ovs/lib/ssl-connect.man

.IP "\fB\-\-ssl\-protocols=\fIprotocols\fR"
Specifies a range or a comma- or space-delimited list of the SSL/TLS protocols
\fB\*(PN\fR will enable for SSL/TLS connections.  Supported \fIprotocols\fR
include \fBTLSv1.2\fR and \fBTLSv1.3\fR.
Ranges can be provided in a form of two protocol names separated with a dash,
or as a single protocol name with a plus sign.  For example, use
\fBTLSv1.2-TLSv1.3\fR to allow \fBTLSv1.2\fR and \fBTLSv1.3\fR.  Use
\fBTLSv1.2+\fR to allow \fBTLSv1.2\fR and any later protocol.
The option accepts a list of protocols or exactly one range.  The
range is a preferred way of specifying protocols and the option always behaves
as if the range between the minimum and the maximum specified version is
provided, i.e., if the option is set to \fBTLSv1.X,TLSv1.(X+2)\fR, the
\fBTLSv1.(X+1)\fR will also be enabled as if it was a range.
Regardless of order, the highest protocol supported by both sides will
be chosen when making the connection.  The default when this option is
omitted is \fBTLSv1.2\fR or later.
.
.IP "\fB\-\-ssl\-ciphers=\fIciphers\fR"
Specifies, in OpenSSL cipher string format, the ciphers \fB\*(PN\fR will
support for SSL/TLS connections with TLSv1.2.
The default when this option is omitted is \fBDEFAULT:@SECLEVEL=2\fR.
.
.IP "\fB\-\-ssl\-ciphersuites=\fIciphersuites\fR"
Specifies, in OpenSSL ciphersuite string format, the ciphersuites
\fB\*(PN\fR will support for SSL/TLS connections with TLSv1.3 and later.
Default value from OpenSSL will be used when this option is omitted.
Add support for specifying SSL connection parameters to ovsdb Signed-off-by: Ethan Rahn <erahn@arista.com> Signed-off-by: Ben Pfaff <blp@ovn.org> 2016-10-06 16:21:33 -07:00			`.IP "\fB\-\-ssl\-protocols=\fIprotocols\fR"`
stream-ssl: Support protocol ranges. The NO options are deprecated since OpenSSL 1.1.0: * SSL_OP_NO_SSLv3 * SSL_OP_NO_TLSv1 * SSL_OP_NO_TLSv1_1 * SSL_OP_NO_TLSv1_2 SSL_CTX_set_min/max_proto_version API should be used instead. Change the "ssl-protocols" configuration option to parse values and enable ranges with this new API instead. This means that we'll start enabling protocols that may not be enabled by the user, e.g. --ssl-protocols="TLSv1,TLSv1.2" will now enable TLSv1.1 as well. But it's probably not a big deal, and there will be no way to turn off one protocol in the middle in the future anyway, since the OpenSSL API required to do so is deprecated. And such configurations are very unlikely to be used in practice. At least, that was one of the reasons for OpenSSL to change the API in the first place. While at it, allow users to configure simple ranges, instead of lists. For example, OVS will now allow values like "TLSv1-TLSv1.2" to enable all versions between TLSv1 and TLSv1.2, or "TLSv1.1+" to allow TLSv1.1 or any later version. The option still accepts a list of protocols or exactly one range. Acked-by: Eelco Chaudron <echaudro@redhat.com> Signed-off-by: Ilya Maximets <i.maximets@ovn.org> 2024-12-09 17:38:47 +01:00			`Specifies a range or a comma- or space-delimited list of the SSL/TLS protocols`
stream-ssl: Remove support for deprecated TLSv1 and TLSv1.1. TLSv1 and TLSv1.1 are officially deprecated by RFC 8996 since March of 2021: https://datatracker.ietf.org/doc/rfc8996/ Both protocols should not generally be used (RFC says MUST NOT) and are being actively removed from support by major distributions and libraries. They were deprecated and disabled by default in OVS 3.5 with the following commit: 923a80d1d163 ("stream-ssl: Deprecate and disable TLSv1 and TLSv1.1.") It's time to fully remove the support for these protocols. Some infrastructure and parts of the documentation look a little awkward since we're only supporting 2 versions of TLS now, so I tried to re-word the text a little. But I kept the code intact so we can easily add new versions when they appear or deprecate TLSv1.2 when the time comes, even though it may not be soon. Acked-by: Eelco Chaudron <echaudro@redhat.com> Acked-by: Kevin Traynor <ktraynor@redhat.com> Signed-off-by: Ilya Maximets <i.maximets@ovn.org> 2025-02-24 22:26:24 +01:00			`\fB\*(PN\fR will enable for SSL/TLS connections. Supported \fIprotocols\fR`
			`include \fBTLSv1.2\fR and \fBTLSv1.3\fR.`
			`Ranges can be provided in a form of two protocol names separated with a dash,`
			`or as a single protocol name with a plus sign. For example, use`
			`\fBTLSv1.2-TLSv1.3\fR to allow \fBTLSv1.2\fR and \fBTLSv1.3\fR. Use`
			`\fBTLSv1.2+\fR to allow \fBTLSv1.2\fR and any later protocol.`
			`The option accepts a list of protocols or exactly one range. The`
			`range is a preferred way of specifying protocols and the option always behaves`
			`as if the range between the minimum and the maximum specified version is`
			`provided, i.e., if the option is set to \fBTLSv1.X,TLSv1.(X+2)\fR, the`
			`\fBTLSv1.(X+1)\fR will also be enabled as if it was a range.`
Add support for specifying SSL connection parameters to ovsdb Signed-off-by: Ethan Rahn <erahn@arista.com> Signed-off-by: Ben Pfaff <blp@ovn.org> 2016-10-06 16:21:33 -07:00			`Regardless of order, the highest protocol supported by both sides will`
