ovn: ssl proto/cipher configuration in nb/sb db

Add SSL protocol and cipher columns to SSL tables in northbound and southbound databases. Start nb/sb ovsdb-server with command- line options to use these columns. Add support to ovn-nbctl and ovn-sbctl "set-ssl" commands for user-friendly management of these settings. Signed-off-by: Lance Richardson <lrichard@redhat.com> Signed-off-by: Ben Pfaff <blp@ovn.org>
2025-08-22 01:51:26 +00:00 · 2017-06-07 13:35:20 -04:00 · 2017-06-07 13:35:20 -04:00 · 51af591bd3
commit 51af591bd3
parent 6cf5c52147
10 changed files with 64 additions and 10 deletions
--- a/ovn/ovn-nb.ovsschema
+++ b/ovn/ovn-nb.ovsschema
@ -1,7 +1,7 @@
 {
    "name": "OVN_Northbound",
    "version": "5.6.0",
-    "cksum": "1358108512 15019",
+    "cksum": "2552205612 15123",
    "tables": {
        "NB_Global": {
            "columns": {
@ -287,6 +287,8 @@
                "certificate": {"type": "string"},
                "ca_cert": {"type": "string"},
                "bootstrap_ca_cert": {"type": "boolean"},
+                "ssl_protocols": {"type": "string"},
+                "ssl_ciphers": {"type": "string"},
                "external_ids": {"type": {"key": "string",
                                          "value": "string",
                                          "min": 0,
--- a/ovn/ovn-nb.xml
+++ b/ovn/ovn-nb.xml
@ -2084,6 +2084,17 @@
      CA certificate.</em>  It may still be useful for bootstrapping.
    </column>

+    <column name="ssl_protocols">
+      List of SSL protocols to be enabled for SSL connections. The default
+      when this option is omitted is <code>TLSv1,TLSv1.1,TLSv1.2</code>.
+    </column>
+
+    <column name="ssl_ciphers">
+      List of ciphers (in OpenSSL cipher string format) to be supported
+      for SSL connections. The default when this option is omitted is
+      <code>HIGH:!aNULL:!MD5</code>.
+    </column>
+
    <group title="Common Columns">
      The overall purpose of these columns is described under <code>Common
      Columns</code> at the beginning of this document.
--- a/ovn/ovn-sb.ovsschema
+++ b/ovn/ovn-sb.ovsschema
@ -1,7 +1,7 @@
 {
    "name": "OVN_Southbound",
    "version": "1.12.1",
-    "cksum": "1914140659 10905",
+    "cksum": "761192506 11009",
    "tables": {
        "SB_Global": {
            "columns": {
@ -201,6 +201,8 @@
                "certificate": {"type": "string"},
                "ca_cert": {"type": "string"},
                "bootstrap_ca_cert": {"type": "boolean"},
+                "ssl_protocols": {"type": "string"},
+                "ssl_ciphers": {"type": "string"},
                "external_ids": {"type": {"key": "string",
                                          "value": "string",
                                          "min": 0,
--- a/ovn/ovn-sb.xml
+++ b/ovn/ovn-sb.xml
@ -2779,6 +2779,17 @@ tcp.flags = RST;
      CA certificate.</em>  It may still be useful for bootstrapping.
    </column>

+    <column name="ssl_protocols">
+      List of SSL protocols to be enabled for SSL connections. The default
+      when this option is omitted is <code>TLSv1,TLSv1.1,TLSv1.2</code>.
+    </column>
+
+    <column name="ssl_ciphers">
+      List of ciphers (in OpenSSL cipher string format) to be supported
+      for SSL connections. The default when this option is omitted is
+      <code>HIGH:!aNULL:!MD5</code>.
+    </column>
+
    <group title="Common Columns">
      The overall purpose of these columns is described under <code>Common
      Columns</code> at the beginning of this document.
--- a/ovn/utilities/ovn-ctl
+++ b/ovn/utilities/ovn-ctl
@ -108,6 +108,8 @@ start_nb_ovsdb() {
        set "$@" --private-key=db:OVN_Northbound,SSL,private_key
        set "$@" --certificate=db:OVN_Northbound,SSL,certificate
        set "$@" --ca-cert=db:OVN_Northbound,SSL,ca_cert
+        set "$@" --ssl-protocols=db:OVN_Northbound,SSL,ssl_protocols
+        set "$@" --ssl-ciphers=db:OVN_Northbound,SSL,ssl_ciphers

