening from
 # LOGFILE, given that the server was told to listen on a kernel-chosen
 # port, and assigns the port number to shell VARIABLE.  You should
 # specify the listening remote as ptcp:0:127.0.0.1 or
diff --git a/tests/ovsdb-idl.at b/tests/ovsdb-idl.at
index 72e5bff16..f9f79f194 100644
--- a/tests/ovsdb-idl.at
+++ b/tests/ovsdb-idl.at
@@ -256,14 +256,14 @@ m4_define([OVSDB_CHECK_IDL_TCP6_MULTIPLE_REMOTES_PY],
    OVSDB_SERVER_SHUTDOWN
    AT_CLEANUP])
 
-# same as OVSDB_CHECK_IDL but uses the Python IDL implementation with SSL
+# same as OVSDB_CHECK_IDL but uses the Python IDL implementation with SSL/TLS
 m4_define([OVSDB_CHECK_IDL_SSL_PY],
-  [AT_SETUP([ovsdb-idl - $1 - Python3 - SSL])
+  [AT_SETUP([ovsdb-idl - $1 - Python3 - SSL/TLS])
    AT_SKIP_IF([test "$HAVE_OPENSSL" = no])
    $PYTHON3 -c "import ssl"
    SSL_PRESENT=$?
    AT_SKIP_IF([test $SSL_PRESENT != 0])
-   AT_KEYWORDS([ovsdb server idl positive Python with ssl socket $5])
+   AT_KEYWORDS([ovsdb server idl positive Python with ssl tls socket $5])
    AT_CHECK([ovsdb-tool create db $abs_srcdir/idltest.ovsschema],
              [0], [stdout], [ignore])
    PKIDIR=$abs_top_builddir/tests
@@ -288,7 +288,7 @@ m4_define([OVSDB_CHECK_IDL_SSL_PY],
    AT_CHECK([sort stdout | uuidfilt]m4_if([$6],,, [[| $6]]),
             [0], [$4])
    OVSDB_SERVER_SHUTDOWN(["
-     /unexpected SSL connection close/d
+     /unexpected SSL\/TLS connection close/d
      /Protocol error/d
    "])
    AT_CLEANUP])
@@ -2473,7 +2473,7 @@ m4_define([CHECK_STREAM_OPEN_BLOCK],
    AT_CHECK([$2 PROTOCOL:$4:$WRONG_PORT $SSL_KEY_ARGS], [1], [ignore],
             [ignore])
    OVSDB_SERVER_SHUTDOWN(["
-     /unexpected SSL connection close/d
+     /unexpected SSL\/TLS connection close/d
      /Protocol error/d
    "])
    AT_CHECK([$2 PROTOCOL:$4:$TCP_PORT $SSL_KEY_ARGS], [1], [ignore], [ignore])
diff --git a/tests/ovsdb-server.at b/tests/ovsdb-server.at
index 36caf9202..320a8c6a9 100644
--- a/tests/ovsdb-server.at
+++ b/tests/ovsdb-server.at
@@ -824,8 +824,8 @@ OVSDB_SERVER_SHUTDOWN(["
 "])
 AT_CLEANUP
 
-AT_SETUP([SSL db: implementation])
-AT_KEYWORDS([ovsdb server positive ssl $5])
+AT_SETUP([SSL/TLS db: implementation])
+AT_KEYWORDS([ovsdb server positive ssl tls $5])
 AT_SKIP_IF([test "$HAVE_OPENSSL" = no])
 # For this test, we pass PKIDIR through a ovsdb-tool transact and
 # msys on Windows does not convert the path style automatically.
@@ -1604,7 +1604,7 @@ AT_CHECK([test $(get_memory_value atoms) -eq 
$db_atoms_before_conversion])
 OVSDB_SERVER_SHUTDOWN
 AT_CLEANUP
 
-AT_BANNER([OVSDB -- ovsdb-server transactions (SSL IPv4 sockets)])
+AT_BANNER([OVSDB -- ovsdb-server transactions (SSL/TLS IPv4 sockets)])
 
 # OVSDB_CHECK_EXECUTION(TITLE, SCHEMA, TRANSACTIONS, OUTPUT, [KEYWORDS])
 #
@@ -1622,7 +1622,7 @@ AT_BANNER([OVSDB -- ovsdb-server transactions (SSL IPv4 
sockets)])
 # TITLE is provided to AT_SETUP and KEYWORDS to AT_KEYWORDS.
 m4_define([OVSDB_CHECK_EXECUTION], 
   [AT_SETUP([$1])
-   AT_KEYWORDS([ovsdb server positive ssl $5])
+   AT_KEYWORDS([ovsdb server positive ssl tls $5])
    AT_SKIP_IF([test "$HAVE_OPENSSL" = no])
    $2 > schema
    PKIDIR=$abs_top_builddir/tests
@@ -1640,7 +1640,7 @@ cat stdout >> output
 
 EXECUTION_EXAMPLES
 
-AT_BANNER([OVSDB -- ovsdb-server transactions (SSL IPv6 sockets)])
+AT_BANNER([OVSDB -- ovsdb-server transactions (SSL/TLS IPv6 sockets)])
 
 # OVSDB_CHECK_EXECUTION(TITLE, SCHEMA, TRANSACTIONS, OUTPUT, [KEYWORDS])
 #
@@ -1658,7 +1658,7 @@ AT_BANNER([OVSDB -- ovsdb-server transactions (SSL IPv6 
sockets)])
 # TITLE is provided to AT_SETUP and KEYWORDS to AT_KEYWORDS.
 m4_define([OVSDB_CHECK_EXECUTION],
   [AT_SETUP([$1])
-   AT_KEYWORDS([ovsdb server positive ssl6 $5])
+   AT_KEYWORDS([ovsdb server positive ssl6 ssl tls $5])
    AT_SKIP_IF([test "$HAVE_OPENSSL" = no])
    AT_SKIP_IF([test $HAVE_IPV6 = no])
    $2 > schema
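Review bot: In this second OVSDB_CHECK_EXECUTION definition the keyword list goes from "ssl6" to "ssl6 ssl tls", so it gains "ssl" as well as "tls", unlike the other AT_KEYWORDS changes in this file, which only add "tls". Was it intended that selecting tests by the ssl keyword now also picks up the IPv6 cases? If so, a line in the commit message would help; if not, "ssl6 tls" keeps the previous selection for ssl.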
diff --git a/tests/test-ovsdb.py b/tests/test-ovsdb.py
index 60752ef4a..57fc1d449 100644
--- a/tests/test-ovsdb.py
+++ b/tests/test-ovsdb.py
@@ -745,7 +745,7 @@ def do_idl(schema_file, remote, *commands):
 
     if remote.startswith("ssl:"):
         if len(commands) < 3:
-            sys.stderr.write("SSL connection requires private key, "
+            sys.stderr.write("SSL/TLS connection requires private key, "
                              "certificate for private key, and peer CA "
                              "certificate as arguments\n")
             sys.exit(1)
@@ -970,7 +970,7 @@ def do_idl_cluster(schema_file, remote, pid, *commands):
 
     if remote.startswith("ssl:"):
         if len(commands) < 3:
-            sys.stderr.write("SSL connection requires private key, "
+            sys.stderr.write("SSL/TLS connection requires private key, "
                              "certificate for private key, and peer CA "
                              "certificate as arguments\n")
             sys.exit(1)
diff --git a/utilities/ovs-ofctl.8.in b/utilities/ovs-ofctl.8.in
index d0f99f2bb..dc26d7835 100644
--- a/utilities/ovs-ofctl.8.in
+++ b/utilities/ovs-ofctl.8.in
@@ -722,8 +722,8 @@ Non-OpenFlow packets are ignored.  By default, data on TCP 
ports 6633
 and 6653 are considered to be OpenFlow.  Specify one or more
 \fIport\fR arguments to override the default.
 .IP
-This command cannot usefully print SSL encrypted traffic.  It does not
-understand IPv6.
+This command cannot usefully print SSL/TLS encrypted traffic.  It does
+not understand IPv6.
 .
 .SS "Flow Syntax"
 .PP
diff --git a/utilities/ovs-vsctl.8.in b/utilities/ovs-vsctl.8.in
index 5ce949df4..575b7c0bf 100644
--- a/utilities/ovs-vsctl.8.in
+++ b/utilities/ovs-vsctl.8.in
@@ -155,7 +155,7 @@ Prints a brief overview of the database contents.
 .
 .IP "\fBemer\-reset\fR"
 Reset the configuration into a clean state.  It deconfigures OpenFlow
-controllers, OVSDB servers, and SSL, and deletes port mirroring,
+controllers, OVSDB servers, and SSL/TLS, and deletes port mirroring,
 \fBfail_mode\fR, NetFlow, sFlow, and IPFIX configuration.  This
 command also removes all \fBother\-config\fR keys from all database
 records, except that \fBother\-config:hwaddr\fR is preserved if it is
@@ -479,13 +479,13 @@ Sets the configured manager target or targets.
 Each \fItarget\fR may be an OVSDB active or passive connection method,
 e.g. \fBpssl:6640\fR, as described in \fBovsdb\fR(7).
 .
-.SS "SSL Configuration"
-When \fBovs\-vswitchd\fR is configured to connect over SSL for management or
-controller connectivity, the following parameters are required:
+.SS "SSL/TLS Configuration"
+When \fBovs\-vswitchd\fR is configured to connect over SSL/TLS for management
+or controller connectivity, the following parameters are required:
 .TP
 \fIprivate-key\fR
 Specifies a PEM file containing the private key used as the virtual
-switch's identity for SSL connections to the controller.
+switch's identity for SSL/TLS connections to the controller.
 .TP
 \fIcertificate\fR
 Specifies a PEM file containing a certificate, signed by the
@@ -500,37 +500,37 @@ the virtual switch is connected to a trustworthy 
controller.
 These files are read only once, at \fBovs\-vswitchd\fR startup time.  If
 their contents change, \fBovs\-vswitchd\fR must be killed and restarted.
 .PP
-These SSL settings apply to all SSL connections made by the virtual
+These SSL/TLS settings apply to all SSL/TLS connections made by the virtual
 switch.
 .
 .IP "\fBget\-ssl\fR"
-Prints the SSL configuration.
+Prints the SSL/TLS configuration.
 .
 .IP "\fBdel\-ssl\fR"
-Deletes the current SSL configuration.
+Deletes the current SSL/TLS configuration.
 .
 .IP "[\fB\-\-bootstrap\fR] \fBset\-ssl\fR \fIprivate-key\fR \fIcertificate\fR 
\fIca-cert\fR"
-Sets the SSL configuration.  The \fB\-\-bootstrap\fR option is described
+Sets the SSL/TLS configuration.  The \fB\-\-bootstrap\fR option is described
 below.
 .
 .ST "CA Certificate Bootstrap"
 .PP
-Ordinarily, all of the files named in the SSL configuration must exist
+Ordinarily, all of the files named in the SSL/TLS configuration must exist
 when \fBovs\-vswitchd\fR starts.  However, if the \fIca-cert\fR file
 does not exist and the \fB\-\-bootstrap\fR
 option is given, then \fBovs\-vswitchd\fR will attempt to obtain the
-CA certificate from the controller on its first SSL connection and
+CA certificate from the controller on its first SSL/TLS connection and
 save it to the named PEM file.  If it is successful, it will
 immediately drop the connection and reconnect, and from then on all
-SSL connections must be authenticated by a certificate signed by the
+SSL/TLS connections must be authenticated by a certificate signed by the
 CA certificate thus obtained.
 .PP
-\fBThis option exposes the SSL connection to a man-in-the-middle
+\fBThis option exposes the SSL/TLS connection to a man-in-the-middle
 attack obtaining the initial CA certificate\fR, but it may be useful
 for bootstrapping.
 .PP
 This option is only useful if the controller sends its CA certificate
-as part of the SSL certificate chain.  The SSL protocol does not
+as part of the SSL/TLS certificate chain.  SSL/TLS protocols do not
 require the controller to send the CA certificate.
 .
 .SS "Auto-Attach Commands"
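Review bot: A documentation point on the unchanged context at the top of this hunk: it says the key and certificate files "are read only once, at ovs-vswitchd startup time" and that the daemon must be killed and restarted if they change, while the bridge.c comment touched later in this patch says SSL/TLS is re-configured on every trip through the main loop because the file contents can change without the database changing. One of the two is stale, which matters to anyone planning certificate rotation. Not something this patch has to fix, but worth a follow-up.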
diff --git a/utilities/ovs-vsctl.c b/utilities/ovs-vsctl.c
index edef0f18e..dd494622f 100644
--- a/utilities/ovs-vsctl.c
+++ b/utilities/ovs-vsctl.c
@@ -429,10 +429,10 @@ Manager commands:\n\
   [--inactivity-probe=MSECS]\n\
   set-manager TARGET...      set the list of managers to TARGET...\n\
 \n\
-SSL commands:\n\
-  get-ssl                     print the SSL configuration\n\
-  del-ssl                     delete the SSL configuration\n\
-  set-ssl PRIV-KEY CERT CA-CERT  set the SSL configuration\n\
+SSL/TLS commands:\n\
+  get-ssl                     print the SSL/TLS configuration\n\
+  del-ssl                     delete the SSL/TLS configuration\n\
+  set-ssl PRIV-KEY CERT CA-CERT  set the SSL/TLS configuration\n\
 \n\
 Auto Attach commands:\n\
   add-aa-mapping BRIDGE I-SID VLAN   add Auto Attach mapping to BRIDGE\n\
@@ -3254,7 +3254,7 @@ static const struct ctl_command_syntax vsctl_commands[] = 
{
     {"set-manager", 1, INT_MAX, "TARGET...", pre_manager, cmd_set_manager,
      NULL, "--inactivity-probe=", RW},
 
-    /* SSL commands. */
+    /* SSL/TLS commands. */
     {"get-ssl", 0, 0, "", pre_cmd_get_ssl, cmd_get_ssl, NULL, "", RO},
     {"del-ssl", 0, 0, "", pre_cmd_del_ssl, cmd_del_ssl, NULL, "", RW},
     {"set-ssl", 3, 3, "PRIVATE-KEY CERTIFICATE CA-CERT", pre_cmd_set_ssl,
diff --git a/vswitchd/bridge.c b/vswitchd/bridge.c
index 6bb687f4b..310c623bb 100644
--- a/vswitchd/bridge.c
+++ b/vswitchd/bridge.c
@@ -3417,12 +3417,13 @@ bridge_run(void)
 
     bridge_run__();
 
-    /* Re-configure SSL.  We do this on every trip through the main loop,
+    /* Re-configure SSL/TLS.  We do this on every trip through the main loop,
      * instead of just when the database changes, because the contents of the
      * key and certificate files can change without the database changing.
      *
      * We do this before bridge_reconfigure() because that function might
-     * initiate SSL connections and thus requires SSL to be configured. */
+     * initiate SSL/TLS connections and thus requires SSL/TLS to be configured.
+     */
     if (cfg && cfg->ssl) {
         const struct ovsrec_ssl *ssl = cfg->ssl;
 
diff --git a/vswitchd/vswitch.xml b/vswitchd/vswitch.xml
index 762558459..531af4320 100644
--- a/vswitchd/vswitch.xml
+++ b/vswitchd/vswitch.xml
@@ -64,7 +64,7 @@
       </column>
 
       <column name="ssl">
-        SSL used globally by the daemon.
+        SSL/TLS used globally by the daemon.
       </column>
 
       <column name="external_ids" key="system-id">
@@ -5467,14 +5467,14 @@ ovs-vsctl add-port br0 p0 -- set Interface p0 
type=patch options:peer=p1 \
         <dl>
           
<dt><code>ssl:<var>host</var></code>[<code>:<var>port</var></code>]</dt>
           <dd>
-            <p>The specified SSL <var>port</var> on the host at the
+            <p>The specified SSL/TLS <var>port</var> on the host at the
             given <var>host</var>, which can either be a DNS name (if built
             with unbound library) or an IP address.  The <ref 
table="Open_vSwitch"
             column="ssl"/> column in the <ref table="Open_vSwitch"/> table must
-            point to a valid SSL configuration when this form is used.</p>
+            point to a valid SSL/TLS configuration when this form is used.</p>
             <p>If <var>port</var> is not specified, it defaults to 6653.</p>
-            <p>SSL support is an optional feature that is not always built as
-            part of Open vSwitch.</p>
+            <p>SSL/TLS support is an optional feature that is not always built
+            as part of Open vSwitch.</p>
           </dd>
           
<dt><code>tcp:<var>host</var></code>[<code>:<var>port</var></code>]</dt>
           <dd>
@@ -5497,7 +5497,8 @@ ovs-vsctl add-port br0 p0 -- set Interface p0 type=patch 
options:peer=p1 \
           
<dt><code>pssl:</code>[<var>port</var>][<code>:<var>host</var></code>]</dt>
           <dd>
             <p>
-              Listens for SSL connections on the specified TCP <var>port</var>.
+              Listens for SSL/TLS connections on the specified TCP
+              <var>port</var>.
               If <var>host</var>, which can either be a DNS name (if built with
               unbound library) or an IP address, is specified, then connections
               are restricted to the resolved or specified local IP address
@@ -5510,14 +5511,14 @@ ovs-vsctl add-port br0 p0 -- set Interface p0 
type=patch options:peer=p1 \
               IPv4 (but not IPv6) addresses.  The
               <ref table="Open_vSwitch" column="ssl"/>
               column in the <ref table="Open_vSwitch"/> table must point to a
-              valid SSL configuration when this form is used.
+              valid SSL/TLS configuration when this form is used.
             </p>
             <p>
               If <var>port</var> is not specified, it currently to 6653.
             </p>
             <p>
-              SSL support is an optional feature that is not always built as
-              part of Open vSwitch.
+              SSL/TLS support is an optional feature that is not always built
+              as part of Open vSwitch.
             </p>
           </dd>
           
<dt><code>ptcp:</code>[<var>port</var>][<code>:<var>host</var></code>]</dt>
@@ -5887,18 +5888,18 @@ ovs-vsctl add-port br0 p0 -- set Interface p0 
type=patch options:peer=p1 \
           
<dt><code>ssl:<var>host</var></code>[<code>:<var>port</var></code>]</dt>
           <dd>
             <p>
-              The specified SSL <var>port</var> on the host at the given
+              The specified SSL/TLS <var>port</var> on the host at the given
               <var>host</var>, which can either be a DNS name (if built with
               unbound library) or an IP address.  The <ref table="Open_vSwitch"
               column="ssl"/> column in the <ref table="Open_vSwitch"/>
-              table must point to a valid SSL configuration when this
+              table must point to a valid SSL/TLS configuration when this
               form is used.
             </p>
             <p>
               If <var>port</var> is not specified, it defaults to 6640.
             </p>
             <p>
-              SSL support is an optional feature that is not always
+              SSL/TLS support is an optional feature that is not always
               built as part of Open vSwitch.
             </p>
           </dd>
@@ -5919,7 +5920,8 @@ ovs-vsctl add-port br0 p0 -- set Interface p0 type=patch 
options:peer=p1 \
           
<dt><code>pssl:</code>[<var>port</var>][<code>:<var>host</var></code>]</dt>
           <dd>
             <p>
-              Listens for SSL connections on the specified TCP <var>port</var>.
+              Listens for SSL/TLS connections on the specified TCP
+              <var>port</var>.
               Specify 0 for <var>port</var> to have the kernel automatically
               choose an available port.  If <var>host</var>, which can either
               be a DNS name (if built with unbound library) or an IP address,
@@ -5929,15 +5931,15 @@ ovs-vsctl add-port br0 p0 -- set Interface p0 
type=patch options:peer=p1 \
               e.g. <code>pssl:6640:[::1]</code>.  If <var>host</var> is not
               specified then it listens only on IPv4 (but not IPv6) addresses.
               The <ref table="Open_vSwitch" column="ssl"/> column in the <ref
-              table="Open_vSwitch"/> table must point to a valid SSL
+              table="Open_vSwitch"/> table must point to a valid SSL/TLS
               configuration when this form is used.
             </p>
             <p>
               If <var>port</var> is not specified, it defaults to 6640.
             </p>
             <p>
-              SSL support is an optional feature that is not always built as
-              part of Open vSwitch.
+              SSL/TLS support is an optional feature that is not always built
+              as part of Open vSwitch.
             </p>
           </dd>
           
<dt><code>ptcp:</code>[<var>port</var>][<code>:<var>host</var></code>]</dt>
@@ -6716,11 +6718,11 @@ ovs-vsctl add-port br0 p0 -- set Interface p0 
type=patch options:peer=p1 \
   </table>
 
   <table name="SSL">
-    SSL configuration for an Open_vSwitch.
+    SSL/TLS configuration for an Open_vSwitch.
 
     <column name="private_key">
       Name of a PEM file containing the private key used as the switch's
-      identity for SSL connections to the controller.
+      identity for SSL/TLS connections to the controller.
     </column>
 
     <column name="certificate">
@@ -6737,12 +6739,12 @@ ovs-vsctl add-port br0 p0 -- set Interface p0 
type=patch options:peer=p1 \
 
     <column name="bootstrap_ca_cert">
       If set to <code>true</code>, then Open vSwitch will attempt to
-      obtain the CA certificate from the controller on its first SSL
+      obtain the CA certificate from the controller on its first SSL/TLS
       connection and save it to the named PEM file. If it is successful,
       it will immediately drop the connection and reconnect, and from then
-      on all SSL connections must be authenticated by a certificate signed
+      on all SSL/TLS connections must be authenticated by a certificate signed
       by the CA certificate thus obtained.  <em>This option exposes the
-      SSL connection to a man-in-the-middle attack obtaining the initial
+      SSL/TLS connection to a man-in-the-middle attack obtaining the initial
       CA certificate.</em>  It may still be useful for bootstrapping.
     </column>
 
diff --git a/vtep/vtep.xml b/vtep/vtep.xml
index 927efed5f..903dadf90 100644
--- a/vtep/vtep.xml
+++ b/vtep/vtep.xml
@@ -119,12 +119,12 @@
           
<dt><code>ssl:<var>host</var></code>[<code>:<var>port</var></code>]</dt>
           <dd>
             <p>
-              The specified SSL <var>port</var> (default: 6640) on the given
-              <var>host</var>, which can either be a DNS name (if built with
-              unbound library) or an IP address.
+              The specified SSL/TLS <var>port</var> (default: 6640) on the
+              given <var>host</var>, which can either be a DNS name (if built
+              with unbound library) or an IP address.
             </p>
             <p>
-              SSL key and certificate configuration happens outside the
+              SSL/TLS key and certificate configuration happens outside the
               database.
             </p>
           </dd>
@@ -138,11 +138,11 @@
           
<dt><code>pssl:</code>[<var>port</var>][<code>:<var>host</var></code>]</dt>
           <dd>
             <p>
-              Listens for SSL connections on the specified TCP <var>port</var>
-              (default: 6640).  If <var>host</var>, which can either be a DNS
-              name (if built with unbound library) or an IP address, is
-              specified, then connections are restricted to the resolved or
-              specified local IP address.
+              Listens for SSL/TLS connections on the specified TCP
+              <var>port</var> (default: 6640).  If <var>host</var>, which can
+              either be a DNS name (if built with unbound library) or an IP
+              address, is specified, then connections are restricted to the
+              resolved or specified local IP address.
             </p>
           </dd>
           
<dt><code>ptcp:</code>[<var>port</var>][<code>:<var>host</var></code>]</dt>
-- 
2.47.0
