From 2b9cc5f1c4c5b6c85100c64f5ebc7cb15cd83649 Mon Sep 17 00:00:00 2001 From: Ilya Maximets Date: Mon, 9 Dec 2024 17:38:48 +0100 Subject: [PATCH] stream-ssl: Remove use of deprecated SSLv23_method. SSLv23_method() is deprecated since OpenSSL 1.1.0. In practice, it is just renamed into TLS_method(). Use the new name instead. For the python version of the code, we can use PROTOCOL_TLS_CLIENT, since we only support client side of the connection. It turns on the hostname check by default, though. So, we need to turn it off, otherwise we would have to provide the server_hostname for every wrap_socket. We would just use generic PROTOCOL_TLS as we do in C, but unfortunately PROTOCOL_TLS is deprecated since Python 3.10. Acked-by: Eelco Chaudron Signed-off-by: Ilya Maximets --- lib/stream-ssl.c | 19 ++++++------------- python/ovs/stream.py | 5 +++-- 2 files changed, 9 insertions(+), 15 deletions(-) diff --git a/lib/stream-ssl.c b/lib/stream-ssl.c index 56a31c397..516ba4b03 100644 --- a/lib/stream-ssl.c +++ b/lib/stream-ssl.c @@ -1005,8 +1005,6 @@ ssl_init(void) static int do_ssl_init(void) { - SSL_METHOD *method; - if (!RAND_status()) { /* We occasionally see OpenSSL fail to seed its random number generator * in heavily loaded hypervisors. I suspect the following scenario: @@ -1037,19 +1035,14 @@ do_ssl_init(void) RAND_seed(seed, sizeof seed); } - /* OpenSSL has a bunch of "connection methods": SSLv2_method(), - * SSLv3_method(), TLSv1_method(), SSLv23_method(), ... Most of these - * support exactly one version of SSL/TLS, e.g. TLSv1_method() supports - * TLSv1 only, not any earlier *or later* version. The only exception is - * SSLv23_method(), which in fact supports *any* version of SSL and TLS. - * We don't want SSLv2 or SSLv3 support, so we turn it off below with - * SSL_CTX_set_options(). + /* Using version-flexible "connection method". Allowed versions will + * be restricted below. * - * The cast is needed to avoid a warning with newer versions of OpenSSL in - * which SSLv23_method() returns a "const" pointer. */ - method = CONST_CAST(SSL_METHOD *, SSLv23_method()); + * The context can be used for both client and server connections, so + * not using specific TLS_server_method() or TLS_client_method() here. */ + const SSL_METHOD *method = TLS_method(); if (method == NULL) { - VLOG_ERR("TLSv1_method: %s", ERR_error_string(ERR_get_error(), NULL)); + VLOG_ERR("TLS_method: %s", ERR_error_string(ERR_get_error(), NULL)); return ENOPROTOOPT; } diff --git a/python/ovs/stream.py b/python/ovs/stream.py index 5578b7a6b..ac582c3c5 100644 --- a/python/ovs/stream.py +++ b/python/ovs/stream.py @@ -790,9 +790,10 @@ class SSLStream(Stream): if sock is None: return family, sock - # Create an SSL context - ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23) + # Create an SSL context. + ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT) ctx.verify_mode = ssl.CERT_REQUIRED + ctx.check_hostname = False ctx.options |= ssl.OP_NO_SSLv2 ctx.options |= ssl.OP_NO_SSLv3 ctx.options |= ssl.OP_NO_TLSv1