        if test X"$DB_NB_CREATE_INSECURE_REMOTE" = Xyes; then
            set "$@" --remote=ptcp:$DB_NB_PORT:$DB_NB_ADDR
@ -141,6 +143,8 @@ start_sb_ovsdb() {
        set "$@" --private-key=db:OVN_Southbound,SSL,private_key
        set "$@" --certificate=db:OVN_Southbound,SSL,certificate
        set "$@" --ca-cert=db:OVN_Southbound,SSL,ca_cert
+        set "$@" --ssl-protocols=db:OVN_Southbound,SSL,ssl_protocols
+        set "$@" --ssl-ciphers=db:OVN_Southbound,SSL,ssl_ciphers

        if test X"$DB_SB_CREATE_INSECURE_REMOTE" = Xyes; then
            set "$@" --remote=ptcp:$DB_SB_PORT:$DB_SB_ADDR
--- a/ovn/utilities/ovn-nbctl.8.xml
+++ b/ovn/utilities/ovn-nbctl.8.xml
@ -796,7 +796,9 @@
      Deletes the current SSL configuration.
      </dd>

-      <dt>[<code>--bootstrap</code>] <code>set-ssl</code> <var>private-key</var> <var>certificate</var> <var>ca-cert</var></dt>
+      <dt>[<code>--bootstrap</code>] <code>set-ssl</code>
+         <var>private-key</var> <var>certificate</var> <var>ca-cert</var>
+         [<var>ssl-protocol-list</var> [<var>ssl-cipher-list</var>]]</dt>
      <dd>
      Sets the SSL configuration.
      </dd>
--- a/ovn/utilities/ovn-nbctl.c
+++ b/ovn/utilities/ovn-nbctl.c
@ -430,7 +430,8 @@ Connection commands:\n\
 SSL commands:\n\
  get-ssl                     print the SSL configuration\n\
  del-ssl                     delete the SSL configuration\n\
-  set-ssl PRIV-KEY CERT CA-CERT  set the SSL configuration\n\
+  set-ssl PRIV-KEY CERT CA-CERT [SSL-PROTOS [SSL-CIPHERS]] \
+set the SSL configuration\n\
 \n\
 %s\
 \n\
@ -3069,6 +3070,13 @@ cmd_set_ssl(struct ctl_context *ctx)

    nbrec_ssl_set_bootstrap_ca_cert(ssl, bootstrap);

+    if (ctx->argc == 5) {
+        nbrec_ssl_set_ssl_protocols(ssl, ctx->argv[4]);
+    } else if (ctx->argc == 6) {
+        nbrec_ssl_set_ssl_protocols(ssl, ctx->argv[4]);
+        nbrec_ssl_set_ssl_ciphers(ssl, ctx->argv[5]);
+    }
+
    nbrec_nb_global_set_ssl(nb_global, ssl);
 }

@ -3463,8 +3471,9 @@ static const struct ctl_command_syntax nbctl_commands[] = {
    /* SSL commands. */
    {"get-ssl", 0, 0, "", pre_cmd_get_ssl, cmd_get_ssl, NULL, "", RO},
    {"del-ssl", 0, 0, "", pre_cmd_del_ssl, cmd_del_ssl, NULL, "", RW},
-    {"set-ssl", 3, 3, "PRIVATE-KEY CERTIFICATE CA-CERT", pre_cmd_set_ssl,
-     cmd_set_ssl, NULL, "--bootstrap", RW},
+    {"set-ssl", 3, 5,
+        "PRIVATE-KEY CERTIFICATE CA-CERT [SSL-PROTOS [SSL-CIPHERS]]",
+        pre_cmd_set_ssl, cmd_set_ssl, NULL, "--bootstrap", RW},

