2011-05-10 09:17:37 -07:00
|
|
|
|
/*
|
2016-10-06 16:21:33 -07:00
|
|
|
|
* Copyright (c) 2011, 2016 Nicira, Inc.
|
2011-05-10 09:17:37 -07:00
|
|
|
|
*
|
|
|
|
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
|
|
* you may not use this file except in compliance with the License.
|
|
|
|
|
|
* You may obtain a copy of the License at:
|
|
|
|
|
|
*
|
|
|
|
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
|
|
*
|
|
|
|
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
|
|
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
|
|
* See the License for the specific language governing permissions and
|
|
|
|
|
|
* limitations under the License.
|
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
|
|
#include <config.h>
|
|
|
|
|
|
#include "stream-ssl.h"
|
2014-12-15 14:10:38 +01:00
|
|
|
|
#include "openvswitch/vlog.h"
|
2011-05-10 09:17:37 -07:00
|
|
|
|
|
|
|
|
|
|
VLOG_DEFINE_THIS_MODULE(stream_nossl);
|
|
|
|
|
|
�
|
|
|
|
|
|
/* Dummy function definitions, used when OVS is built without OpenSSL. */
|
|
|
|
|
|
|
|
|
|
|
|
bool
|
|
|
|
|
|
stream_ssl_is_configured(void)
|
|
|
|
|
|
{
|
|
|
|
|
|
return false;
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2014-12-15 14:10:38 +01:00
|
|
|
|
OVS_NO_RETURN static void
|
2011-05-10 09:17:37 -07:00
|
|
|
|
nossl_option(const char *detail)
|
|
|
|
|
|
{
|
treewide: Refer to SSL configuration as SSL/TLS.
SSL protocol family is not actually being used or supported in OVS.
What we use is actually TLS.
Terms "SSL" and "TLS" are often used interchangeably in modern
software and refer to the same thing, which is normally just TLS.
Let's replace "SSL" with "SSL/TLS" in documentation and user-visible
messages, where it makes sense. This may make it more clear what
is meant for a less experienced user that may look for TLS support
in OVS and not find much.
We're not changing any actual code, because, for example, most of
OpenSSL APIs are using just SSL, for historical reasons. And our
database is using "SSL" table. We may consider migrating to "TLS"
naming for user-visible configuration like command line arguments
and database names, but that will require extra work on making sure
upgrades can still work. In general, a slightly more clear
documentation should be enough for now, especially since term SSL
is still widely used in the industry.
"SSL/TLS" is chosen over "TLS/SSL" simply because our user-visible
configuration knobs are using "SSL" naming, e.g. '--ssl-cyphers'
or 'ovs-vsctl set-ssl'. So, it might be less confusing this way.
We may switch that, if we decide on re-working the user-visible
commands towards "TLS" naming, or providing both alternatives.
Some other projects did similar changes. For example, the python ssl
library is now using "TLS/SSL" in the documentation whenever possible.
Same goes for OpenSSL itself.
Acked-by: Eelco Chaudron <echaudro@redhat.com>
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
2024-12-09 17:38:45 +01:00
|
|
|
|
VLOG_FATAL(
|
|
|
|
|
|
"%s specified but Open vSwitch was built without SSL/TLS support",
|
|
|
|
|
|
detail);
|
2011-05-10 09:17:37 -07:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
void
|
|
|
|
|
|
stream_ssl_set_private_key_file(const char *file_name)
|
|
|
|
|
|
{
|
|
|
|
|
|
if (file_name != NULL) {
|
|
|
|
|
|
nossl_option("Private key");
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
void
|
|
|
|
|
|
stream_ssl_set_certificate_file(const char *file_name)
|
|
|
|
|
|
{
|
|
|
|
|
|
if (file_name != NULL) {
|
|
|
|
|
|
nossl_option("Certificate");
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
void
|
|
|
|
|
|
stream_ssl_set_ca_cert_file(const char *file_name, bool bootstrap OVS_UNUSED)
|
|
|
|
|
|
{
|
|
|
|
|
|
if (file_name != NULL) {
|
|
|
|
|
|
nossl_option("CA certificate");
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
void
|
|
|
|
|
|
stream_ssl_set_peer_ca_cert_file(const char *file_name)
|
|
|
|
|
|
{
|
|
|
|
|
|
if (file_name != NULL) {
|
|
|
|
|
|
nossl_option("Peer CA certificate");
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
void
|
|
|
|
|
|
stream_ssl_set_key_and_cert(const char *private_key_file,
|
|
|
|
|
|
const char *certificate_file)
|
|
|
|
|
|
{
|
|
|
|
|
|
stream_ssl_set_private_key_file(private_key_file);
|
|
|
|
|
|
stream_ssl_set_certificate_file(certificate_file);
|
|
|
|
|
|
}
|
2016-10-06 16:21:33 -07:00
|
|
|
|
|
|
|
|
|
|
void
|
|
|
|
|
|
stream_ssl_set_protocols(const char *arg OVS_UNUSED)
|
|
|
|
|
|
{
|
treewide: Refer to SSL configuration as SSL/TLS.
