stream-ssl: Drop support for OpenSSL 1.1.0 and older.

OpenSSL 1.1.0 reached EoL 5 years ago on 11 Sep 2019. Vast majority of distributions moved to newer versions long time ago. OpenSSL 1.1.1 introduced a lot of new APIs and deprecated a lot of old ones. It also introduced support for TLSv1.3 with a pack of APIs specific to that version. Requiring OpenSSL 1.1.1 or newer will allow us to get rid of use of many deprecated APIs as well as introduce explicit support for TLSv1.3 without polluting the code with conditional compiling. Python community did an exceptional investigation on benefits of dropping support for OpenSSL 1.1.0 when they did the same in 2021: https://peps.python.org/pep-0644/ We do not officially support building with LibreSSL, but all the ifdefs for it are not necessary today, as LibreSSL implemented all the missing APIs. Also, most major distributions either moved away from LibreSSL or provide OpenSSL as an alternative. This commit only removes explicit workarounds. We'll start replacing deprecated APIs in the next ones. OpenSSL 1.1.1 also reached end of life in 2023, but it's not a big burden to support, and many distributions are still using it and will continue using it for quite some time. Acked-by: Eelco Chaudron <echaudro@redhat.com> Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
2025-08-22 09:58:01 +00:00 · 2024-12-09 17:38:46 +01:00 · 2024-12-09 17:38:46 +01:00 · 4b2016b82f
commit 4b2016b82f
parent 49f299313d
7 changed files with 2 additions and 57 deletions
--- a/1
+++ b/1
@ -14,6 +14,7 @@ Post-v3.4.0
     * TLSv1 and TLSv1.1 protocols are deprecated and disabled by default
       on OpenFlow and database connections.  Use --ssl-protocols to turn
       them back on.  Support will be fully removed in the next release.
+     * OpenSSL 1.1.1 or newer is now required for SSL/TLS support.
   - Userspace datapath:
     * The default zone limit, if set, is now inherited by any zone
       that does not have a specific value defined, rather than being
--- a/build-aux/generate-dhparams-c
+++ b/build-aux/generate-dhparams-c
@ -83,13 +83,7 @@ static int
 my_DH_set0_pqg(DH *dh, BIGNUM *p, const BIGNUM **q OVS_UNUSED, BIGNUM *g)
 {
    ovs_assert(q == NULL);
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined (LIBRESSL_VERSION_NUMBER)
-    dh->p = p;
-    dh->g = g;
-    return 1;
-#else
    return DH_set0_pqg(dh, p, NULL, g);
-#endif
 }
 EOF
 dhparam_to_c lib/dh2048.pem
--- a/lib/dhparams.c
+++ b/lib/dhparams.c
@ -11,13 +11,7 @@ static int
 my_DH_set0_pqg(DH *dh, BIGNUM *p, const BIGNUM **q OVS_UNUSED, BIGNUM *g)
 {
    ovs_assert(q == NULL);
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined (LIBRESSL_VERSION_NUMBER)
-    dh->p = p;
-    dh->g = g;
-    return 1;
-#else
    return DH_set0_pqg(dh, p, NULL, g);
-#endif
 }
 DH *get_dh2048(void)
 {
--- a/lib/stream-ssl.c
+++ b/lib/stream-ssl.c
@ -286,14 +286,12 @@ new_ssl_stream(char *name, char *server_name, int fd, enum session_type type,
    if (!verify_peer_cert || (bootstrap_ca_cert && type == CLIENT)) {
        SSL_set_verify(ssl, SSL_VERIFY_NONE, NULL);
    }
-#if OPENSSL_SUPPORTS_SNI
    if (server_name && !SSL_set_tlsext_host_name(ssl, server_name)) {
        VLOG_ERR("%s: failed to set server name indication (%s)",
                 server_name, ERR_error_string(ERR_get_error(), NULL));
        retval = ENOPROTOOPT;
        goto error;
    }
-#endif

    /* Create and return the ssl_stream. */
    sslv = xmalloc(sizeof *sslv);
@ -499,14 +497,7 @@ get_peer_common_name(const struct ssl_stream *sslv)
        goto error;
    }

