mir/ovs
2
0
Fork 0
mirror of https://github.com/openvswitch/ovs synced 2025-08-31 06:15:47 +00:00
Code Issues Releases Wiki Activity

stream-ssl: Remove support for deprecated TLSv1 and TLSv1.1.

Browse Source 
TLSv1 and TLSv1.1 are officially deprecated by RFC 8996 since March
of 2021:  https://datatracker.ietf.org/doc/rfc8996/

Both protocols should not generally be used (RFC says MUST NOT) and
are being actively removed from support by major distributions and
libraries.  They were deprecated and disabled by default in OVS 3.5
with the following commit:
  923a80d1d1 ("stream-ssl: Deprecate and disable TLSv1 and TLSv1.1.")

It's time to fully remove the support for these protocols.

Some infrastructure and parts of the documentation look a little
awkward since we're only supporting 2 versions of TLS now, so I tried
to re-word the text a little.  But I kept the code intact so we can
easily add new versions when they appear or deprecate TLSv1.2 when
the time comes, even though it may not be soon.

Acked-by: Eelco Chaudron <echaudro@redhat.com>
Acked-by: Kevin Traynor <ktraynor@redhat.com>
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
This commit is contained in:
Ilya Maximets
2025-02-24 22:26:24 +01:00
parent 19b8941620
commit 7b4d3137a1
5 changed files with 106 additions and 38 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
NEWS
View File

@@ -5,6 +5,9 @@ Post-v3.5.0
- ovs-ctl:
* Added a new option, --oom-score=<score>, to set the daemons' Linux
Out-Of-Memory (OOM) killer score.
- SSL/TLS:
* Support for deprecated TLSv1 and TLSv1.1 protocols on OpenFlow and
database connections is now removed.
- Tunnels:
* Support for previously deprecated LISP and STT tunnel port types
is now removed.

26
lib/ssl-connect.man
View File

@@ -1,24 +1,24 @@
.IP "\fB\-\-ssl\-protocols=\fIprotocols\fR"
Specifies a range or a comma- or space-delimited list of the SSL/TLS protocols
\fB\*(PN\fR will enable for SSL/TLS connections. Supported
\fIprotocols\fR include \fBTLSv1\fR (deprecated), \fBTLSv1.1\fR (deprecated),
\fBTLSv1.2\fR and \fBTLSv1.3\fR. Ranges can be provided in a form of two
protocol names separated with a dash, or as a single protocol name with a plus
sign. For example, use \fBTLSv1.1-TLSv1.3\fR to allow \fBTLSv1.1\fR,
\fBTLSv1.2\fR and \fBTLSv1.3\fR. Use \fBTLSv1.2+\fR to allow \fBTLSv1.2\fR and
any later protocol. The option accepts a list of protocols or exactly one
range. The range is a preferred way of specifying protocols and the option
always behaves as if the range between the minimum and the maximum specified
version is provided, i.e., if the option is set to \fBTLSv1.1,TLSv1.3\fR, the
\fBTLSv1.2\fR will also be enabled as if it was a range.
\fB\*(PN\fR will enable for SSL/TLS connections. Supported \fIprotocols\fR
include \fBTLSv1.2\fR and \fBTLSv1.3\fR.
Ranges can be provided in a form of two protocol names separated with a dash,
or as a single protocol name with a plus sign. For example, use
\fBTLSv1.2-TLSv1.3\fR to allow \fBTLSv1.2\fR and \fBTLSv1.3\fR. Use
\fBTLSv1.2+\fR to allow \fBTLSv1.2\fR and any later protocol.
The option accepts a list of protocols or exactly one range. The
range is a preferred way of specifying protocols and the option always behaves
as if the range between the minimum and the maximum specified version is
provided, i.e., if the option is set to \fBTLSv1.X,TLSv1.(X+2)\fR, the
\fBTLSv1.(X+1)\fR will also be enabled as if it was a range.
Regardless of order, the highest protocol supported by both sides will
be chosen when making the connection. The default when this option is
omitted is \fBTLSv1.2\fR or later.
.
.IP "\fB\-\-ssl\-ciphers=\fIciphers\fR"
Specifies, in OpenSSL cipher string format, the ciphers \fB\*(PN\fR will
support for SSL/TLS connections with TLSv1.2 and earlier. The default when
this option is omitted is \fBDEFAULT:@SECLEVEL=2\fR.
support for SSL/TLS connections with TLSv1.2.
The default when this option is omitted is \fBDEFAULT:@SECLEVEL=2\fR.
.
.IP "\fB\-\-ssl\-ciphersuites=\fIciphersuites\fR"
Specifies, in OpenSSL ciphersuite string format, the ciphersuites