			`be chosen when making the connection. The default when this option is`
stream-ssl: Deprecate and disable TLSv1 and TLSv1.1. TLSv1 and TLSv1.1 are officially deprecated by RFC 8996 since March of 2021: https://datatracker.ietf.org/doc/rfc8996/ Both protocols should not generally be used (RFC says MUST NOT) and are being actively removed from support by major distributions and libraries. Deprecate these protocols in OVS and turn them off by default. Ability to use them preserved for now with a warning. We'll fully remove support in OVS 3.6. Before this change, OVS would use TLSv1 or later, if the protocols are not specified in the database or command line (this includes TLSv1.3 that is not supported explicitly). After the change, this becomes TLSv1.2 or later. Python library only supports client side of SSL/TLS and doesn't support configuring protocols. So, just turning off TLSv1 and TLSv1.1. Meaning, new python clients will not be able to connect to servers that only have TLSv1.1 or lower. This is a strange configuration for a modern server and can be fixed by allowing the server to use newer protocols. So, there might not be a real need in making client side configurable. If the server is so old that it doesn't support TLSv1.2, it may be a time to update it. Acked-by: Eelco Chaudron <echaudro@redhat.com> Signed-off-by: Ilya Maximets <i.maximets@ovn.org> 2024-12-09 17:38:44 +01:00			`omitted is \fBTLSv1.2\fR or later.`
Add support for specifying SSL connection parameters to ovsdb Signed-off-by: Ethan Rahn <erahn@arista.com> Signed-off-by: Ben Pfaff <blp@ovn.org> 2016-10-06 16:21:33 -07:00			`.`
			`.IP "\fB\-\-ssl\-ciphers=\fIciphers\fR"`
stream-ssl: Add explicit support for configuring TLSv1.3. TLSv1.3 is currently only supported implicitly, if the --ssl-protocols are not provided. Or with the recent range support like "TLSv1.2+". However, it is not possible to explicitly ask for TLSv1.3 or set a custom list of ciphersuites for it. Fix that by adding TLSv1.3 to the list of available protocols and adding a new --ssl-ciphersuites option. The new option is necessary, because --ssl-ciphers translates into SSL_CTX_set_cipher_list() that configures ciphers for TLSv1.2 and earlier. SSL_CTX_set_ciphersuites() sets ciphersuites for TLSv1.3 and later. Tests updated to exercise new options and to reduce the use of deprecated TLSv1 and TLSv1.1. TLSv1.3 support was introduced in OpenSSL 1.1.1. Acked-by: Eelco Chaudron <echaudro@redhat.com> Signed-off-by: Ilya Maximets <i.maximets@ovn.org> 2024-12-09 17:38:53 +01:00			`Specifies, in OpenSSL cipher string format, the ciphers \fB\*(PN\fR will`
stream-ssl: Remove support for deprecated TLSv1 and TLSv1.1. TLSv1 and TLSv1.1 are officially deprecated by RFC 8996 since March of 2021: https://datatracker.ietf.org/doc/rfc8996/ Both protocols should not generally be used (RFC says MUST NOT) and are being actively removed from support by major distributions and libraries. They were deprecated and disabled by default in OVS 3.5 with the following commit: 923a80d1d163 ("stream-ssl: Deprecate and disable TLSv1 and TLSv1.1.") It's time to fully remove the support for these protocols. Some infrastructure and parts of the documentation look a little awkward since we're only supporting 2 versions of TLS now, so I tried to re-word the text a little. But I kept the code intact so we can easily add new versions when they appear or deprecate TLSv1.2 when the time comes, even though it may not be soon. Acked-by: Eelco Chaudron <echaudro@redhat.com> Acked-by: Kevin Traynor <ktraynor@redhat.com> Signed-off-by: Ilya Maximets <i.maximets@ovn.org> 2025-02-24 22:26:24 +01:00			`support for SSL/TLS connections with TLSv1.2.`
			`The default when this option is omitted is \fBDEFAULT:@SECLEVEL=2\fR.`
stream-ssl: Add explicit support for configuring TLSv1.3. TLSv1.3 is currently only supported implicitly, if the --ssl-protocols are not provided. Or with the recent range support like "TLSv1.2+". However, it is not possible to explicitly ask for TLSv1.3 or set a custom list of ciphersuites for it. Fix that by adding TLSv1.3 to the list of available protocols and adding a new --ssl-ciphersuites option. The new option is necessary, because --ssl-ciphers translates into SSL_CTX_set_cipher_list() that configures ciphers for TLSv1.2 and earlier. SSL_CTX_set_ciphersuites() sets ciphersuites for TLSv1.3 and later. Tests updated to exercise new options and to reduce the use of deprecated TLSv1 and TLSv1.1. TLSv1.3 support was introduced in OpenSSL 1.1.1. Acked-by: Eelco Chaudron <echaudro@redhat.com> Signed-off-by: Ilya Maximets <i.maximets@ovn.org> 2024-12-09 17:38:53 +01:00			`.`
			`.IP "\fB\-\-ssl\-ciphersuites=\fIciphersuites\fR"`
			`Specifies, in OpenSSL ciphersuite string format, the ciphersuites`
			`\fB\*(PN\fR will support for SSL/TLS connections with TLSv1.3 and later.`
			`Default value from OpenSSL will be used when this option is omitted.`