mirror of https://github.com/openvswitch/ovs synced 2025-08-31 14:25:26 +00:00

treewide: Refer to SSL configuration as SSL/TLS.

The SSL protocol family is not actually being used or supported in OVS.
What we use is actually TLS.

Terms "SSL" and "TLS" are often used interchangeably in modern
software and refer to the same thing, which is normally just TLS.

Let's replace "SSL" with "SSL/TLS" in documentation and user-visible
messages, where it makes sense.  This may make it more clear what
is meant for a less experienced user that may look for TLS support
in OVS and not find much.

We're not changing any actual code, because, for example, most of the
OpenSSL APIs are using just SSL, for historical reasons.  And our
database is using an "SSL" table.  We may consider migrating to "TLS"
naming for user-visible configuration like command line arguments
and database names, but that will require extra work on making sure
upgrades can still work.  In general, slightly more clear
documentation should be enough for now, especially since the term SSL
is still widely used in the industry.

"SSL/TLS" is chosen over "TLS/SSL" simply because our user-visible
configuration knobs are using "SSL" naming, e.g. '--ssl-cyphers'
or 'ovs-vsctl set-ssl'.  So, it might be less confusing this way.
We may switch that, if we decide on re-working the user-visible
commands towards "TLS" naming, or providing both alternatives.

Some other projects did similar changes.  For example, the Python ssl
library is now using "TLS/SSL" in the documentation whenever possible.
Same goes for OpenSSL itself.

Acked-by: Eelco Chaudron <echaudro@redhat.com>
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
Ilya Maximets
2024-12-09 17:38:45 +01:00
parent 923a80d1d1
commit 49f299313d
33 changed files with 212 additions and 203 deletions


@@ -537,7 +537,7 @@ class Reconnect(object):
connections that quickly abort, so it is OK to call
self.connected() after a low-level successful connection
(e.g. connect()) even if the connection might soon abort due to a
failure at a high-level (e.g. SSL negotiation failure).
failure at a high-level (e.g. SSL/TLS negotiation failure).
- Passive client, ovs.reconnect.CONNECT: The client should try to
listen for a connection, if it is not already listening. It


@@ -728,7 +728,7 @@ def usage(name):
Active %s connection methods:
unix:FILE Unix domain socket named FILE
tcp:HOST:PORT TCP socket to HOST with port no of PORT
ssl:HOST:PORT SSL socket to HOST with port no of PORT
ssl:HOST:PORT SSL/TLS socket to HOST with port no of PORT
Passive %s connection methods:
punix:FILE Listen on Unix domain socket FILE""" % (name, name)
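Review bot: the description on the `ssl:HOST:PORT` line now says "SSL/TLS socket" while the method name itself stays `ssl:`, so a user who searches this usage text for "tls" still finds nothing telling them that `ssl:` is the TLS transport, which is exactly the user the commit message says it wants to help. Consider a short parenthetical on that line, e.g. `ssl:HOST:PORT SSL/TLS socket to HOST with port no of PORT (TLS is used)`, or a one-line remark under the active connection methods.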
@@ -797,7 +797,7 @@ class SSLStream(Stream):
ctx.options |= ssl.OP_NO_SSLv3
ctx.options |= ssl.OP_NO_TLSv1
ctx.options |= ssl.OP_NO_TLSv1_1
# If the client has not set the SSL configuration files
# If the client has not set the SSL/TLS configuration files
# exception would be raised.
ctx.load_verify_locations(Stream._SSL_ca_cert_file)
ctx.load_cert_chain(Stream._SSL_certificate_file,
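Review bot: the reworded comment is still missing its comma and article, so "If the client has not set the SSL/TLS configuration files exception would be raised." does not read as one sentence. Since the line is being touched anyway, suggest "# If the client has not set the SSL/TLS configuration files, an exception will be raised." split across the two comment lines as before.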
@@ -821,7 +821,7 @@ class SSLStream(Stream):
if retval:
return retval
# TCP Connection is successful. Now do the SSL handshake
# TCP Connection is successful. Now do the SSL/TLS handshake.
try:
self.socket.do_handshake()
except ssl.SSLWantReadError:
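Review bot: minor style on the touched comment: "TCP Connection" capitalizes a common noun mid-sentence; suggest "# TCP connection is successful. Now do the SSL/TLS handshake." The added trailing period matches the other comments updated in this change.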
@@ -864,5 +864,5 @@ class SSLStream(Stream):
if ssl:
# Register SSL only if the OpenSSL module is available
# Register SSL/TLS only if the OpenSSL module is available.
Stream.register_method("ssl", SSLStream)
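Review bot: the comment says "OpenSSL module", but the guard `if ssl:` appears to test whether Python's `ssl` module was imported (the same module referenced as `ssl.SSLWantReadError` and `ssl.OP_NO_TLSv1` in the hunks above), not OpenSSL directly. Suggest "# Register SSL/TLS only if the Python ssl module is available." so the comment names the thing actually being checked.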