4
lib/stream-ssl.c
View File

@@ -1221,7 +1221,7 @@ stream_ssl_set_key_and_cert(const char *private_key_file,
}
}
/* Sets SSL/TLS ciphers for TLSv1.2 and earlier based on string input.
/* Sets SSL/TLS ciphers for TLSv1.2 based on string input.
* Aborts with an error message if 'arg' is not valid. */
void
stream_ssl_set_ciphers(const char *arg)
@@ -1267,8 +1267,6 @@ stream_ssl_set_protocols(const char *arg)
bool deprecated;
} protocols[] = {
{"later", 0 /* any version */, false},
{"TLSv1", TLS1_VERSION, true },
{"TLSv1.1", TLS1_1_VERSION, true },
{"TLSv1.2", TLS1_2_VERSION, false},
{"TLSv1.3", TLS1_3_VERSION, false},
};

2
lib/stream.c
View File

@@ -161,7 +161,7 @@ stream_usage(const char *name, bool active, bool passive,
printf("SSL/TLS options:\n"
" --ssl-protocols=PROTOS range of SSL/TLS protocols to enable\n"
" --ssl-ciphers=CIPHERS list of SSL/TLS ciphers to enable\n"
" with TLSv1.2 and earlier\n"
" with TLSv1.2\n"
" --ssl-ciphersuites=SUITES list of SSL/TLS ciphersuites to\n"
" enable with TLSv1.3 and later\n");
#endif

