stream-ssl: Remove use of deprecated SSLv23_method.

SSLv23_method() is deprecated since OpenSSL 1.1.0. In practice, it is just renamed into TLS_method(). Use the new name instead. For the python version of the code, we can use PROTOCOL_TLS_CLIENT, since we only support client side of the connection. It turns on the hostname check by default, though. So, we need to turn it off, otherwise we would have to provide the server_hostname for every wrap_socket. We would just use generic PROTOCOL_TLS as we do in C, but unfortunately PROTOCOL_TLS is deprecated since Python 3.10. Acked-by: Eelco Chaudron <echaudro@redhat.com> Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
2025-08-22 09:58:01 +00:00 · 2024-12-09 17:38:48 +01:00 · 2024-12-09 17:38:48 +01:00 · 2b9cc5f1c4
commit 2b9cc5f1c4
parent 57d58b7999
2 changed files with 9 additions and 15 deletions
--- a/lib/stream-ssl.c
+++ b/lib/stream-ssl.c
@ -1005,8 +1005,6 @@ ssl_init(void)
 static int
 do_ssl_init(void)
 {
-    SSL_METHOD *method;
-
    if (!RAND_status()) {
        /* We occasionally see OpenSSL fail to seed its random number generator
         * in heavily loaded hypervisors.  I suspect the following scenario:
@ -1037,19 +1035,14 @@ do_ssl_init(void)
        RAND_seed(seed, sizeof seed);
    }

-    /* OpenSSL has a bunch of "connection methods": SSLv2_method(),
-     * SSLv3_method(), TLSv1_method(), SSLv23_method(), ...  Most of these
-     * support exactly one version of SSL/TLS, e.g. TLSv1_method() supports
-     * TLSv1 only, not any earlier *or later* version.  The only exception is
-     * SSLv23_method(), which in fact supports *any* version of SSL and TLS.
-     * We don't want SSLv2 or SSLv3 support, so we turn it off below with
-     * SSL_CTX_set_options().
+    /* Using version-flexible "connection method".  Allowed versions will
+     * be restricted below.
     *
-     * The cast is needed to avoid a warning with newer versions of OpenSSL in
-     * which SSLv23_method() returns a "const" pointer. */
-    method = CONST_CAST(SSL_METHOD *, SSLv23_method());
+     * The context can be used for both client and server connections, so
+     * not using specific TLS_server_method() or TLS_client_method() here. */
+    const SSL_METHOD *method = TLS_method();
    if (method == NULL) {
-        VLOG_ERR("TLSv1_method: %s", ERR_error_string(ERR_get_error(), NULL));
+        VLOG_ERR("TLS_method: %s", ERR_error_string(ERR_get_error(), NULL));
        return ENOPROTOOPT;
    }

--- a/python/ovs/stream.py
+++ b/python/ovs/stream.py
@ -790,9 +790,10 @@ class SSLStream(Stream):
        if sock is None:
            return family, sock

-        # Create an SSL context
-        ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+        # Create an SSL context.
+        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.verify_mode = ssl.CERT_REQUIRED
+        ctx.check_hostname = False
        ctx.options |= ssl.OP_NO_SSLv2
        ctx.options |= ssl.OP_NO_SSLv3
        ctx.options |= ssl.OP_NO_TLSv1