SSL protocol family is not actually being used or supported in OVS.
What we use is actually TLS.
Terms "SSL" and "TLS" are often used interchangeably in modern
software and refer to the same thing, which is normally just TLS.
Let's replace "SSL" with "SSL/TLS" in documentation and user-visible
messages, where it makes sense. This may make it more clear what
is meant for a less experienced user that may look for TLS support
in OVS and not find much.
We're not changing any actual code, because, for example, most of
OpenSSL APIs are using just SSL, for historical reasons. And our
database is using "SSL" table. We may consider migrating to "TLS"
naming for user-visible configuration like command line arguments
and database names, but that will require extra work on making sure
upgrades can still work. In general, a slightly more clear
documentation should be enough for now, especially since term SSL
is still widely used in the industry.
"SSL/TLS" is chosen over "TLS/SSL" simply because our user-visible
configuration knobs are using "SSL" naming, e.g. '--ssl-cyphers'
or 'ovs-vsctl set-ssl'. So, it might be less confusing this way.
We may switch that, if we decide on re-working the user-visible
commands towards "TLS" naming, or providing both alternatives.
Some other projects did similar changes. For example, the python ssl
library is now using "TLS/SSL" in the documentation whenever possible.
Same goes for OpenSSL itself.
Acked-by: Eelco Chaudron <echaudro@redhat.com>
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
2024-12-09 17:38:45 +01:00
|
|
|
|
/* Ignore this option since it seems harmless to set SSL/TLS protocols if
|
|
|
|
|
|
* SSL/TLS won't be used. */
|
2016-10-06 16:21:33 -07:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
void
|
|
|
|
|
|
stream_ssl_set_ciphers(const char *arg OVS_UNUSED)
|
|
|
|
|
|
{
|
treewide: Refer to SSL configuration as SSL/TLS.
SSL protocol family is not actually being used or supported in OVS.
What we use is actually TLS.
Terms "SSL" and "TLS" are often used interchangeably in modern
software and refer to the same thing, which is normally just TLS.
Let's replace "SSL" with "SSL/TLS" in documentation and user-visible
messages, where it makes sense. This may make it more clear what
is meant for a less experienced user that may look for TLS support
in OVS and not find much.
We're not changing any actual code, because, for example, most of
OpenSSL APIs are using just SSL, for historical reasons. And our
database is using "SSL" table. We may consider migrating to "TLS"
naming for user-visible configuration like command line arguments
and database names, but that will require extra work on making sure
upgrades can still work. In general, a slightly more clear
documentation should be enough for now, especially since term SSL
is still widely used in the industry.
"SSL/TLS" is chosen over "TLS/SSL" simply because our user-visible
configuration knobs are using "SSL" naming, e.g. '--ssl-cyphers'
or 'ovs-vsctl set-ssl'. So, it might be less confusing this way.
We may switch that, if we decide on re-working the user-visible
commands towards "TLS" naming, or providing both alternatives.
Some other projects did similar changes. For example, the python ssl
library is now using "TLS/SSL" in the documentation whenever possible.
Same goes for OpenSSL itself.
Acked-by: Eelco Chaudron <echaudro@redhat.com>
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
2024-12-09 17:38:45 +01:00
|
|
|
|
/* Ignore this option since it seems harmless to set SSL/TLS ciphers if
|
|
|
|
|
|
* SSL/TLS won't be used. */
|
2016-10-06 16:21:33 -07:00
|
|
|
|
}
|
2024-12-09 17:38:53 +01:00
|
|
|
|
|
|
|
|
|
|
void
|
|
|
|
|
|
stream_ssl_set_ciphersuites(const char *arg OVS_UNUSED)
|
|
|
|
|
|
{
|
|
|
|
|
|
/* Ignore this option since it seems harmless to set TLS ciphersuites if
|
|
|
|
|
|
* SSL/TLS won't be used. */
|
|
|
|
|
|
}
|
