
treewide: Refer to SSL configuration as SSL/TLS.

SSL protocol family is not actually being used or supported in OVS.
What we use is actually TLS.

Terms "SSL" and "TLS" are often used interchangeably in modern
software and refer to the same thing, which is normally just TLS.

Let's replace "SSL" with "SSL/TLS" in documentation and user-visible
messages, where it makes sense.  This may make it more clear what
is meant for a less experienced user that may look for TLS support
in OVS and not find much.

We're not changing any actual code, because, for example, most of
OpenSSL APIs are using just SSL, for historical reasons.  And our
database is using "SSL" table.  We may consider migrating to "TLS"
naming for user-visible configuration like command line arguments
and database names, but that will require extra work on making sure
upgrades can still work.  In general, a slightly more clear
documentation should be enough for now, especially since term SSL
is still widely used in the industry.

"SSL/TLS" is chosen over "TLS/SSL" simply because our user-visible
configuration knobs are using "SSL" naming, e.g. '--ssl-ciphers'
or 'ovs-vsctl set-ssl'.  So, it might be less confusing this way.
We may switch that, if we decide on re-working the user-visible
commands towards "TLS" naming, or providing both alternatives.

Some other projects did similar changes.  For example, the python ssl
library is now using "TLS/SSL" in the documentation whenever possible.
Same goes for OpenSSL itself.

Acked-by: Eelco Chaudron <echaudro@redhat.com>
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
This commit is contained in:
Ilya Maximets
2024-12-09 17:38:45 +01:00
parent 923a80d1d1
commit 49f299313d
33 changed files with 212 additions and 203 deletions


@@ -64,7 +64,7 @@
VLOG_DEFINE_THIS_MODULE(stream_ssl);
/* Active SSL. */
/* Active SSL/TLS. */
enum ssl_state {
STATE_TCP_CONNECTING,
@@ -567,7 +567,8 @@ ssl_connect(struct stream *stream)
* certificate, but that's more trouble than it's worth. These
* connections will succeed the next time they retry, assuming that
* they have a certificate against the correct CA.) */
VLOG_INFO("rejecting SSL connection during bootstrap race window");
VLOG_INFO(
"rejecting SSL/TLS connection during bootstrap race window");
return EPROTO;
} else {
#if OPENSSL_SUPPORTS_SNI
@@ -671,7 +672,7 @@ interpret_ssl_error(const char *function, int ret, int error,
function, ovs_strerror(status));
return status;
} else {
VLOG_WARN_RL(&rl, "%s: unexpected SSL connection close",
VLOG_WARN_RL(&rl, "%s: unexpected SSL/TLS connection close",
function);
return EPROTO;
}
@@ -873,7 +874,7 @@ const struct stream_class ssl_stream_class = {
ssl_wait, /* wait */
};
/* Passive SSL. */
/* Passive SSL/TLS. */
struct pssl_pstream
{
@@ -1056,8 +1057,8 @@ do_ssl_init(void)
/* OpenSSL has a bunch of "connection methods": SSLv2_method(),
* SSLv3_method(), TLSv1_method(), SSLv23_method(), ... Most of these
* support exactly one version of SSL, e.g. TLSv1_method() supports TLSv1
* only, not any earlier *or later* version. The only exception is
* support exactly one version of SSL/TLS, e.g. TLSv1_method() supports
* TLSv1 only, not any earlier *or later* version. The only exception is
* SSLv23_method(), which in fact supports *any* version of SSL and TLS.
* We don't want SSLv2 or SSLv3 support, so we turn it off below with
* SSL_CTX_set_options().
@@ -1132,7 +1133,7 @@ tmp_dh_callback(SSL *ssl OVS_UNUSED, int is_export OVS_UNUSED, int keylength)
}
#endif
/* Returns true if SSL is at least partially configured. */
/* Returns true if SSL/TLS is at least partially configured. */
bool
stream_ssl_is_configured(void)
{
@@ -1243,7 +1244,7 @@ stream_ssl_set_key_and_cert(const char *private_key_file,
}
}
/* Sets SSL ciphers based on string input. Aborts with an error message
/* Sets SSL/TLS ciphers based on string input. Aborts with an error message
* if 'arg' is invalid. */
void
stream_ssl_set_ciphers(const char *arg)
@@ -1258,8 +1259,8 @@ stream_ssl_set_ciphers(const char *arg)
ssl_ciphers = xstrdup(arg);
}
/* Set SSL protocols based on the string input. Aborts with an error message
* if 'arg' is invalid. */
/* Set SSL/TLS protocols based on the string input. Aborts with an error
* message if 'arg' is invalid. */
void
stream_ssl_set_protocols(const char *arg)
{
@@ -1289,7 +1290,7 @@ stream_ssl_set_protocols(const char *arg)
char *save_ptr = NULL;
char *word = strtok_r(s, " ,\t", &save_ptr);
if (word == NULL) {
VLOG_ERR("SSL protocol settings invalid");
VLOG_ERR("SSL/TLS protocol settings invalid");
goto exit;
}
while (word != NULL) {
@@ -1306,7 +1307,7 @@ stream_ssl_set_protocols(const char *arg)
}
if (!no_flag) {
VLOG_ERR("%s: SSL protocol not recognized", word);
VLOG_ERR("%s: SSL/TLS protocol not recognized", word);
goto exit;
}
@@ -1484,17 +1485,18 @@ stream_ssl_set_ca_cert_file__(const char *file_name,
}
/* Sets 'file_name' as the name of the file from which to read the CA
* certificate used to verify the peer within SSL connections. If 'bootstrap'
* is false, the file must exist. If 'bootstrap' is false, then the file is
* read if it is exists; if it does not, then it will be created from the CA
* certificate received from the peer on the first SSL connection. */
* certificate used to verify the peer within SSL/TLS connections. If
* 'bootstrap' is false, the file must exist. If 'bootstrap' is false, then
* the file is read if it is exists; if it does not, then it will be created
* from the CA certificate received from the peer on the first SSL/TLS
* connection. */
void
stream_ssl_set_ca_cert_file(const char *file_name, bool bootstrap)
{
stream_ssl_set_ca_cert_file__(file_name, bootstrap, false);
}
/* SSL protocol logging. */
/* SSL/TLS protocol logging. */
static const char *
ssl_alert_level_to_string(uint8_t type)