lib/ssl-bootstrap.man \
lib/ssl-bootstrap-syn.man \
lib/ssl-peer-ca-cert.man \
+ lib/ssl-peer-ca-cert-syn.man \
lib/ssl.man \
lib/ssl-syn.man \
lib/table.man \
reconnect_connect_failed(s->reconnect, time_msec(), error);
stream_close(s->stream);
s->stream = NULL;
+ s->last_error = error;
}
}
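Review bot: `s->last_error = error;` records the failure on the disconnect path, but nothing in this hunk clears it once a later reconnect succeeds, so whatever reads `last_error` could report a stale error from an earlier attempt. Confirm that the path where the stream becomes connected resets it (not visible here), e.g. `s->last_error = 0;` at the point the session is established. The enclosing function starts and ends outside the hunk.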
.br
-[\fB\-\-bootstrap\-ca\-cert=\fIcacert.pem]
+[\fB\-\-bootstrap\-ca\-cert=\fIcacert.pem\fR]
--- /dev/null
+.br
+[\fB\-\-peer\-ca\-cert=\fIpeer-cacert.pem\fR]
lib/service.man \
lib/ssl-bootstrap-syn.man \
lib/ssl-bootstrap.man \
+ lib/ssl-peer-ca-cert-syn.man \
+ lib/ssl-peer-ca-cert.man \
lib/ssl-syn.man \
lib/ssl.man \
lib/unixctl-syn.man \
lib/service.man:
lib/ssl-bootstrap-syn.man:
lib/ssl-bootstrap.man:
+lib/ssl-peer-ca-cert-syn.man:
+lib/ssl-peer-ca-cert.man:
lib/ssl-syn.man:
lib/ssl.man:
lib/unixctl-syn.man:
.so lib/vlog-syn.man
.so lib/ssl-syn.man
.so lib/ssl-bootstrap-syn.man
+.so lib/ssl-peer-ca-cert-syn.man
.so lib/unixctl-syn.man
.so lib/common-syn.man
.
one row in \fItable\fR.)
.so lib/ssl.man
.so lib/ssl-bootstrap.man
+.so lib/ssl-peer-ca-cert.man
.SS "Other Options"
.so lib/unixctl.man
.so lib/common.man
OPT_UNIXCTL,
OPT_RUN,
OPT_BOOTSTRAP_CA_CERT,
+ OPT_PEER_CA_CERT,
VLOG_OPTION_ENUMS,
DAEMON_OPTION_ENUMS
};
DAEMON_LONG_OPTIONS,
VLOG_LONG_OPTIONS,
{"bootstrap-ca-cert", required_argument, NULL, OPT_BOOTSTRAP_CA_CERT},
+ {"peer-ca-cert", required_argument, NULL, OPT_PEER_CA_CERT},
{"private-key", required_argument, NULL, 'p'},
{"certificate", required_argument, NULL, 'c'},
{"ca-cert", required_argument, NULL, 'C'},
bootstrap_ca_cert = true;
break;
+ case OPT_PEER_CA_CERT:
+ stream_ssl_set_peer_ca_cert_file(optarg);
+ break;
+
case '?':
exit(EXIT_FAILURE);
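Review bot: The new `case OPT_PEER_CA_CERT:` hands `optarg` to `stream_ssl_set_peer_ca_cert_file` with no comment on what the file is for, and judging by the accompanying test this option appears to name the certificate that bootstrapping clients end up trusting, which makes it worth a one-line note such as `/* Certificate offered to clients that connect with --bootstrap-ca-cert. */`. It is also worth double-checking that `usage()` lists `--peer-ca-cert`, since that update is not among the visible hunks. The enclosing option-parsing function starts and ends outside the hunk.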
OVS_VSCTL_CLEANUP
AT_CLEANUP
+
+AT_SETUP([peer ca cert])
+AT_KEYWORDS([ovs-vsctl ssl])
+AT_SKIP_IF([test "$HAVE_OPENSSL" = no])
+PKIDIR=`pwd`
+OVS_PKI="sh $abs_top_srcdir/utilities/ovs-pki.in --dir=$PKIDIR/pki --log=$PKIDIR/ovs-pki.log"
+$OVS_PKI -B 1024 init && \
+$OVS_PKI -B 1024 req+sign vsctl switch && \
+$OVS_PKI -B 1024 req ovsdbserver && $OVS_PKI self-sign ovsdbserver
+
+dnl Create database.
+touch .conf.db.~lock~
+AT_CHECK([ovsdb-tool create conf.db $abs_top_srcdir/vswitchd/vswitch.ovsschema])
+AT_CHECK([ovsdb-server --detach --no-chdir --pidfile="`pwd`"/pid --private-key=$PKIDIR/ovsdbserver-privkey.pem --certificate=$PKIDIR/ovsdbserver-cert.pem --ca-cert=$PKIDIR/pki/switchca/cacert.pem --peer-ca-cert=$PKIDIR/ovsdbserver-cert.pem --remote=pssl:0:127.0.0.1 --unixctl="`pwd`"/unixctl --log-file="`pwd`"/ovsdb-server.log conf.db], [0], [ignore], [ignore])
+ON_EXIT_UNQUOTED([kill `cat pid`])
+SSL_PORT=`parse_listening_port < ovsdb-server.log`
+
+# During bootstrap, the connection gets torn down. So the o/p of ovs-vsctl is error.
+AT_CHECK([ovs-vsctl -t 5 --db=ssl:127.0.0.1:$SSL_PORT --private-key=$PKIDIR/vsctl-privkey.pem --certificate=$PKIDIR/vsctl-cert.pem --bootstrap-ca-cert=$PKIDIR/cacert.pem show], [1], [ignore], [ignore])
+
+# If the bootstrap was successful, the following file should exist.
+OVS_WAIT_UNTIL([test -e $PKIDIR/cacert.pem])
+OVSDB_SERVER_SHUTDOWN
+AT_CLEANUP
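Review bot: `OVS_WAIT_UNTIL([test -e $PKIDIR/cacert.pem])` only proves that bootstrap wrote a file, not that the client obtained the right certificate or that the result is usable. Since bootstrapping is trust-on-first-use, the test should pin the fetched certificate to the one the server was started with, e.g. `AT_CHECK([openssl x509 -noout -fingerprint -in $PKIDIR/cacert.pem > got && openssl x509 -noout -fingerprint -in $PKIDIR/ovsdbserver-cert.pem > want && cmp got want])` (assuming the bootstrapped file is PEM, which the `.pem` name suggests but this hunk does not show), and then demonstrate that it validates the server by repeating the `ovs-vsctl ... show` call with `--ca-cert=$PKIDIR/cacert.pem` in place of `--bootstrap-ca-cert=...` and expecting exit status 0 rather than 1. Separately, the three `$OVS_PKI` setup lines run outside `AT_CHECK`, so a failure there surfaces only as a confusing failure later in the test.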