
stream-ssl: Add explicit support for configuring TLSv1.3.

TLSv1.3 is currently only supported implicitly, if the --ssl-protocols
are not provided, or with the recent range support like "TLSv1.2+".
However, it is not possible to explicitly ask for TLSv1.3 or set a
custom list of ciphersuites for it.  Fix that by adding TLSv1.3 to the
list of available protocols and adding a new --ssl-ciphersuites option.

The new option is necessary, because --ssl-ciphers translates into
SSL_CTX_set_cipher_list() that configures ciphers for TLSv1.2 and
earlier.  SSL_CTX_set_ciphersuites() sets ciphersuites for TLSv1.3
and later.

Tests updated to exercise new options and to reduce the use of
deprecated TLSv1 and TLSv1.1.

TLSv1.3 support was introduced in OpenSSL 1.1.1.

Acked-by: Eelco Chaudron <echaudro@redhat.com>
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
Ilya Maximets
2024-12-09 17:38:53 +01:00
parent 0e23c9cab8
commit 4d09d6b48e
9 changed files with 137 additions and 51 deletions


@@ -166,6 +166,7 @@ static struct ssl_config_file certificate;
static struct ssl_config_file ca_cert;
static char *ssl_protocols = "TLSv1.2+";
static char *ssl_ciphers = "DEFAULT:@SECLEVEL=2";
static char *ssl_ciphersuites = ""; /* Using default ones, unless specified. */
/* Ordinarily, the SSL client and server verify each other's certificates using
* a CA certificate. Setting this to false disables this behavior. (This is a
@@ -1220,8 +1221,8 @@ stream_ssl_set_key_and_cert(const char *private_key_file,
}
}
/* Sets SSL/TLS ciphers based on string input. Aborts with an error message
* if 'arg' is invalid. */
/* Sets SSL/TLS ciphers for TLSv1.2 and earlier based on string input.
* Aborts with an error message if 'arg' is not valid. */
void
stream_ssl_set_ciphers(const char *arg)
{
@@ -1235,6 +1236,21 @@ stream_ssl_set_ciphers(const char *arg)
ssl_ciphers = xstrdup(arg);
}
/* Sets TLS ciphersuites for TLSv1.3 and later based on string input.
* Aborts with an error message if 'arg' is not valid. */
void
stream_ssl_set_ciphersuites(const char *arg)
{
if (ssl_init() || !arg || !strcmp(ssl_ciphersuites, arg)) {
return;
}
if (SSL_CTX_set_ciphersuites(ctx, arg) == 0) {
VLOG_ERR("SSL_CTX_set_ciphersuites: %s",
ERR_error_string(ERR_get_error(), NULL));
}
ssl_ciphersuites = xstrdup(arg);
}
/* Set SSL/TLS protocols based on the string input. Aborts with an error
* message if 'arg' is invalid. */
void
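Review bot: In stream_ssl_set_ciphersuites a rejected list is only logged, and `ssl_ciphersuites = xstrdup(arg);` still runs, so the cached string no longer matches what the SSL_CTX actually uses, and a later call with the same value is short-circuited by the strcmp() guard instead of being retried; the header comment's "Aborts with an error message" also overstates what the code does. Either bail out before the assignment, `VLOG_ERR("SSL_CTX_set_ciphersuites: %s", ERR_error_string(ERR_get_error(), NULL)); return;`, or reword the comment to "Logs an error if 'arg' is rejected by OpenSSL." stream_ssl_set_ciphers appears to follow the same shape (its body is mostly outside the hunk, only the final xstrdup is visible), so whichever choice is made should be applied to both for consistency. The previous xstrdup'd value is overwritten without being freed on reconfiguration, which is a small leak if these setters can be called more than once; the initial value is a string literal, so any free would need a guard. SSL_CTX_set_ciphersuites() and TLS1_3_VERSION exist only from OpenSSL 1.1.1, as the commit message notes; if the project still builds against older OpenSSL these uses need an #ifdef guard, worth confirming against the configure check.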
@@ -1254,6 +1270,7 @@ stream_ssl_set_protocols(const char *arg)
{"TLSv1", TLS1_VERSION, true },
{"TLSv1.1", TLS1_1_VERSION, true },
{"TLSv1.2", TLS1_2_VERSION, false},
{"TLSv1.3", TLS1_3_VERSION, false},
};
char *dash = strchr(arg, '-');
bool or_later = false;