From 3131588e1e1dd799b664df4a1932208d7b1cd10b Mon Sep 17 00:00:00 2001 From: Ilya Maximets Date: Mon, 9 Dec 2024 17:38:50 +0100 Subject: [PATCH] python: Require Python 3.7 for ssl.TLSVersion. All the ssl.OP_NO_* options are deprecated since OpenSSL 1.1.0. Use minimum/maximum_version configuration instead. Unfortunately, those only available in Python 3.7, so increasing the minimal supported Python version. Python 3.7+ should be available in most modern distributions. It is also EoL at this point, but there is no need to require higher versions. Acked-by: Eelco Chaudron Signed-off-by: Ilya Maximets --- Documentation/intro/install/general.rst | 4 ++-- Documentation/intro/install/rhel.rst | 2 +- Documentation/intro/install/windows.rst | 2 +- NEWS | 1 + m4/openvswitch.m4 | 10 +++++----- python/ovs/stream.py | 7 +++---- python/setup.py.template | 2 +- 7 files changed, 14 insertions(+), 14 deletions(-) diff --git a/Documentation/intro/install/general.rst b/Documentation/intro/install/general.rst index c93381a8b..42b717289 100644 --- a/Documentation/intro/install/general.rst +++ b/Documentation/intro/install/general.rst @@ -90,7 +90,7 @@ need the following software: If libcap-ng is installed, then Open vSwitch will automatically build with support for it. -- Python 3.6 or later. +- Python 3.7 or later. - Unbound library, from http://www.unbound.net, is optional but recommended if you want to enable ovs-vswitchd and other utilities to use DNS names when @@ -202,7 +202,7 @@ simply install and run Open vSwitch you require the following software: from iproute2 (part of all major distributions and available at https://wiki.linuxfoundation.org/networking/iproute2). -- Python 3.6 or later. +- Python 3.7 or later. On Linux you should ensure that ``/dev/urandom`` exists. To support TAP devices, you must also ensure that ``/dev/net/tun`` exists. diff --git a/Documentation/intro/install/rhel.rst b/Documentation/intro/install/rhel.rst index 36ab1341c..a5d8d827e 100644 
--- a/Documentation/intro/install/rhel.rst +++ b/Documentation/intro/install/rhel.rst @@ -92,7 +92,7 @@ Once that is completed, remove the file ``/tmp/ovs.spec``. If python3-sphinx package is not available in your version of RHEL, you can install it via pip with 'pip install sphinx'. -Open vSwitch requires python 3.6 or newer which is not available in older +Open vSwitch requires python 3.7 or newer which is not available in older distributions. For those, one option is to build and install required version from source. diff --git a/Documentation/intro/install/windows.rst b/Documentation/intro/install/windows.rst index c99cae718..12e377941 100644 --- a/Documentation/intro/install/windows.rst +++ b/Documentation/intro/install/windows.rst @@ -56,7 +56,7 @@ The following explains the steps in some detail. 'C:/MinGW /mingw'. -- Python 3.6 or later. +- Python 3.7 or later. Install the latest Python 3.x from python.org and verify that its path is part of Windows' PATH environment variable. diff --git a/NEWS b/NEWS index 6ff080547..863d8e7a3 100644 --- a/NEWS +++ b/NEWS @@ -33,6 +33,7 @@ Post-v3.4.0 * Added tool called "ovs-flowviz" capable of parsing OpenFlow and datapath flow dumps and displaying them in several different formats. + * Dropped support for Python < 3.7. - DPDK: * OVS validated with DPDK 23.11.2. * Add hardware offload support for matching ICMPv6 protocol diff --git a/m4/openvswitch.m4 b/m4/openvswitch.m4 index b226c851b..6d41ffc44 100644 --- a/m4/openvswitch.m4 +++ b/m4/openvswitch.m4 
@@ -359,22 +359,22 @@ dnl Checks for valgrind/valgrind.h. AC_DEFUN([OVS_CHECK_VALGRIND], [AC_CHECK_HEADERS([valgrind/valgrind.h])]) -dnl Checks for Python 3.6 or later. +dnl Checks for Python 3.7 or later. AC_DEFUN([OVS_CHECK_PYTHON3], [AC_CACHE_CHECK( - [for Python 3 (version 3.6 or later)], + [for Python 3 (version 3.7 or later)], [ovs_cv_python3], [if test -n "$PYTHON3"; then ovs_cv_python3=$PYTHON3 else ovs_cv_python3=no - for binary in python3 python3.6 python3.7 python3.8 python3.9 python3.10 python3.11 python3.12; do + for binary in python3 python3.7 python3.8 python3.9 python3.10 python3.11 python3.12 python3.13; do ovs_save_IFS=$IFS; IFS=$PATH_SEPARATOR for dir in $PATH; do IFS=$ovs_save_IFS test -z "$dir" && dir=. if test -x "$dir"/"$binary" && "$dir"/"$binary" -c 'import sys -if sys.hexversion >= 0x03060000 and sys.hexversion < 0x04000000: +if sys.hexversion >= 0x03070000 and sys.hexversion < 0x04000000: sys.exit(0) else: sys.exit(1)'; then @@ -385,7 +385,7 @@ else: done fi]) if test "$ovs_cv_python3" = no; then - AC_MSG_ERROR([Python 3.6 or later is required but not found in $PATH, please install it or set $PYTHON3 to point to it]) + AC_MSG_ERROR([Python 3.7 or later is required but not found in $PATH, please install it or set $PYTHON3 to point to it]) fi AC_ARG_VAR([PYTHON3]) PYTHON3=$ovs_cv_python3]) diff --git a/python/ovs/stream.py b/python/ovs/stream.py index ac582c3c5..2282905ed 100644 --- a/python/ovs/stream.py +++ b/python/ovs/stream.py 
@@ -794,10 +794,9 @@ class SSLStream(Stream): ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT) ctx.verify_mode = ssl.CERT_REQUIRED ctx.check_hostname = False - ctx.options |= ssl.OP_NO_SSLv2 - ctx.options |= ssl.OP_NO_SSLv3 - ctx.options |= ssl.OP_NO_TLSv1 - ctx.options |= ssl.OP_NO_TLSv1_1 + # Only allow TLSv1.2 or later. + ctx.minimum_version = ssl.TLSVersion.TLSv1_2 + ctx.maximum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED # If the client has not set the SSL/TLS configuration files # exception would be raised. ctx.load_verify_locations(Stream._SSL_ca_cert_file) diff --git a/python/setup.py.template b/python/setup.py.template index b134694f1..abd5e57b9 100644 --- a/python/setup.py.template +++ b/python/setup.py.template @@ -93,7 +93,7 @@ setup_args = dict( 'Topic :: System :: Networking', 'License :: OSI Approved :: Apache Software License', 'Programming Language :: Python :: 3', - 'Programming Language :: Python :: 3.6', + 'Programming Language :: Python :: 3.7', ], ext_modules=[setuptools.Extension("ovs._json", sources=["ovs/_json.c"],
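Review bot: The added `ctx.minimum_version = ssl.TLSVersion.TLSv1_2` line in the python/ovs/stream.py hunk is now the only thing keeping TLS 1.0/1.1 disabled, and the Python documentation says that attribute is unavailable when the ssl module is built against OpenSSL older than 1.1.0g, while the configure check in this patch tests only `sys.hexversion`. On such a build (possible with Python 3.7 to 3.9, as far as I can tell) the assignment may simply create a plain instance attribute without raising, so the protocol floor would be dropped silently now that the `OP_NO_TLSv1` and `OP_NO_TLSv1_1` lines are removed. I would guard it right after the two new assignments, keeping the old options only as a fallback: `if not hasattr(ssl.SSLContext, "minimum_version"):` followed by `ctx.options |= ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1`. The enclosing SSLStream method starts and ends outside the hunk, so how an error raised here would propagate is not visible. Separately, the context line `ctx.check_hostname = False` carries no comment, so a reader cannot tell whether skipping the hostname match against the peer certificate is deliberate; a one-line why-comment there would help.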