-    const char *cn;
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined (LIBRESSL_VERSION_NUMBER)
-    /* ASN1_STRING_data() is deprecated as of OpenSSL version 1.1 */
-    cn = (const char *)ASN1_STRING_data(cn_data);
-#else
-    cn = (const char *)ASN1_STRING_get0_data(cn_data);
- #endif
-    peer_name = xstrdup(cn);
+    peer_name = xstrdup((const char *) ASN1_STRING_get0_data(cn_data));

 error:
    X509_free(peer_cert);
@ -571,13 +562,11 @@ ssl_connect(struct stream *stream)
                "rejecting SSL/TLS connection during bootstrap race window");
            return EPROTO;
        } else {
-#if OPENSSL_SUPPORTS_SNI
            const char *servername = SSL_get_servername(
                sslv->ssl, TLSEXT_NAMETYPE_host_name);
            if (servername) {
                VLOG_DBG("connection indicated server name %s", servername);
            }
-#endif

            char *cn = get_peer_common_name(sslv);

@ -1016,15 +1005,6 @@ do_ssl_init(void)
 {
    SSL_METHOD *method;

-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined (LIBRESSL_VERSION_NUMBER)
-#ifdef _WIN32
-    /* The following call is needed if we "#include <openssl/applink.c>". */
-    CRYPTO_malloc_init();
-#endif
-    SSL_library_init();
-    SSL_load_error_strings();
-#endif
-
    if (!RAND_status()) {
        /* We occasionally see OpenSSL fail to seed its random number generator
         * in heavily loaded hypervisors.  I suspect the following scenario:
@ -1269,12 +1249,6 @@ stream_ssl_set_protocols(const char *arg)
    }

    /* Start with all the flags off and turn them on as requested. */
-#ifndef SSL_OP_NO_SSL_MASK
-    /* For old OpenSSL without this macro, this is the correct value.  */
-#define SSL_OP_NO_SSL_MASK (SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | \
-                            SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | \
-                            SSL_OP_NO_TLSv1_2)
-#endif
    long protocol_flags = SSL_OP_NO_SSL_MASK;
    struct {
        const char *name;
--- a/m4/openvswitch.m4
+++ b/m4/openvswitch.m4
@ -293,22 +293,6 @@ OpenFlow connections over SSL/TLS will not be supported.
   if test "$HAVE_OPENSSL" = yes; then
      AC_DEFINE([HAVE_OPENSSL], [1], [Define to 1 if OpenSSL is installed.])
   fi
-
-   OPENSSL_SUPPORTS_SNI=no
-   if test $HAVE_OPENSSL = yes; then
-      save_CPPFLAGS=$CPPFLAGS
-      CPPFLAGS="$CPPFLAGS $SSL_INCLUDES"
-      AC_CHECK_DECL([SSL_set_tlsext_host_name], [OPENSSL_SUPPORTS_SNI=yes],
-                    [], [#include <openssl/ssl.h>
-])
-      if test $OPENSSL_SUPPORTS_SNI = yes; then
-        AC_DEFINE(
-          [OPENSSL_SUPPORTS_SNI], [1],
-          [Define to 1 if OpenSSL supports Server Name Indication (SNI).])
-      fi
-      CPPFLAGS=$save_CPPFLAGS
-   fi
-   AC_SUBST([OPENSSL_SUPPORTS_SNI])
 ])

 dnl Checks for libraries needed by lib/socket-util.c.
--- a/tests/atlocal.in
+++ b/tests/atlocal.in
@ -1,6 +1,5 @@
 # -*- shell-script -*-
 HAVE_OPENSSL='@HAVE_OPENSSL@'
-OPENSSL_SUPPORTS_SNI='@OPENSSL_SUPPORTS_SNI@'
 HAVE_UNBOUND='@HAVE_UNBOUND@'
 HAVE_BACKTRACE='@HAVE_BACKTRACE@'
 HAVE_UNWIND='@HAVE_UNWIND@'
--- a/tests/ovs-vsctl.at
+++ b/tests/ovs-vsctl.at
@ -1734,7 +1734,6 @@ AT_CLEANUP
 AT_SETUP([TLS server name indication (SNI)])
 AT_KEYWORDS([ovsdb server positive ssl tls sni])
 AT_SKIP_IF([test "$HAVE_OPENSSL" = no])
-AT_SKIP_IF([test "$OPENSSL_SUPPORTS_SNI" = no])
 AT_SKIP_IF([test "$HAVE_UNBOUND" = no])
 OVSDB_INIT([conf.db])
 PKIDIR=$abs_top_builddir/tests