projects / mirror_ovs.git / blame
| Commit | Line | Data |
|---|---|---|
| cfdaff25 GS |
1 | <?xml version="1.0" encoding="utf-8"?> |
| 2 | <dl> | |
| 3 | <dt><code>--bootstrap-ca-cert=</code><var>cacert.pem</var></dt> | |
| 4 | <dd> | |
| 5 | <p> | |
| 6 | When <var>cacert.pem</var> exists, this option has the same effect | |
| 7 | as <code>-C</code> or <code>--ca-cert</code>. If it does not exist, | |
| 8 | then the executable will attempt to obtain the CA certificate from the | |
| 9 | SSL peer on its first SSL connection and save it to the named PEM | |
| 10 | file. If it is successful, it will immediately drop the connection | |
| 11 | and reconnect, and from then on all SSL connections must be | |
| 12 | authenticated by a certificate signed by the CA certificate thus | |
| 13 | obtained. | |
| 14 | </p> | |
| 15 | <p> | |
| 16 | This option exposes the SSL connection to a man-in-the-middle | |
| 17 | attack obtaining the initial CA certificate, but it may be useful | |
| 18 | for bootstrapping. | |
| 19 | </p> | |
| 20 | <p> | |
| 21 | This option is only useful if the SSL peer sends its CA certificate as | |
| 22 | part of the SSL certificate chain. The SSL protocol does not require | |
| 23 | the server to send the CA certificate. | |
| 24 | </p> | |
| 25 | <p> | |
| 26 | This option is mutually exclusive with <code>-C</code> and | |
| 27 | <code>--ca-cert</code>. | |
| 28 | </p> | |
| 29 | </dd> | |
| 30 | </dl> |