109
tests/ovsdb-server.at
View File

@@ -912,17 +912,6 @@ AT_CHECK_UNQUOTED(
[[@<:@{"rows":@<:@{"private_key":"$PKIDIR/testpki-privkey2.pem"}@:>@}@:>@
]], [ignore])
# Check that, when the server has TLSv1.2+ and the client has
# TLSv1.1, connection fails.
AT_CHECK(SSL_OVSDB_CLIENT([TLSv1.1]), [1], [stdout], [stderr])
cat stderr > output
AT_CHECK_UNQUOTED(
[sed -n "/failed to connect/s/ (.*)//p" output], [0],
[ovsdb-client: failed to connect to "ssl:127.0.0.1:$SSL_PORT"
],
[ignore])
AT_CHECK([grep -q 'TLSv1.1 protocol is deprecated' output])
AT_CHECK([grep -q 'Enabled protocol range: TLSv1.1 - TLSv1.1' stderr])
# Check that when ciphers are not compatible, a negotiation
# failure occurs.
AT_CHECK(SSL_OVSDB_CLIENT([TLSv1.2], [ECDHE-ECDSA-AES256-GCM-SHA384]),
@@ -954,22 +943,100 @@ AT_CHECK_UNQUOTED(
AT_CHECK([grep -q -E "(sslv3|ssl/tls) alert handshake failure" output])
# Checking parsing of different protocol ranges.
AT_CHECK(SSL_OVSDB_CLIENT([TLSv1.1,TLSv1.3]), [0], [stdout], [stderr])
AT_CHECK([grep -q 'Enabled protocol range: TLSv1.1 - TLSv1.3' stderr])
AT_CHECK([grep -q \
'TLSv1.2 is not configured, but will be enabled anyway' stderr])
AT_CHECK(SSL_OVSDB_CLIENT([TLSv1.1-TLSv1.3]), [0], [stdout], [stderr])
AT_CHECK([grep -q 'Enabled protocol range: TLSv1.1 - TLSv1.3' stderr])
AT_CHECK([grep -q 'will be enabled anyway' stderr], [1])
AT_CHECK(SSL_OVSDB_CLIENT([TLSv1.3-TLSv1.1]), [0], [stdout], [stderr])
AT_CHECK([grep -q 'Enabled protocol range: TLSv1.1 - TLSv1.3' stderr])
AT_CHECK([grep -q 'will be enabled anyway' stderr], [1])
AT_CHECK(SSL_OVSDB_CLIENT([TLSv1.2,TLSv1.3]), [0], [stdout], [stderr])
AT_CHECK([grep -q 'Enabled protocol range: TLSv1.2 - TLSv1.3' stderr])
AT_CHECK(SSL_OVSDB_CLIENT([TLSv1.2-TLSv1.3]), [0], [stdout], [stderr])
AT_CHECK([grep -q 'Enabled protocol range: TLSv1.2 - TLSv1.3' stderr])
AT_CHECK(SSL_OVSDB_CLIENT([TLSv1.3-TLSv1.2]), [0], [stdout], [stderr])
AT_CHECK([grep -q 'Enabled protocol range: TLSv1.2 - TLSv1.3' stderr])
AT_CHECK(SSL_OVSDB_CLIENT([TLSv1.3+]), [0], [stdout], [stderr])
AT_CHECK([grep -q 'Enabled protocol range: TLSv1.3 or later' stderr])
AT_CHECK(SSL_OVSDB_CLIENT([TLSv1.2-TLSv1.3,TLSv1.3+]), [0], [stdout], [stderr])
AT_CHECK([grep -q 'SSL/TLS protocol not recognized' stderr])
AT_CHECK(SSL_OVSDB_CLIENT([TLSv1.2+TLSv1.3]), [0], [stdout], [stderr])
AT_CHECK([grep -q 'SSL/TLS protocol not recognized' stderr])
AT_CHECK(SSL_OVSDB_CLIENT([TLSv1+]), [0], [stdout], [stderr])
AT_CHECK([grep -q 'SSL/TLS protocol not recognized' stderr])
AT_CHECK(SSL_OVSDB_CLIENT([TLSv1.1]), [0], [stdout], [stderr])
AT_CHECK([grep -q 'SSL/TLS protocol not recognized' stderr])
OVSDB_SERVER_SHUTDOWN(["
/stream_ssl|WARN/d
/Protocol error/d
"])
AT_CLEANUP
AT_SETUP([SSL/TLS db: implementation (TLSv1.3 only)])
AT_KEYWORDS([ovsdb server positive ssl tls $5])
AT_SKIP_IF([test "$HAVE_OPENSSL" = no])
# For this test, we pass PKIDIR through a ovsdb-tool transact and
# msys on Windows does not convert the path style automatically.
# So, do that forcefully with a 'pwd -W' (called through pwd() function).
PKIDIR="$(cd $abs_top_builddir/tests && pwd)"
AT_SKIP_IF([expr "$PKIDIR" : ".*[[ '\"
\\]]"])
AT_DATA([schema],
[[{"name": "mydb",
"tables": {
"SSL": {
"columns": {
"private_key": {"type": "string"},
"certificate": {"type": "string"},
"ca_cert": {"type": "string"},
"ssl_protocols" : {"type": "string"},
"ssl_ciphers" : {"type" : "string"},
"ssl_ciphersuites" : {"type": "string"}
}}}}
]])
AT_CHECK([ovsdb-tool create db schema], [0], [stdout], [ignore])
AT_CHECK(
[[ovsdb-tool transact db \
'["mydb",
{"op": "insert",
"table": "SSL",
"row": {"private_key": "'"$PKIDIR/testpki-privkey2.pem"'",
"certificate": "'"$PKIDIR/testpki-cert2.pem"'",
"ca_cert": "'"$PKIDIR/testpki-cacert.pem"'",
"ssl_protocols": "'"TLSv1.3"'"
}}]']],
[0], [ignore], [ignore])
on_exit 'kill `cat *.pid`'
AT_CHECK(
[ovsdb-server --log-file --detach --no-chdir --pidfile \
--private-key=db:mydb,SSL,private_key \
--certificate=db:mydb,SSL,certificate \
--ca-cert=db:mydb,SSL,ca_cert \
--ssl-protocols=db:mydb,SSL,ssl_protocols \
--ssl-ciphers=db:mydb,SSL,ssl_ciphers \
--ssl-ciphersuites=db:mydb,SSL,ssl_ciphersuites \
--remote=pssl:0:127.0.0.1 db],
[0], [ignore], [ignore])
PARSE_LISTENING_PORT([ovsdb-server.log], [SSL_PORT])
# SSL_OVSDB_CLIENT(PROTOCOL)
m4_define([SSL_OVSDB_CLIENT], [dnl
ovsdb-client -vconsole:stream_ssl:dbg \
--private-key=$PKIDIR/testpki-privkey.pem \
--certificate=$PKIDIR/testpki-cert.pem \
--ca-cert=$PKIDIR/testpki-cacert.pem \
--ssl-protocols=[$1] \
transact ssl:127.0.0.1:$SSL_PORT \
'[[["mydb",
{"op": "select",
"table": "SSL",
"where": [],
"columns": ["private_key"]}]]]'])
# Check that, when the server has TLSv1.3 and the client has
# TLSv1.2, connection fails.
AT_CHECK(SSL_OVSDB_CLIENT([TLSv1.2]), [1], [stdout], [stderr])
cat stderr > output
AT_CHECK_UNQUOTED(
[sed -n "/failed to connect/s/ (.*)//p" output], [0],
[ovsdb-client: failed to connect to "ssl:127.0.0.1:$SSL_PORT"
],
[ignore])
AT_CHECK([grep -q 'Enabled protocol range: TLSv1.2 - TLSv1.2' stderr])
OVSDB_SERVER_SHUTDOWN(["
/stream_ssl|WARN/d