author | Ben Pfaff <blp@nicira.com> | 2009-12-21 13:10:55 -0800 |
---|---|---|
committer | Ben Pfaff <blp@nicira.com> | 2010-01-06 14:10:54 -0800 |
commit | 84ee7bcfdeed0abe9306e6375934b224b527f1d3 (patch) | |
tree | 2c5212fee34aa589e69f6701a35fcbbdf9d32597 /lib/ssl-bootstrap.man | |
parent | d8b30702057c18dac2f35fd766ef5d2a12786eae (diff) | |
download | openvswitch-84ee7bcfdeed0abe9306e6375934b224b527f1d3.tar.gz |
Factor vconn and SSL documentation into manpage include files.
Diffstat (limited to 'lib/ssl-bootstrap.man')
-rw-r--r-- | lib/ssl-bootstrap.man | 22 |
1 files changed, 22 insertions, 0 deletions
diff --git a/lib/ssl-bootstrap.man b/lib/ssl-bootstrap.man new file mode 100644 index 000000000..178350d91 --- /dev/null +++ b/lib/ssl-bootstrap.man @@ -0,0 +1,22 @@ +.IP "\fB\-\-bootstrap\-ca\-cert=\fIcacert.pem\fR" +When \fIcacert.pem\fR exists, this option has the same effect as +\fB\-C\fR or \fB\-\-ca\-cert\fR. If it does not exist, then +\fB\*(PN\fR will attempt to obtain the CA certificate from the +SSL peer on its first SSL connection and save it to the named PEM +file. If it is successful, it will immediately drop the connection +and reconnect, and from then on all SSL connections must be +authenticated by a certificate signed by the CA certificate thus +obtained. +.IP +\fBThis option exposes the SSL connection to a man-in-the-middle +attack obtaining the initial CA certificate\fR, but it may be useful +for bootstrapping. +.IP +This option is only useful if the SSL peer sends its CA certificate as +part of the SSL certificate chain. The SSL protocol does not require +the controller to send the CA certificate, but +\fBovs\-controller\fR(8) can be configured to do so with the +\fB\-\-peer\-ca\-cert\fR option. +.IP +This option is mutually exclusive with \fB-C\fR and +\fB\-\-ca\-cert\fR. |
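Review bot: The final paragraph writes the short option as "\fB-C\fR" with an unescaped hyphen, while the first paragraph writes the same option as "\fB\-C\fR"; escape it as "\-" in both places so the option renders as a minus sign consistently and can be copied from the formatted page. In the third paragraph, "does not require the controller to send the CA certificate" switches from the "SSL peer" wording used everywhere else in the entry; since the text uses \*(PN so that several manpages can include it, "the SSL peer" would read correctly in all of them. The bold warning would also be clearer as "exposes the SSL connection to a man-in-the-middle attack while obtaining the initial CA certificate", and the entry does not say what \*(PN does when the peer's chain lacks the CA certificate (whether the connection fails or proceeds unauthenticated), which is worth a sentence next to the warning.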