Transport Layer Security (TLS) is used to secure the connection between OpenFlow controllers and the switch. Mutual authentication is provided by X.509 certificates, which are issued by a hierarchical system of certificate authorities (CAs). The system of certificates and CAs, together with the people, policies, and procedures used to distribute them, is known as a Public Key Infrastructure (PKI).
The switch and controller may communicate through either a secure TLS connection or through an insecure Transmission Control Protocol (TCP) connection. If TLS is configured, the switch and controller must mutually authenticate by exchanging certificates.
Note
Secure Socket Layer (SSL) and TLS are sometimes used interchangeably, but TLS is the more secure successor of SSL. SSL has been around for a while, and all of its versions are now considered insecure; therefore, no versions of SSL are allowed.

Note
Switches cannot generate self-signed certificates. The switch's certificate must be generated and signed by the PKI host.

Note
Open vSwitch "bootstrap" mode is not supported. The controller's CA certificate must be manually copied to the switch.

TLS 1.0, 1.1, and 1.2 are supported.
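The PKI-host side of the workflow above, as an added example that is not part of this documentation and not a switch or controller command: one CA issues both the switch and the controller certificate, and `openssl verify` shows that each chains to the CA while a self-signed switch certificate (which the switch cannot produce, and which the controller would reject) does not. The names `openflow-ca`, `switch1`, `controller` and `rogue`, and the temporary working directory, are assumptions.

```shell
#!/bin/sh
# Constructed PKI-host walk-through; certificate names and the work directory
# are assumptions, not values from the page or any vendor's CLI.
set -eu
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# 1. CA key and self-signed CA certificate: the only self-signed certificate
#    in this PKI. This is the file that is manually copied to the switch.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
  -keyout ca.key -out ca.crt -subj "/CN=openflow-ca" >/dev/null 2>&1

# issue_cert NAME: generate NAME.key and a CSR, then have the CA sign it.
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$1" >/dev/null 2>&1
  openssl x509 -req -in "$1.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 365 -out "$1.crt" >/dev/null 2>&1
}

# verify_cert NAME: prints "ok" if NAME.crt chains to ca.crt, otherwise "fail".
verify_cert() {
  if openssl verify -CAfile ca.crt "$1.crt" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# 2. Issue the switch and controller certificates from the same CA.
issue_cert switch1
issue_cert controller

# 3. A self-signed certificate with the switch's name does not chain to the CA,
#    so mutual authentication against ca.crt fails for it.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -keyout rogue.key \
  -out rogue.crt -subj "/CN=switch1" >/dev/null 2>&1

echo "switch1:     $(verify_cert switch1)"
echo "controller:  $(verify_cert controller)"
echo "self-signed: $(verify_cert rogue)"
```

Only ca.crt needs to reach the switch; the CA private key (ca.key) stays on the PKI host.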