python: Require Python 3.7 for ssl.TLSVersion.

All the ssl.OP_NO_* options are deprecated since OpenSSL 1.1.0. Use minimum/maximum_version configuration instead. Unfortunately, those only available in Python 3.7, so increasing the minimal supported Python version. Python 3.7+ should be available in most modern distributions. It is also EoL at this point, but there is no need to require higher versions. Acked-by: Eelco Chaudron <echaudro@redhat.com> Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
2025-08-22 01:51:26 +00:00 · 2024-12-09 17:38:50 +01:00 · 2024-12-09 17:38:50 +01:00 · 3131588e1e
commit 3131588e1e
parent e70670addc
7 changed files with 14 additions and 14 deletions
--- a/Documentation/intro/install/general.rst
+++ b/Documentation/intro/install/general.rst
@ -90,7 +90,7 @@ need the following software:
  If libcap-ng is installed, then Open vSwitch will automatically build with
  support for it.

- Python 3.6 or later.
+- Python 3.7 or later.

 - Unbound library, from http://www.unbound.net, is optional but recommended if
  you want to enable ovs-vswitchd and other utilities to use DNS names when
@ -202,7 +202,7 @@ simply install and run Open vSwitch you require the following software:
  from iproute2 (part of all major distributions and available at
  https://wiki.linuxfoundation.org/networking/iproute2).

- Python 3.6 or later.
+- Python 3.7 or later.

 On Linux you should ensure that ``/dev/urandom`` exists. To support TAP
 devices, you must also ensure that ``/dev/net/tun`` exists.
--- a/Documentation/intro/install/rhel.rst
+++ b/Documentation/intro/install/rhel.rst
@ -92,7 +92,7 @@ Once that is completed, remove the file ``/tmp/ovs.spec``.
 If python3-sphinx package is not available in your version of RHEL, you can
 install it via pip with 'pip install sphinx'.

-Open vSwitch requires python 3.6 or newer which is not available in older
+Open vSwitch requires python 3.7 or newer which is not available in older
 distributions.  For those, one option is to build and install required version
 from source.

--- a/Documentation/intro/install/windows.rst
+++ b/Documentation/intro/install/windows.rst
@ -56,7 +56,7 @@ The following explains the steps in some detail.

      'C:/MinGW /mingw'.

- Python 3.6 or later.
+- Python 3.7 or later.

  Install the latest Python 3.x from python.org and verify that its path is
  part of Windows' PATH environment variable.
--- a/1
+++ b/1
@ -33,6 +33,7 @@ Post-v3.4.0
     * Added tool called "ovs-flowviz" capable of parsing OpenFlow
       and datapath flow dumps and displaying them in several different
       formats.
+     * Dropped support for Python < 3.7.
   - DPDK:
     * OVS validated with DPDK 23.11.2.
     * Add hardware offload support for matching ICMPv6 protocol
--- a/m4/openvswitch.m4
+++ b/m4/openvswitch.m4
@ -359,22 +359,22 @@ dnl Checks for valgrind/valgrind.h.
 AC_DEFUN([OVS_CHECK_VALGRIND],
  [AC_CHECK_HEADERS([valgrind/valgrind.h])])

-dnl Checks for Python 3.6 or later.
+dnl Checks for Python 3.7 or later.
 AC_DEFUN([OVS_CHECK_PYTHON3],
  [AC_CACHE_CHECK(
-     [for Python 3 (version 3.6 or later)],
+     [for Python 3 (version 3.7 or later)],
     [ovs_cv_python3],
     [if test -n "$PYTHON3"; then
        ovs_cv_python3=$PYTHON3
      else
        ovs_cv_python3=no
-        for binary in python3 python3.6 python3.7 python3.8 python3.9 python3.10 python3.11 python3.12; do
+        for binary in python3 python3.7 python3.8 python3.9 python3.10 python3.11 python3.12 python3.13; do
          ovs_save_IFS=$IFS; IFS=$PATH_SEPARATOR
          for dir in $PATH; do
            IFS=$ovs_save_IFS
            test -z "$dir" && dir=.
            if test -x "$dir"/"$binary" && "$dir"/"$binary" -c 'import sys
-if sys.hexversion >= 0x03060000 and sys.hexversion < 0x04000000:
+if sys.hexversion >= 0x03070000 and sys.hexversion < 0x04000000:
    sys.exit(0)
 else:
    sys.exit(1)'; then
@ -385,7 +385,7 @@ else:
        done
      fi])
   if test "$ovs_cv_python3" = no; then
-     AC_MSG_ERROR([Python 3.6 or later is required but not found in $PATH, please install it or set $PYTHON3 to point to it])
+     AC_MSG_ERROR([Python 3.7 or later is required but not found in $PATH, please install it or set $PYTHON3 to point to it])
   fi
   AC_ARG_VAR([PYTHON3])
   PYTHON3=$ovs_cv_python3])
--- a/python/ovs/stream.py
+++ b/python/ovs/stream.py
@ -794,10 +794,9 @@ class SSLStream(Stream):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.verify_mode = ssl.CERT_REQUIRED
        ctx.check_hostname = False
-        ctx.options |= ssl.OP_NO_SSLv2
-        ctx.options |= ssl.OP_NO_SSLv3
-        ctx.options |= ssl.OP_NO_TLSv1
-        ctx.options |= ssl.OP_NO_TLSv1_1
+        # Only allow TLSv1.2 or later.
+        ctx.minimum_version = ssl.TLSVersion.TLSv1_2
+        ctx.maximum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED
        # If the client has not set the SSL/TLS configuration files
        # exception would be raised.
        ctx.load_verify_locations(Stream._SSL_ca_cert_file)
--- a/python/setup.py.template
+++ b/python/setup.py.template
@ -93,7 +93,7 @@ setup_args = dict(
        'Topic :: System :: Networking',
        'License :: OSI Approved :: Apache Software License',
        'Programming Language :: Python :: 3',
-        'Programming Language :: Python :: 3.6',
+        'Programming Language :: Python :: 3.7',
    ],
    ext_modules=[setuptools.Extension("ovs._json",
                                      sources=["ovs/_json.c"],