stream-ssl: Deprecate and disable TLSv1 and TLSv1.1.

TLSv1 and TLSv1.1 are officially deprecated by RFC 8996 since March
of 2021:  https://datatracker.ietf.org/doc/rfc8996/

Both protocols should not generally be used (RFC says MUST NOT) and
are being actively removed from support by major distributions and
libraries.

Deprecate these protocols in OVS and turn them off by default.
Ability to use them preserved for now with a warning.  We'll fully
remove support in OVS 3.6.

Before this change, OVS would use TLSv1 or later, if the protocols
are not specified in the database or command line (this includes
TLSv1.3 that is not supported explicitly).  After the change, this
becomes TLSv1.2 or later.

Python library only supports client side of SSL/TLS and doesn't
support configuring protocols.  So, just turning off TLSv1 and
TLSv1.1.  Meaning, new python clients will not be able to connect
to servers that only have TLSv1.1 or lower.  This is a strange
configuration for a modern server and can be fixed by allowing the
server to use newer protocols.  So, there might not be a real need
in making client side configurable.  If the server is so old that
it doesn't support TLSv1.2, it may be a time to update it.

Acked-by: Eelco Chaudron <echaudro@redhat.com>
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>

Documentation/howto/ssl.rst

@@ -34,9 +34,9 @@ This document describes how to configure an Open vSwitch to connect to an
 OpenFlow controller over SSL.  Refer to :doc:`/intro/install/general`. for
 instructions on building Open vSwitch with SSL support.
 
-Open vSwitch uses TLS version 1.0 or later (TLSv1), as specified by RFC 2246,
-which is very similar to SSL version 3.0.  TLSv1 was released in January 1999,
-so all current software and hardware should implement it.
+Open vSwitch uses TLS version 1.2 or later (TLSv1.2), as specified by
+RFC 5246.  TLSv1.2 was released in August 2008, so all current software and
+hardware should implement it.
 
 This document assumes basic familiarity with public-key cryptography and
 public-key infrastructure.

NEWS

@@ -10,6 +10,10 @@ Post-v3.4.0
      address fields: nw_dst, nw_src, ipv6_dst and ipv6_src.
      This allows to significantly reduce amount of datapath flows generated
      from mixed IPv4+IPv6 flow tables.
+   - SSL/TLS:
+     * TLSv1 and TLSv1.1 protocols are deprecated and disabled by default
+       on OpenFlow and database connections.  Use --ssl-protocols to turn
+       them back on.  Support will be fully removed in the next release.
    - Userspace datapath:
      * The default zone limit, if set, is now inherited by any zone
        that does not have a specific value defined, rather than being

lib/ssl-connect.man

@@ -1,10 +1,11 @@
 .IP "\fB\-\-ssl\-protocols=\fIprotocols\fR"
 Specifies, in a comma- or space-delimited list, the SSL protocols
 \fB\*(PN\fR will enable for SSL connections.  Supported
-\fIprotocols\fR include \fBTLSv1\fR, \fBTLSv1.1\fR, and \fBTLSv1.2\fR.
+\fIprotocols\fR include \fBTLSv1\fR (deprecated), \fBTLSv1.1\fR (deprecated),
+and \fBTLSv1.2\fR.
 Regardless of order, the highest protocol supported by both sides will
 be chosen when making the connection.  The default when this option is
-omitted is \fBTLSv1,TLSv1.1,TLSv1.2\fR.
+omitted is \fBTLSv1.2\fR or later.
 .
 .IP "\fB\-\-ssl\-ciphers=\fIciphers\fR"
 Specifies, in OpenSSL cipher string format, the ciphers \fB\*(PN\fR will 

lib/stream-ssl.c

@@ -162,7 +162,7 @@ struct ssl_config_file {
 static struct ssl_config_file private_key;
 static struct ssl_config_file certificate;
 static struct ssl_config_file ca_cert;
-static char *ssl_protocols = "TLSv1,TLSv1.1,TLSv1.2";
+static char *ssl_protocols = "TLSv1.2";
 static char *ssl_ciphers = "HIGH:!aNULL:!MD5";
 
