Re: [OVSDB-TLS] Probe failed to OVSDB switch.


Jamo Luhrsen <jluhrsen@...>
 

Hey Vamsi,

like I noted in my other email about SSL+Restconf, if you've learned anything
that you can update the wiki with for this OVSDB+SSL, please feel free. It's
open for anyone to help keep things correct.

Thanks,
JamO

On 01/04/2018 10:14 AM, A Vamsikrishna wrote:
Hi Mohamed,

 

Sorry!!! That’s a typo in the previous email. It’s working after setting it as *<use-mdsal>false<use-mdsal>*


Any idea about the non-working cipher issue ?

 

Thanks,

Vamsi

 

*From:* ovsdb-dev-bounces@... *On Behalf Of* A Vamsikrishna
*Sent:* Thursday, January 04, 2018 11:40 PM
*To:* Mohamed El-Serngawy <m.elserngawy@...>
*Cc:* ovsdb-dev@...
*Subject:* Re: [ovsdb-dev] [OVSDB-TLS] Probe failed to OVSDB switch.

 

Hi Mohamed,

 

It worked after setting the below tag to true :)

 

*<use-mdsal>false<use-mdsal>*

 

 

I have attached all the steps that I have followed for reference.

 

After adding cipher suite it’s working for *TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256* but not for
*TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256.*

 

Below are the logs:

 

stack@ubuntu:/var/log/openvswitch$ *tail -5 ovsdb-server.log*

2018-01-02T21:44:45.533Z|12079|reconnect|INFO|ssl:192.168.56.1:6640: waiting 8 seconds before reconnect

2018-01-02T21:44:53.535Z|12080|reconnect|INFO|ssl:192.168.56.1:6640: connecting...

*2018-01-02T21:44:53.539Z|12081|stream_ssl|WARN|SSL_connect: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure*

2018-01-02T21:44:53.539Z|12082|reconnect|INFO|ssl:192.168.56.1:6640: connection attempt failed (Protocol error)

2018-01-02T21:44:53.539Z|12083|reconnect|INFO|ssl:192.168.56.1:6640: waiting 8 seconds before reconnect

stack@ubuntu:/var/log/openvswitch$

 

 

47. NOK org.opendaylight.ovsdb.hwvtepsouthbound-impl: OSGi state = Active, Karaf bundleState = GracePeriod, due to: Blueprint

1/4/18 11:32 PM

Missing dependencies:

(objectClass=org.opendaylight.ovsdb.lib.OvsdbConnection) (objectClass=org.opendaylight.controller.md.sal.binding.api.DataBroker)

 

48. NOK org.opendaylight.ovsdb.library: OSGi state = Active, Karaf bundleState = GracePeriod, due to: Blueprint

1/4/18 11:32 PM

Missing dependencies:

(objectClass=org.opendaylight.aaa.cert.api.ICertificateManager)

 

49. NOK org.opendaylight.ovsdb.southbound-impl: OSGi state = Active, Karaf bundleState = GracePeriod, due to: Blueprint

1/4/18 11:32 PM

Missing dependencies:

(objectClass=org.opendaylight.ovsdb.lib.OvsdbConnection) (objectClass=org.opendaylight.controller.md.sal.binding.api.DataBroker)

 

2018-01-04 23:32:59,622 | INFO  | entLoopGroup-4-1 | LoggingHandler                   | 96 - io.netty.common - 4.1.8.Final | [id: 0xa7da16d2, L:/0:0:0:0:0:0:0:0:6640] RECEIVED: [id: 0xa753e054, L:/192.168.56.1:6640 - R:/192.168.56.102:44828]

2018-01-04 23:33:07,645 | INFO  | entLoopGroup-4-1 | LoggingHandler                   | 96 - io.netty.common - 4.1.8.Final | [id: 0xa7da16d2, L:/0:0:0:0:0:0:0:0:6640] RECEIVED: [id: 0xb41f9441, L:/192.168.56.1:6640 - R:/192.168.56.102:44830]

2018-01-04 23:33:15,663 | INFO  | entLoopGroup-4-1 | LoggingHandler                   | 96 - io.netty.common - 4.1.8.Final | [id: 0xa7da16d2, L:/0:0:0:0:0:0:0:0:6640] RECEIVED: [id: 0xcdb6c31c, L:/192.168.56.1:6640 - R:/192.168.56.102:44832]

2018-01-04 23:33:23,679 | INFO  | entLoopGroup-4-1 | LoggingHandler                   | 96 - io.netty.common - 4.1.8.Final | [id: 0xa7da16d2, L:/0:0:0:0:0:0:0:0:6640] RECEIVED: [id: 0x5191df60, L:/192.168.56.1:6640 - R:/192.168.56.102:44834]

2018-01-04 23:33:31,694 | INFO  | entLoopGroup-4-1 | LoggingHandler                   | 96 - io.netty.common - 4.1.8.Final | [id: 0xa7da16d2, L:/0:0:0:0:0:0:0:0:6640] RECEIVED: [id: 0x9f672ffc, L:/192.168.56.1:6640 - R:/192.168.56.102:44836]

2018-01-04 23:33:39,712 | INFO  | entLoopGroup-4-1 | LoggingHandler                   | 96 - io.netty.common - 4.1.8.Final | [id: 0xa7da16d2, L:/0:0:0:0:0:0:0:0:6640] REC

 

Any idea about this issue ?

 

Thanks,

Vamsi

 
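An added helper (not from this thread, ODL, or OVS) to make the cipher-suite check concrete: it derives from the IANA suite name which certificate key type the listener on 6640 must hold, and classifies the two stream_ssl errors seen in the ovsdb-server.log excerpts in this thread. It assumes ctl.jks holds an RSA key, which is consistent with the RSA suite working and the ECDSA suite failing.

```python
import re

# Added helper (not ODL or OVS code): map the authentication part of an IANA
# cipher-suite name to the key type the server-side certificate must hold.
AUTH_KEY_TYPE = {"RSA": "RSA", "ECDSA": "EC", "DSS": "DSA"}
SUITE_RE = re.compile(r"^TLS_(?:ECDHE|ECDH|DHE|DH)_(RSA|ECDSA|DSS)_WITH_")

def required_server_key(suite):
    """Key type the listening side (ODL on 6640) must have in its keystore."""
    m = SUITE_RE.match(suite)
    if m:
        return AUTH_KEY_TYPE[m.group(1)]
    if suite.startswith("TLS_RSA_WITH_"):      # static RSA key exchange
        return "RSA"
    return None    # PSK/anon/TLS 1.3 suites: not tied to a certificate key type

def suite_fits_keystore(suite, keystore_key_type):
    """True if a keystore holding `keystore_key_type` can serve `suite`."""
    need = required_server_key(suite)
    return need is None or need == keystore_key_type

# OpenSSL reasons from ovsdb-server.log, mapped to which side refused the handshake.
STREAM_SSL_RE = re.compile(r"\|stream_ssl\|WARN\|SSL_connect: error:[0-9A-Fa-f]+:SSL routines:\w+:(.*)$")
DIAGNOSIS = {
    "sslv3 alert handshake failure":
        "ODL (server) sent handshake_failure: typically no cipher suite usable with its certificate key",
    "certificate verify failed":
        "OVS (client) could not verify ODL's certificate against its CA file",
}

def diagnose(log_line):
    """Classify one stream_ssl warning; None for lines that are not SSL_connect errors."""
    m = STREAM_SSL_RE.search(log_line)
    if not m:
        return None
    reason = m.group(1).strip()
    return DIAGNOSIS.get(reason, "unclassified: " + reason)

# Lines taken from this thread's ovsdb-server.log output, with the wrapped line rejoined.
OVS_LOG = [
    "2018-01-02T21:44:53.535Z|12080|reconnect|INFO|ssl:192.168.56.1:6640: connecting...",
    "2018-01-02T21:44:53.539Z|12081|stream_ssl|WARN|SSL_connect: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure",
    "2018-01-02T18:20:13.928Z|07254|stream_ssl|WARN|SSL_connect: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed",
]

if __name__ == "__main__":
    # Assumption: ctl.jks was generated with an RSA key, as the RSA suite works.
    for suite in ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"):
        print(suite, "needs", required_server_key(suite), "fits RSA keystore:", suite_fits_keystore(suite, "RSA"))
    for line in OVS_LOG:
        print(diagnose(line))
```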

*From:* Mohamed El-Serngawy <m.elserngawy@...>
*Sent:* Thursday, January 04, 2018 10:18 PM
*To:* A Vamsikrishna <a.vamsikrishna@...>
*Cc:* Jamo Luhrsen <jluhrsen@...>; ovsdb-dev@...
*Subject:* Re: [ovsdb-dev] [OVSDB-TLS] Probe failed to OVSDB switch.

 

Hi Vamsikrishna,

 

- As you are using jks files, you need to set <use-mdsal>false<use-mdsal>; otherwise ODL will look for the OVS certificate in
MD-SAL, not in the jks file.

 

- Also, please confirm that you used the RPC in step 9 and that you were able to see the certificate back.

Wiki step 9: don't forget to change ovs1 to the alias you used when you generated the OVS certificate.

 

curl -X POST -u admin:admin -H "Content-Type: application/json" -H "Cache-Control: no-cache" -d '{
      "aaa-cert-rpc:input": {
        "aaa-cert-rpc:node-alias": "ovs1"
      }
    }'   "http://localhost:8181/restconf/operations/aaa-cert-rpc:getNodeCertifcate"

 

I'm not sure why you used this way to generate the controller certificate; ODL is supposed to generate its own self-signed
certificate, OR if you will use a CA you should sign both the OVS and ODL certificates based on certificate requests.

 

BR

 

On Thu, Jan 4, 2018 at 11:28 AM, A Vamsikrishna <a.vamsikrishna@...> wrote:

Hi Mohamed & Jamo,

 

Thanks for your response :)

 

Also sometimes I see below errors in ODL and OVS logs:

 

D: [id: 0x78b62606, L:/192.168.56.1:6640 - R:/192.168.56.102:41618]

-01-03 14:31:42,261 | ERROR | assiveConnServ-3 | OvsdbConnectionService           | 380 - org.opendaylight.ovsdb.library - 1.6.0.SNAPSHOT | *Ssl handshake fail*. channel [id: 0x78b62606, L:/192.168.56.1:6640 ! R:/192.168.56.102:41618]

 

 

stack@ubuntu:/var/log/openvswitch$

stack@ubuntu:/var/log/openvswitch$ tail -5 ovsdb-server.log

2018-01-02T18:20:05.920Z|07252|reconnect|INFO|ssl:192.168.56.1:6640: waiting 8 seconds before reconnect

2018-01-02T18:20:13.921Z|07253|reconnect|INFO|ssl:192.168.56.1:6640: connecting...

*2018-01-02T18:20:13.928Z|07254|stream_ssl|WARN|SSL_connect: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed*

2018-01-02T18:20:13.928Z|07255|reconnect|INFO|ssl:192.168.56.1:6640: connection attempt failed (Protocol error)

2018-01-02T18:20:13.928Z|07256|reconnect|INFO|ssl:192.168.56.1:6640: waiting 8 seconds before reconnect

stack@ubuntu:/var/log/openvswitch$

stack@ubuntu:/var/log/openvswitch$

 

Please find my answers inline.

 

Regards,

Vamsi

 

*From:* Mohamed El-Serngawy <m.elserngawy@...>
*Sent:* Thursday, January 04, 2018 8:31 PM
*To:* Jamo Luhrsen <jluhrsen@...>
*Cc:* A Vamsikrishna <a.vamsikrishna@...>; ovsdb-dev@...
*Subject:* Re: [ovsdb-dev] [OVSDB-TLS] Probe failed to OVSDB switch.

 

Hi Vamsikrishna,

 

So you are following the previous wiki to establish OVS TLS communication without any specific cipher suites (just so this is
not confused with your other emails).

*[Vamsi] Yes*

 

Let's do the troubleshooting:

 

1. In the aaa-cert-config.xml you are using mdsal (<use-mdsal>true</use-mdsal>); does that mean you are using ODL in cluster mode?
If yes, make sure that the aaa-cert data-tree has been configured in the cluster. If not, the recommendation is to
use the jks files as the certificate data store in an ODL single instance.

*[Vamsi] I am using ODL in non-cluster mode and I have generated jks files by following the attached commands (ctl.jks and
truststore.jks) on OVS*

 

2. Did you make sure that the OVS certificate has been stored in ODL ? check step 9 at the wiki.

*[Vamsi] Yes, I have manually copied ctl.jks and truststore.jks to ODL’s /configuration/ssl folder and restarted ODL
using system:shutdown*

 

 

I will try to go through the wiki again in order to reproduce it. Are you using ODL Nitrogen or Master? Let me know.

 

*[Vamsi] I am using master.*


 

Thanks

 

-----

 

Thanks Jamo

 

 

On Wed, Jan 3, 2018 at 4:32 PM, Jamo Luhrsen <jluhrsen@...> wrote:

sending again with Mohamed's gmail address


On 01/03/2018 01:06 PM, Jamo Luhrsen wrote:
> Vamsi,
>
> I've added Mohamed explicitly to this email, as he was the author of the
> wiki page you are referring to.
>
> I've personally never set up ovsdb with TLS, so not sure if it even
> works. It does seem like a gap we have in our CSIT jobs. Hopefully someone
> (maybe me) can find time to add it. It's not out of the realm of possibility
> that it does not work and we need a bug.
>
> Thanks,
> JamO
>
> On 01/01/2018 07:19 AM, A Vamsikrishna wrote:
>> Hi All,
>>
>>  
>>
>> I am following below wiki for OVSDB-TLS communication:
>>
>>  
>>
>> https://wiki.opendaylight.org/view/OVSDB_Integration:TLS_Communication
>>
>>  
>>
>> I am seeing below error in ODL logs:
>>
>>  
>>
>> _remoteIp=IpAddress [_ipv4Address=Ipv4Address [_value=192.168.56.102]], _remotePort=PortNumber [_value=36526], augmentation=[]]
>>
>> 2018-01-01 20:36:43,103 | ERROR | DBConnNotifSer-0 | OvsdbConnectionService           | 380 - org.opendaylight.ovsdb.library - 1.6.0.SNAPSHOT | *Probe failed to OVSDB switch. Disconnecting the channel ConnectionInfo* [Remote-address=192.168.56.102, Remote-port=36526, Local-address192.168.56.1, Local-port=6640, type=PASSIVE]
>>
>>  
>>
>> And I am not seeing the SSL connection on OVS :
>>
>>  
>>
>> stack@ubuntu:/etc/openvswitch$ sudo ovs-vsctl show
>>
>> 3dfb73ad-1ea2-46ed-b749-ba55a1ee912f
>>
>> *    Manager "ssl:192.168.56.1:6640"*
>>
>>     Bridge br-ex
>>
>>         Controller "ssl:192.168.56.1:6653"
>>
>>        Port br-ex
>>
>>             Interface br-ex
>>
>>                 type: internal
>>
>>     ovs_version: "2.6.1"
>>
>> stack@ubuntu:/etc/openvswitch$
>>
>> stack@ubuntu:/etc/openvswitch$
>>
>>  
>>
>> Can you please help me out in fixing this issue ?
>>
>>  
>>
>> Attaching the config files changed & Please let me know if you need any info to help on this issue.
>>
>>  
>>
>> Thanks,
>>
>> Vamsi
>>
>>
>>
>> _______________________________________________
>> ovsdb-dev mailing list
>> ovsdb-dev@...
>> https://lists.opendaylight.org/mailman/listinfo/ovsdb-dev
>>
