mir/ovs
2
0
Fork 0
mirror of https://github.com/openvswitch/ovs synced 2025-08-22 18:07:40 +00:00
Code Issues Releases Wiki Activity

stream-ssl: Remove use of deprecated SSLv23_method.

Browse Source 
SSLv23_method() is deprecated since OpenSSL 1.1.0.  In practice, it is
just renamed into TLS_method().  Use the new name instead.

For the python version of the code, we can use PROTOCOL_TLS_CLIENT,
since we only support client side of the connection.  It turns on
the hostname check by default, though.  So, we need to turn it off,
otherwise we would have to provide the server_hostname for every
wrap_socket.  We would just use generic PROTOCOL_TLS as we do in C,
but unfortunately PROTOCOL_TLS is deprecated since Python 3.10.

Acked-by: Eelco Chaudron <echaudro@redhat.com>
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
This commit is contained in:
Ilya Maximets 2024-12-09 17:38:48 +01:00
parent 57d58b7999
commit 2b9cc5f1c4
2 changed files with 9 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
lib/stream-ssl.c
View File

@ -1005,8 +1005,6 @@ ssl_init(void)
static int static int
do_ssl_init(void) do_ssl_init(void)
{ {
SSL_METHOD *method;
if (!RAND_status()) { if (!RAND_status()) {
/* We occasionally see OpenSSL fail to seed its random number generator /* We occasionally see OpenSSL fail to seed its random number generator
* in heavily loaded hypervisors. I suspect the following scenario: * in heavily loaded hypervisors. I suspect the following scenario:
@ -1037,19 +1035,14 @@ do_ssl_init(void)
RAND_seed(seed, sizeof seed); RAND_seed(seed, sizeof seed);
} }
/* OpenSSL has a bunch of "connection methods": SSLv2_method(), /* Using version-flexible "connection method". Allowed versions will
* SSLv3_method(), TLSv1_method(), SSLv23_method(), ... Most of these * be restricted below.
* support exactly one version of SSL/TLS, e.g. TLSv1_method() supports
* TLSv1 only, not any earlier *or later* version. The only exception is
* SSLv23_method(), which in fact supports *any* version of SSL and TLS.
* We don't want SSLv2 or SSLv3 support, so we turn it off below with
* SSL_CTX_set_options().
* *
* The cast is needed to avoid a warning with newer versions of OpenSSL in * The context can be used for both client and server connections, so
* which SSLv23_method() returns a "const" pointer. */ * not using specific TLS_server_method() or TLS_client_method() here. */
method = CONST_CAST(SSL_METHOD *, SSLv23_method()); const SSL_METHOD *method = TLS_method();
if (method == NULL) { if (method == NULL) {
VLOG_ERR("TLSv1_method: %s", ERR_error_string(ERR_get_error(), NULL)); VLOG_ERR("TLS_method: %s", ERR_error_string(ERR_get_error(), NULL));
return ENOPROTOOPT; return ENOPROTOOPT;
} }

5
python/ovs/stream.py
View File

@ -790,9 +790,10 @@ class SSLStream(Stream):
if sock is None: if sock is None:
return family, sock return family, sock
# Create an SSL context # Create an SSL context.
ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23) ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
ctx.verify_mode = ssl.CERT_REQUIRED ctx.verify_mode = ssl.CERT_REQUIRED
ctx.check_hostname = False
ctx.options |= ssl.OP_NO_SSLv2 ctx.options |= ssl.OP_NO_SSLv2
ctx.options |= ssl.OP_NO_SSLv3 ctx.options |= ssl.OP_NO_SSLv3
ctx.options |= ssl.OP_NO_TLSv1 ctx.options |= ssl.OP_NO_TLSv1