 /* Ordinarily, the SSL client and server verify each other's certificates using
@@ -1076,7 +1076,8 @@ do_ssl_init(void)
         return ENOPROTOOPT;
     }
 
-    long options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3;
+    long options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
+                   SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1;
 #ifdef SSL_OP_IGNORE_UNEXPECTED_EOF
     options |= SSL_OP_IGNORE_UNEXPECTED_EOF;
 #endif
@@ -1274,6 +1275,15 @@ stream_ssl_set_protocols(const char *arg)
                             SSL_OP_NO_TLSv1_2)
 #endif
     long protocol_flags = SSL_OP_NO_SSL_MASK;
+    struct {
+        const char *name;
+        long no_flag;
+        bool deprecated;
+    } protocols[] = {
+        {"TLSv1",   SSL_OP_NO_TLSv1,   true },
+        {"TLSv1.1", SSL_OP_NO_TLSv1_1, true },
+        {"TLSv1.2", SSL_OP_NO_TLSv1_2, false},
+    };
 
     char *s = xstrdup(arg);
     char *save_ptr = NULL;
@@ -1283,20 +1293,26 @@ stream_ssl_set_protocols(const char *arg)
         goto exit;
     }
     while (word != NULL) {
-        long on_flag;
-        if (!strcasecmp(word, "TLSv1.2")){
-            on_flag = SSL_OP_NO_TLSv1_2;
-        } else if (!strcasecmp(word, "TLSv1.1")){
-            on_flag = SSL_OP_NO_TLSv1_1;
-        } else if (!strcasecmp(word, "TLSv1")){
-            on_flag = SSL_OP_NO_TLSv1;
-        } else {
+        long no_flag = 0;
+
+        for (size_t i = 0; i < ARRAY_SIZE(protocols); i++) {
+            if (!strcasecmp(word, protocols[i].name)) {
+                no_flag = protocols[i].no_flag;
+                if (protocols[i].deprecated) {
+                    VLOG_WARN("%s protocol is deprecated", word);
+                }
+                break;
+            }
+        }
+
+        if (!no_flag) {
             VLOG_ERR("%s: SSL protocol not recognized", word);
             goto exit;
         }
+
         /* Reverse the no flag and mask it out in the flags
          * to turn on that protocol. */
-        protocol_flags &= ~on_flag;
+        protocol_flags &= ~no_flag;
         word = strtok_r(NULL, " ,\t", &save_ptr);
     };
 

python/ovs/stream.py

@@ -795,6 +795,8 @@ class SSLStream(Stream):
         ctx.verify_mode = ssl.CERT_REQUIRED
         ctx.options |= ssl.OP_NO_SSLv2
         ctx.options |= ssl.OP_NO_SSLv3
+        ctx.options |= ssl.OP_NO_TLSv1
+        ctx.options |= ssl.OP_NO_TLSv1_1
         # If the client has not set the SSL configuration files
         # exception would be raised.
         ctx.load_verify_locations(Stream._SSL_ca_cert_file)

tests/ovsdb-server.at

@@ -911,6 +911,7 @@ AT_CHECK_UNQUOTED(
   [ovsdb-client: failed to connect to "ssl:127.0.0.1:$SSL_PORT"
 ], 
   [ignore])
+AT_CHECK([grep -q 'TLSv1 protocol is deprecated' output])
 # Check that when ciphers are not compatible, that a negotiation
 # failure occurs.
 AT_CHECK(
@@ -934,6 +935,7 @@ AT_CHECK_UNQUOTED(
   [ovsdb-client: failed to connect to "ssl:127.0.0.1:$SSL_PORT"
 ], 
   [ignore])
+AT_CHECK([grep -q 'TLSv1.1 protocol is deprecated' output])
 # The error message for being unable to negotiate a shared ciphersuite
 # is 'sslv3 alert handshake failure'. This is not the clearest message.
 # In openssl 3.2.0 all the error messages were updated to replace 'sslv3'