    {NULL, 0, 0, NULL, NULL, NULL, NULL, "", RO},
 };
--- a/ovn/utilities/ovn-sbctl.8.in
+++ b/ovn/utilities/ovn-sbctl.8.in
@ -246,7 +246,7 @@ Prints the SSL configuration.
 .IP "\fBdel\-ssl\fR"
 Deletes the current SSL configuration.
 .
-.IP "[\fB\-\-bootstrap\fR] \fBset\-ssl\fR \fIprivate-key\fR \fIcertificate\fR \fIca-cert\fR"
+.IP "[\fB\-\-bootstrap\fR] \fBset\-ssl\fR \fIprivate-key\fR \fIcertificate\fR \fIca-cert\fR [\fIssl-protocol-list\fR [\fIssl-cipher-list\fR]]"
 Sets the SSL configuration.  The \fB\-\-bootstrap\fR option is described
 below.
 .
--- a/ovn/utilities/ovn-sbctl.c
+++ b/ovn/utilities/ovn-sbctl.c
@ -319,7 +319,8 @@ Connection commands:\n\
 SSL commands:\n\
  get-ssl                     print the SSL configuration\n\
  del-ssl                     delete the SSL configuration\n\
-  set-ssl PRIV-KEY CERT CA-CERT  set the SSL configuration\n\
+  set-ssl PRIV-KEY CERT CA-CERT [SSL-PROTOS [SSL-CIPHERS]] \
+set the SSL configuration\n\
 \n\
 %s\
 \n\
@ -1114,6 +1115,13 @@ cmd_set_ssl(struct ctl_context *ctx)

    sbrec_ssl_set_bootstrap_ca_cert(ssl, bootstrap);

+    if (ctx->argc == 5) {
+        sbrec_ssl_set_ssl_protocols(ssl, ctx->argv[4]);
+    } else if (ctx->argc == 6) {
+        sbrec_ssl_set_ssl_protocols(ssl, ctx->argv[4]);
+        sbrec_ssl_set_ssl_ciphers(ssl, ctx->argv[5]);
+    }
+
    sbrec_sb_global_set_ssl(sb_global, ssl);
 }

@ -1407,8 +1415,9 @@ static const struct ctl_command_syntax sbctl_commands[] = {
    /* SSL commands. */
    {"get-ssl", 0, 0, "", pre_cmd_get_ssl, cmd_get_ssl, NULL, "", RO},
    {"del-ssl", 0, 0, "", pre_cmd_del_ssl, cmd_del_ssl, NULL, "", RW},
-    {"set-ssl", 3, 3, "PRIVATE-KEY CERTIFICATE CA-CERT", pre_cmd_set_ssl,
-     cmd_set_ssl, NULL, "--bootstrap", RW},
+    {"set-ssl", 3, 5,
+        "PRIVATE-KEY CERTIFICATE CA-CERT [SSL-PROTOS [SSL-CIPHERS]]",
+        pre_cmd_set_ssl, cmd_set_ssl, NULL, "--bootstrap", RW},

    {NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, RO},
 };
--- a/tutorial/ovs-sandbox
+++ b/tutorial/ovs-sandbox
@ -350,6 +350,8 @@ if $ovn; then
        --private-key=db:OVN_Northbound,SSL,private_key \
        --certificate=db:OVN_Northbound,SSL,certificate \
        --ca-cert=db:OVN_Northbound,SSL,ca_cert \
+        --ssl-protocols=db:OVN_Northbound,SSL,ssl_protocols \
+        --ssl-ciphers=db:OVN_Northbound,SSL,ssl_ciphers \
        --remote=punix:"$sandbox"/ovnnb_db.sock $ovsdb_nb_server_args
    rungdb $gdb_ovsdb $gdb_ovsdb_ex ovsdb-server --detach --no-chdir \
        --pidfile="$sandbox"/ovnsb_db.pid -vconsole:off \
@ -358,6 +360,8 @@ if $ovn; then
        --private-key=db:OVN_Southbound,SSL,private_key \
        --certificate=db:OVN_Southbound,SSL,certificate \
        --ca-cert=db:OVN_Southbound,SSL,ca_cert \
+        --ssl-protocols=db:OVN_Southbound,SSL,ssl_protocols \
+        --ssl-ciphers=db:OVN_Southbound,SSL,ssl_ciphers \
        --remote=punix:"$sandbox"/ovnsb_db.sock $ovsdb_sb_server_args
    # Start SB back up server
    rungdb $gdb_ovsdb $gdb_ovsdb_ex ovsdb-server --detach --no-chdir \