mirror of https://github.com/openvswitch/ovs synced 2025-09-05 08:45:23 +00:00

stream-ssl: Remove support for deprecated TLSv1 and TLSv1.1.

TLSv1 and TLSv1.1 are officially deprecated by RFC 8996 since March
of 2021:  https://datatracker.ietf.org/doc/rfc8996/

Both protocols should not generally be used (RFC says MUST NOT) and
are being actively removed from support by major distributions and
libraries.  They were deprecated and disabled by default in OVS 3.5
with the following commit:
  923a80d1d1 ("stream-ssl: Deprecate and disable TLSv1 and TLSv1.1.")

It's time to fully remove the support for these protocols.

Some infrastructure and parts of the documentation look a little
awkward since we're only supporting 2 versions of TLS now, so I tried
to re-word the text a little.  But I kept the code intact so we can
easily add new versions when they appear or deprecate TLSv1.2 when
the time comes, even though it may not be soon.

Acked-by: Eelco Chaudron <echaudro@redhat.com>
Acked-by: Kevin Traynor <ktraynor@redhat.com>
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
Ilya Maximets
2025-02-24 22:26:24 +01:00
parent 19b8941620
commit 7b4d3137a1
5 changed files with 106 additions and 38 deletions
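The commit message above describes dropping TLSv1 and TLSv1.1 from an allowlist of protocol names and keeping the table shape so future versions can be added or deprecated. The following is an added example, not Open vSwitch code: it shows the same allowlist idea in Python, using the standard `ssl` module in place of OpenSSL's C API. The table contents mirror the diff, but the parsing syntax (a comma- or space-separated list, optionally followed by "or later", modelled on the `"later"` entry) is an assumption of this example, as are the function names `parse_protocols` and `make_context`.

```python
"""Allowlist-based TLS protocol selection (added example, not OVS code)."""
import re
import ssl

# Exported for convenience; TLSVersion is an IntEnum so values compare by wire number.
TLS12 = ssl.TLSVersion.TLSv1_2
TLS13 = ssl.TLSVersion.TLSv1_3

# Constructed table modelled on the 'protocols[]' array in the diff.  The
# removed rows for TLSv1 and TLSv1.1 are deliberately absent; the boolean
# mirrors the 'deprecated' member and is False for every remaining entry.
SUPPORTED = {
    "TLSv1.2": (TLS12, False),
    "TLSv1.3": (TLS13, False),
}

# Names that used to be accepted.  Kept only so the rejection can say *why*
# rather than reporting them as merely unknown.
REMOVED = {"TLSv1", "TLSv1.1"}


def parse_protocols(arg: str):
    """Return (minimum, maximum) ssl.TLSVersion for a protocol list.

    Assumed syntax: names separated by commas or whitespace, e.g.
    "TLSv1.2,TLSv1.3", optionally followed by "or later" to mean every
    supported version from the lowest named one upwards.
    """
    words = [w for w in re.split(r"[,\s]+", arg.strip()) if w]
    or_later = False
    if len(words) >= 2 and [w.lower() for w in words[-2:]] == ["or", "later"]:
        or_later = True
        words = words[:-2]
    if not words:
        raise ValueError("no TLS protocol names given")

    chosen = []
    for name in words:
        if name in REMOVED:
            # Be explicit: the name was valid once and is now removed per RFC 8996.
            raise ValueError(
                f"{name} is no longer supported (deprecated by RFC 8996); "
                "use TLSv1.2 or TLSv1.3")
        if name not in SUPPORTED:
            raise ValueError(f"unknown TLS protocol name {name!r}")
        version, deprecated = SUPPORTED[name]
        if deprecated:
            # No current entry is deprecated; the branch exists for future rows.
            raise ValueError(f"{name} is deprecated and disabled")
        chosen.append(version)

    lowest = min(chosen)
    highest = max(v for v, _ in SUPPORTED.values()) if or_later else max(chosen)
    # With only two supported versions every selection is contiguous, so a
    # [minimum, maximum] range expresses it exactly.
    return lowest, highest


def make_context(arg: str, purpose=ssl.Purpose.SERVER_AUTH) -> ssl.SSLContext:
    """Build an SSLContext whose negotiable versions are limited to 'arg'."""
    lowest, highest = parse_protocols(arg)
    ctx = ssl.create_default_context(purpose)
    ctx.minimum_version = lowest   # equivalent of SSL_CTX_set_min_proto_version
    ctx.maximum_version = highest  # equivalent of SSL_CTX_set_max_proto_version
    return ctx


if __name__ == "__main__":
    for spec in ("TLSv1.2,TLSv1.3", "TLSv1.3", "TLSv1.2 or later", "TLSv1.1"):
        try:
            lo, hi = parse_protocols(spec)
            print(f"{spec!r}: {lo.name} .. {hi.name}")
        except ValueError as err:
            print(f"{spec!r}: rejected: {err}")
```

Rejecting the removed names with a distinct message is the practical difference from a plain "unknown name" path: an operator whose configuration still says `TLSv1.1` learns immediately that the name was removed on purpose and what to replace it with, instead of suspecting a typo.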


@@ -1221,7 +1221,7 @@ stream_ssl_set_key_and_cert(const char *private_key_file,
}
}
/* Sets SSL/TLS ciphers for TLSv1.2 and earlier based on string input.
/* Sets SSL/TLS ciphers for TLSv1.2 based on string input.
* Aborts with an error message if 'arg' is not valid. */
void
stream_ssl_set_ciphers(const char *arg)
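Review bot: The rewritten comment at the top of this hunk now says the cipher string applies to TLSv1.2 only, but it no longer says anything about the other version that remains in the protocol table, TLSv1.3. Since "TLSv1.2 and earlier" previously implied "everything except TLSv1.3", the shortened form can read as if 'arg' now covers every supported version. Consider adding half a sentence such as "TLSv1.3 cipher suites are configured separately" so a reader of stream_ssl_set_ciphers() does not assume this setting governs both remaining versions.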
@@ -1267,8 +1267,6 @@ stream_ssl_set_protocols(const char *arg)
bool deprecated;
} protocols[] = {
{"later", 0 /* any version */, false},
{"TLSv1", TLS1_VERSION, true },
{"TLSv1.1", TLS1_1_VERSION, true },
{"TLSv1.2", TLS1_2_VERSION, false},
{"TLSv1.3", TLS1_3_VERSION, false},
};
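Review bot: With the two deprecated rows dropped, every remaining entry in 'protocols[]' has 'deprecated' set to false, so the member and whatever code consumes it are now dead; the commit message says this is intentional so TLSv1.2 can be deprecated later, and a one-line comment on the 'deprecated' member saying so would stop a future cleanup from removing it. Separately, "TLSv1" and "TLSv1.1" no longer match any row, so a configuration that still lists them will now fall into the unknown-name path rather than the previous deprecated-and-disabled path; consider having that rejection say the names were removed (ideally citing RFC 8996) rather than reporting them as unknown, since operators upgrading from 3.5 will otherwise read a valid-looking name as a typo.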