TLSv1 and TLSv1.1 are officially deprecated by RFC 8996 since March
of 2021: https://datatracker.ietf.org/doc/rfc8996/
Both protocols should not generally be used (RFC says MUST NOT) and
are being actively removed from support by major distributions and
libraries. They were deprecated and disabled by default in OVS 3.5
with the following commit:
923a80d1d163 ("stream-ssl: Deprecate and disable TLSv1 and TLSv1.1.")
It's time to fully remove the support for these protocols.
Some infrastructure and parts of the documentation look a little
awkward since we're only supporting 2 versions of TLS now, so I tried
to re-word the text a little. But I kept the code intact so we can
easily add new versions when they appear or deprecate TLSv1.2 when
the time comes, even though it may not be soon.
Acked-by: Eelco Chaudron <echaudro@redhat.com>
Acked-by: Kevin Traynor <ktraynor@redhat.com>
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
TLSv1.3 is currently only supported implicitly, if the --ssl-protocols
are not provided, or with the recent range support like "TLSv1.2+".
However, it is not possible to explicitly ask for TLSv1.3 or set a
custom list of ciphersuites for it. Fix that by adding TLSv1.3 to the
list of available protocols and adding a new --ssl-ciphersuites option.
The new option is necessary, because --ssl-ciphers translates into
SSL_CTX_set_cipher_list() that configures ciphers for TLSv1.2 and
earlier. SSL_CTX_set_ciphersuites() sets ciphersuites for TLSv1.3
and later.
Tests updated to exercise new options and to reduce the use of
deprecated TLSv1 and TLSv1.1.
TLSv1.3 support was introduced in OpenSSL 1.1.1.
Acked-by: Eelco Chaudron <echaudro@redhat.com>
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
The NO options are deprecated since OpenSSL 1.1.0:
* SSL_OP_NO_SSLv3
* SSL_OP_NO_TLSv1
* SSL_OP_NO_TLSv1_1
* SSL_OP_NO_TLSv1_2
SSL_CTX_set_min/max_proto_version API should be used instead.
Change the "ssl-protocols" configuration option to parse values and
enable ranges with this new API instead. This means that we'll start
enabling protocols that may not be enabled by the user, e.g.
--ssl-protocols="TLSv1,TLSv1.2" will now enable TLSv1.1 as well.
But it's probably not a big deal, and there will be no way to turn off
one protocol in the middle in the future anyway, since the OpenSSL
API required to do so is deprecated. And such configurations are
very unlikely to be used in practice. At least, that was one of the
reasons for OpenSSL to change the API in the first place.
While at it, allow users to configure simple ranges, instead of lists.
For example, OVS will now allow values like "TLSv1-TLSv1.2" to enable
all versions between TLSv1 and TLSv1.2, or "TLSv1.1+" to allow TLSv1.1
or any later version. The option still accepts a list of protocols or
exactly one range.
Acked-by: Eelco Chaudron <echaudro@redhat.com>
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
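As an added example (my own code, not OVS's parser), the protocol strings described in the two commits above (lists, "TLSv1-TLSv1.2" ranges and "TLSv1.1+" open ranges) reduced to the min/max pair that SSL_CTX_set_min_proto_version()/SSL_CTX_set_max_proto_version() take, plus the check of whether --ssl-ciphers (SSL_CTX_set_cipher_list, TLSv1.2 and earlier) or --ssl-ciphersuites (SSL_CTX_set_ciphersuites, TLSv1.3) applies to the enabled range. The version constants mirror OpenSSL's TLS1_VERSION..TLS1_3_VERSION values and all function names are assumed, so no OpenSSL headers are needed.

```c
#include <stdbool.h>
#include <string.h>

/* Version codes matching OpenSSL's TLS1_VERSION..TLS1_3_VERSION macros,
 * assumed here so the example builds without OpenSSL headers. */
enum { TLS1_0 = 0x0301, TLS1_1 = 0x0302, TLS1_2 = 0x0303, TLS1_3 = 0x0304 };

static const struct { const char *name; int version; } tls_versions[] = {
    { "TLSv1", TLS1_0 }, { "TLSv1.1", TLS1_1 },
    { "TLSv1.2", TLS1_2 }, { "TLSv1.3", TLS1_3 },
};
#define N_VERSIONS (sizeof tls_versions / sizeof tls_versions[0])

/* Range handed to SSL_CTX_set_min/max_proto_version(); 0 = nothing enabled. */
struct tls_range { int min_version; int max_version; };

/* Exact-name lookup of the first 'len' bytes of 'name'; 0 if unknown. */
static int lookup_version(const char *name, size_t len)
{
    for (size_t i = 0; i < N_VERSIONS; i++) {
        if (strlen(tls_versions[i].name) == len
            && !memcmp(tls_versions[i].name, name, len)) {
            return tls_versions[i].version;
        }
    }
    return 0;
}

/* Accepts a comma-separated list ("TLSv1,TLSv1.2"), one closed range
 * ("TLSv1-TLSv1.2") or one open range ("TLSv1.1+"). A list collapses to
 * its lowest and highest member: the min/max API has no way to keep a
 * version in the middle disabled. Returns false on unknown input. */
bool parse_ssl_protocols(const char *s, struct tls_range *range)
{
    size_t len = strlen(s);
    const char *dash = strchr(s, '-');

    range->min_version = range->max_version = 0;
    if (len && s[len - 1] == '+') {               /* "TLSv1.1+" */
        int v = lookup_version(s, len - 1);
        if (!v) return false;
        range->min_version = v;
        range->max_version = TLS1_3;
        return true;
    }
    if (dash) {                                   /* "TLSv1-TLSv1.2" */
        int lo = lookup_version(s, dash - s);
        int hi = lookup_version(dash + 1, strlen(dash + 1));
        if (!lo || !hi || lo > hi) return false;
        range->min_version = lo;
        range->max_version = hi;
        return true;
    }
    while (*s) {                                  /* "TLSv1,TLSv1.2" */
        size_t n = strcspn(s, ",");
        int v = lookup_version(s, n);
        if (!v) return false;
        if (!range->min_version || v < range->min_version) range->min_version = v;
        if (v > range->max_version) range->max_version = v;
        s += n + (s[n] == ',');
    }
    return range->min_version != 0;
}

/* --ssl-ciphers feeds SSL_CTX_set_cipher_list(), which only matters when a
 * version up to TLSv1.2 is enabled; --ssl-ciphersuites feeds
 * SSL_CTX_set_ciphersuites(), which only matters when TLSv1.3 is enabled. */
bool needs_ssl_ciphers(const struct tls_range *r)
{
    return r->min_version && r->min_version <= TLS1_2;
}

bool needs_ssl_ciphersuites(const struct tls_range *r)
{
    return r->max_version >= TLS1_3;
}
```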
The SSL protocol family is not actually being used or supported in OVS.
What we use is actually TLS.
Terms "SSL" and "TLS" are often used interchangeably in modern
software and refer to the same thing, which is normally just TLS.
Let's replace "SSL" with "SSL/TLS" in documentation and user-visible
messages, where it makes sense. This may make it more clear what
is meant for a less experienced user that may look for TLS support
in OVS and not find much.
We're not changing any actual code, because, for example, most of the
OpenSSL APIs are using just SSL, for historical reasons. And our
database is using an "SSL" table. We may consider migrating to "TLS"
naming for user-visible configuration like command line arguments
and database names, but that will require extra work on making sure
upgrades can still work. In general, slightly clearer
documentation should be enough for now, especially since the term SSL
is still widely used in the industry.
"SSL/TLS" is chosen over "TLS/SSL" simply because our user-visible
configuration knobs are using "SSL" naming, e.g. '--ssl-ciphers'
or 'ovs-vsctl set-ssl'. So, it might be less confusing this way.
We may switch that, if we decide on re-working the user-visible
commands towards "TLS" naming, or providing both alternatives.
Some other projects did similar changes. For example, the python ssl
library is now using "TLS/SSL" in the documentation whenever possible.
Same goes for OpenSSL itself.
Acked-by: Eelco Chaudron <echaudro@redhat.com>
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
Memory Sanitizer reports use of uninitialized stream/pstream pointers
while recording results of open/listen:
WARNING: MemorySanitizer: use-of-uninitialized-value
0 0x7c48cf in pstream_open lib/stream.c:567:5
1 0x7c71ed in pstream_open_with_default_port lib/stream.c:772:13
2 0x6c7731 in jsonrpc_pstream_open lib/jsonrpc.c:80:12
3 0x509345 in ovsdb_jsonrpc_server_add_remote ovsdb/jsonrpc-server.c:374:13
4 0x508eed in ovsdb_jsonrpc_server_set_remotes ovsdb/jsonrpc-server.c:355:22
5 0x4dca59 in reconfigure_remotes ovsdb/ovsdb-server.c:1778:5
6 0x4c9d42 in reconfigure_ovsdb_server ovsdb/ovsdb-server.c:686:19
7 0x4c432a in main ovsdb/ovsdb-server.c:788:10
8 0x7fb979 in __libc_start_call_main
9 0x7fb979 in __libc_start_main@GLIBC_2.2.5
10 0x432b64 in _start (ovsdb/ovsdb-server+0x432b64)
It complains just about the function call even if the value inside the
function is not being used. It can be fixed by initializing the stream
pointer to NULL. However, there is a possibility of it being used when
we also fail to record the result. We should be using the provided
name in the error log instead of trying to access the name through the
potentially uninitialized or NULL pointer.
While at it, also fixing the log message to be more accurate.
Fixes: fae1ae0434cd ("stream: Add record/replay functionality.")
Acked-by: Dumitru Ceara <dceara@redhat.com>
Acked-by: Eelco Chaudron <echaudro@redhat.com>
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
Clustered OVSDB allows using DNS names as addresses of raft members.
However, if DNS resolution fails during the initial database read,
this causes a fatal failure and exit of the ovsdb-server process.
Also, if DNS name of a joining server is not resolvable for one of the
followers, this follower will reject append requests for a new server
to join until the name is successfully resolved. This makes a follower
effectively non-functional while DNS is unavailable.
To fix the problem, relax the address verification, allowing validation
to pass if only name resolution failed and the address is valid
otherwise. This will allow addresses to be added to the database, so
connections can be established later when the DNS is available.
Additionally fixing missed initialization of the dns-resolve module.
Without it, DNS requests are blocking. This causes unexpected delays
in runtime.
Fixes: 771680d96fb6 ("DNS: Add basic support for asynchronous DNS resolving")
Reported-at: https://bugzilla.redhat.com/2055097
Acked-by: Dumitru Ceara <dceara@redhat.com>
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
For debugging purposes it is useful to be able to record all the
incoming transactions and commands and replay them locally under
debugger or with additional logging enabled. This patch introduces
the ability to record all the incoming stream data and replay it via a new
stream provider named 'stream-replay'. During the record phase all
the incoming stream data is written to special replay_* files in the
application rundir. In the replay phase, instead of opening real streams,
the application will open the replay_* files and read all the incoming data
directly from them.
If enabled for ovsdb-server, for example, this allows recording all
the connections and transactions from the big setup and replay them
locally afterwards to debug the behaviour or test performance.
To start the application in recording mode there is a --record cmdline
option. --replay is to replay previously recorded streams.
Current version doesn't work well with time-based stream events like
inactivity probes or any other events generated internally. This is
a point for further improvement.
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
Acked-by: Dumitru Ceara <dceara@redhat.com>
On some systems, in case the remote is not responding, a socket could
remain in SYN_SENT state for a really long time without errors, waiting
for connection. This leads to situations where open_block() hangs for
a few minutes waiting for connection to the DOWN remote.
For example, our "multiple remotes" idl tests hang waiting for
connection to the WRONG_PORT on FreeBSD in the CirrusCI environment.
This leads to test failures because the Alarm signal arrives much faster
than ETIMEDOUT from the socket.
This patch allows specifying a timeout value for the 'open_block' function.
If the connection takes more time, the socket will be closed with the
ETIMEDOUT error code. A negative value, or None in Python, can be
used to wait infinitely.
Signed-off-by: Ilya Maximets <i.maximets@samsung.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
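An added example (my own code, not the OVS open_block() implementation) of the behaviour the commit above describes: a non-blocking connect() followed by a bounded wait, returning ETIMEDOUT if the remote stays in SYN_SENT past the deadline, with a negative timeout meaning wait forever. The function names are assumed; the demo helper uses a pipe so the timeout path can be exercised without any network.

```c
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <errno.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <poll.h>
#include <stdint.h>
#include <sys/socket.h>
#include <time.h>
#include <unistd.h>

static long long now_ms(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return ts.tv_sec * 1000LL + ts.tv_nsec / 1000000;
}

/* Wait until 'fd' is writable, i.e. a non-blocking connect() has finished.
 * Returns 0, ETIMEDOUT, or the errno from poll(). A negative timeout waits
 * forever; an EINTR retry keeps the original deadline. */
int wait_writable(int fd, int timeout_ms)
{
    struct pollfd pfd = { .fd = fd, .events = POLLOUT };
    long long deadline = timeout_ms < 0 ? -1 : now_ms() + timeout_ms;

    for (;;) {
        long long left = deadline - now_ms();      /* unused if deadline < 0 */
        int n = poll(&pfd, 1, deadline < 0 ? -1 : left > 0 ? (int) left : 0);
        if (n > 0) return 0;
        if (n == 0) return ETIMEDOUT;
        if (errno != EINTR) return errno;
    }
}

/* Blocking IPv4 connect bounded by 'timeout_ms' (< 0 waits forever), the
 * behaviour the commit above gives open_block(). Returns a connected fd,
 * or -errno: -ETIMEDOUT if the remote stays in SYN_SENT past the deadline. */
int connect_block_timeout(const char *ip, uint16_t port, int timeout_ms)
{
    struct sockaddr_in addr = { .sin_family = AF_INET, .sin_port = htons(port) };
    if (inet_pton(AF_INET, ip, &addr.sin_addr) != 1) return -EINVAL;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -errno;
    fcntl(fd, F_SETFL, fcntl(fd, F_GETFL) | O_NONBLOCK);

    int err = 0;
    if (connect(fd, (struct sockaddr *) &addr, sizeof addr) < 0) {
        err = errno;
        if (err == EINPROGRESS) {
            err = wait_writable(fd, timeout_ms);
            if (!err) {                     /* finished: fetch the real result */
                socklen_t len = sizeof err;
                if (getsockopt(fd, SOL_SOCKET, SO_ERROR, &err, &len) < 0) err = errno;
            }
        }
    }
    if (err) { close(fd); return -err; }
    fcntl(fd, F_SETFL, fcntl(fd, F_GETFL) & ~O_NONBLOCK);   /* back to blocking */
    return fd;
}

/* Constructed check without a network: a pipe's read end never becomes
 * writable, so polling it hits the timeout; its write end is writable at
 * once, so even an infinite wait returns immediately. */
int demo_pipe_wait(int poll_write_end, int timeout_ms)
{
    int p[2];
    if (pipe(p) < 0) return -errno;
    int rc = wait_writable(p[poll_write_end ? 1 : 0], timeout_ms);
    close(p[0]);
    close(p[1]);
    return rc;
}
```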
When 'make check' is called by the mock rpm build (which disables networking),
the test "ovn-nbctl: LBs - daemon" fails when it runs the command
"ovn-nbctl lb-add lb0 30.0.0.1a 192.168.10.10:80,192.168.10.20:80". ovn-nbctl
extracts the vip by calling the socket util function 'inet_parse_active()',
and this function blocks when the libunbound function ub_resolve() is called
further down. ub_resolve() is a blocking function without timeout and all the
ovs/ovn utilities use this function.
As reported by Timothy Redaelli, the issue can also be reproduced by running
the below commands
$ sudo unshare -mn -- sh -c 'ip addr add dev lo 127.0.0.1 && \
mount --bind /dev/null /etc/resolv.conf && runuser $SUDO_USER'
$ make sandbox SANDBOXFLAGS="--ovn"
$ ovn-nbctl -vsocket_util:off lb-add lb0 30.0.0.1a \
192.168.10.10:80,192.168.10.20:80
To address this issue, this patch adds a new bool argument 'resolve_host' to
the function inet_parse_active() to resolve the host only if it is 'true'.
ovn-nbctl/ovn-northd will pass 'false' when it calls this function to parse
the load balancer values.
Reported-by: Timothy Redaelli <tredaelli@redhat.com>
Reported-at: https://bugzilla.redhat.com/show_bug.cgi?id=1641672
Signed-off-by: Numan Siddique <nusiddiq@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
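An added example (my own code, not OVS's inet_parse_active()) of the resolve_host split described above: the target string is parsed into a sockaddr, and the resolver is consulted only when the caller asks for it, so a utility parsing a VIP such as "30.0.0.1a" fails fast instead of blocking in a DNS lookup. Function names are assumed; the bracketed IPv6 form and the port are handled as in "[host]:port".

```c
#define _POSIX_C_SOURCE 200809L
#include <netdb.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>

/* Split "host:port" or "[v6host]:port" into its parts. Returns false if
 * the port is missing or not a number in 0..65535. */
static bool split_host_port(const char *s, char *host, size_t hostlen,
                            unsigned *port)
{
    const char *colon;
    size_t n;

    if (*s == '[') {                              /* bracketed IPv6 literal */
        const char *close = strchr(s, ']');
        if (!close || close[1] != ':') return false;
        n = close - s - 1;
        s += 1;
        colon = close + 1;
    } else {
        colon = strrchr(s, ':');
        if (!colon) return false;
        n = colon - s;
    }
    if (n >= hostlen) return false;
    memcpy(host, s, n);
    host[n] = '\0';

    char *end;
    unsigned long p = strtoul(colon + 1, &end, 10);
    if (end == colon + 1 || *end || p > 65535) return false;
    *port = (unsigned) p;
    return true;
}

/* Hypothetical counterpart of inet_parse_active(..., resolve_host): with
 * resolve_host == false, AI_NUMERICHOST makes getaddrinfo() accept only
 * numeric addresses and fail at once instead of querying DNS, so a CLI tool
 * parsing a VIP like "30.0.0.1a" cannot block in the resolver. With
 * resolve_host == true a hostname may be looked up, which can block. */
bool parse_active(const char *target, bool resolve_host,
                  struct sockaddr_storage *ss, socklen_t *len)
{
    char host[256], portstr[8];
    unsigned port;
    if (!split_host_port(target, host, sizeof host, &port)) return false;
    snprintf(portstr, sizeof portstr, "%u", port);

    struct addrinfo hints = {
        .ai_family = AF_UNSPEC, .ai_socktype = SOCK_STREAM,
        .ai_flags = AI_NUMERICSERV | (resolve_host ? 0 : AI_NUMERICHOST),
    };
    struct addrinfo *res;
    if (getaddrinfo(host, portstr, &hints, &res) != 0) return false;
    memcpy(ss, res->ai_addr, res->ai_addrlen);    /* first result only */
    *len = res->ai_addrlen;
    freeaddrinfo(res);
    return true;
}

/* Convenience for checks: address family parsed from 'target', or -1. */
int parse_active_family(const char *target, bool resolve_host)
{
    struct sockaddr_storage ss;
    socklen_t len;
    return parse_active(target, resolve_host, &ss, &len) ? ss.ss_family : -1;
}
```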
This patch is a simple implementation for the proposal discussed in
https://mail.openvswitch.org/pipermail/ovs-dev/2017-August/337038.html and
https://mail.openvswitch.org/pipermail/ovs-dev/2017-October/340013.html.
It enables ovs-vswitchd and other utilities to use DNS names when specifying
OpenFlow and OVSDB remotes.
Below are some of the features and limitations of this patch:
- Resolving is asynchronous in daemon context, avoiding blocking the main loop;
- Resolving is synchronous in general utility context;
- Both IPv4 and IPv6 are supported;
- The resolving API is thread-safe;
- Depends on the unbound library;
- When multiple ip addresses are returned, only the first one is used;
- /etc/nsswitch.conf isn't respected as unbound library doesn't look at it;
- For async resolving, callers need to retry later; there is no callback.
Signed-off-by: Yifeng Sun <pkusunyifeng@gmail.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Until now, the default_port parameters to these functions have had
different types and different behavior. There is a reason for this, since
it makes sense to listen on a kernel-selected port but it does not make
sense to connect to a kernel-selected port, but this overlooks the
possibility that a caller might want to parse a string in the format
understood by inet_parse_active() without actually using it to connect to
a remote host. This commit makes the behavior consistent and updates all
the callers to work with the new semantics.
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Mark Michelson <mmichels@redhat.com>
FreeBSD insists that <sys/types.h> be included before <netinet/in.h> and
that <netinet/in.h> be included before <arpa/inet.h>. This adds guards to
the "sparse" headers to yield a warning if this order is violated. This
commit also adjusts the order of many #includes to suit this requirement.
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Justin Pettit <jpettit@ovn.org>
Poll-loop is the core used to implement the main loop. It should be
available in libopenvswitch.
Signed-off-by: Xiao Liang <shaw.leon@gmail.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
This will be a more sensible interface in an upcoming commit where many of
the callers are assembling dynamic name strings anyway.
Signed-off-by: Ben Pfaff <blp@ovn.org>
Tested-by: Numan Siddique <nusiddiq@redhat.com>
Acked-by: Numan Siddique <nusiddiq@redhat.com>
Include --ssl-protocols and --ssl-ciphers options in run-time
help output.
Sample output with this change:
PKI configuration (required to use SSL):
-p, --private-key=FILE file with private key
-c, --certificate=FILE file with certificate for private key
-C, --ca-cert=FILE file with peer CA certificate
--bootstrap-ca-cert=FILE file with peer CA certificate to read or create
SSL options:
--ssl-protocols=PROTOS list of SSL protocols to enable
--ssl-ciphers=CIPHERS list of SSL ciphers to enable
Output formatting options:
Signed-off-by: Lance Richardson <lrichard@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Track authenticated stream peer ID. For SSL connections, the
authenticated ID is the CN (Common Name) field extracted from
the peer's SSL certificate.
Signed-off-by: Lance Richardson <lrichard@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
We've been warning about the change since 2.1, which was released a year
ago.
Signed-off-by: Justin Pettit <jpettit@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>
This function is really of marginal utility. This commit drops it and
makes the existing callers instead open a new pstream with the desired
dscp.
The ulterior motive here is that the set_dscp() function that actually sets
the DSCP on a socket really wants to know the address family (AF_INET vs.
AF_INET6). We could plumb that down through the stream code, and that's
one reasonable option, but I thought that simply eliminating some calls
to set_dscp() where we don't already have the address family handy was
another reasonable way to go.
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Alex Wang <alexw@nicira.com>
A new function vlog_insert_module() is introduced to avoid using
list_insert() from the vlog.h header.
Signed-off-by: Thomas Graf <tgraf@noironetworks.com>
Acked-by: Ben Pfaff <blp@nicira.com>
WSAStartup() needs to be called before using winsock2 related
functions. We need this for almost all the utilities. So call
it through OVS_CONSTRUCTOR.
Signed-off-by: Gurucharan Shetty <gshetty@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>
On Linux, we heavily use --remote=punix:* to listen for
connections through unix domain sockets. We also use, unix:*
to connect to a daemon that is listening on unix domain sockets.
Many times, we create default unix domain sockets for listening
and many utilities connect to these sockets by default.
Windows does not have unix domain sockets. So far, we could just use
ptcp:* and tcp:* for listening and initiating connections respectively.
The drawback here is that one has to provide a specific TCP port.
For unit tests, it looks useful to let the kernel choose that port.
As such, we can let that chosen kernel port be stored in the
file specified with punix:* and unix:*. For this purpose, introduce
a new [p]windows_[p]stream_class. Since it is just a wrapper around
[p]tcp_[p]stream_class, add it to stream-tcp.c.
commit cb54a8c (unixctl: Add support for Windows.) used the above concept
for only control channel connections (i.e., --unixctl for daemons and its
interaction with ovs-appctl). This commit adds the same support for
all unix domain sockets. Now that we have a separate class
[p]stream_class for hiding kernel assigned TCP port inside a file meant for
unix domain sockets in windows, make unixctl use it.
Signed-off-by: Gurucharan Shetty <gshetty@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>
The WSAStartup function initiates use of the Winsock DLL by a process.
The function should be called before any winsock related functions
are called.
Since we use stream-fd-windows through pstream_open or stream_open,
add the WSAStartup() call there.
The current version of the Windows Sockets specification is version 2.2.
Signed-off-by: Gurucharan Shetty <gshetty@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>
Use send/recv for socket stream instead of read/write.
Use event handle for polling on socket stream.
Check windows specific return code.
Signed-off-by: Linda Sun <lsun@vmware.com>
Signed-off-by: Gurucharan Shetty <gshetty@nicira.com>
Does not add IPv6 support for in-band control.
Co-authored-by: Ben Pfaff <blp@nicira.com>
Signed-off-by: Nandan Nivgune <nandan.nivgune@calsoftinc.com>
Signed-off-by: Abhijit Bhopatkar <abhijit.bhopatkar@calsoftinc.com>
Signed-off-by: Arun Sharma <arun.sharma@calsoftinc.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>
These functions don't have any ultimate users. The in-band control code
used to use them, but not anymore, so we might as well delete them all.
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Ethan Jackson <ethan@nicira.com>
This allows other libraries to use util.h that has already
defined NOT_REACHED.
Signed-off-by: Harold Lim <haroldl@vmware.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>
Both OpenFlow and OVSDB have new IANA-assigned port numbers. We still
default to the original values (6633 and 6632, respectively), but this
commit logs a warning. In the future, we will switch to the official
values (6653 and 6640, respectively).
Signed-off-by: Justin Pettit <jpettit@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>
The OVS code has always made a distinction between the unencrypted (TCP)
and SSL port numbers for the OpenFlow and OVSDB protocols. The default
port numbers for both protocols has changed, and there continues to be
no distinction between the unencrypted and SSL versions. This
commit removes the distinction in port numbers. A future patch will
recognize the change in default port number.
Signed-off-by: Justin Pettit <jpettit@nicira.com>
Acked-by: Ben Pfaff <blp@nicira.com>
Found by Clang.
Signed-off-by: Jarno Rajahalme <jrajahalme@nicira.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Ethan Jackson <ethan@nicira.com>
The administrator can request that OVSDB bind any available TCP port, but
in that case there is no easy way to find out what port it has bound. This
commit adds that information as the "bound_port" key in the "status"
column.
Signed-off-by: Ben Pfaff <blp@nicira.com>
This is a straight search-and-replace, except that I also removed #include
<assert.h> from each file where there were no assert calls left.
Signed-off-by: Ben Pfaff <blp@nicira.com>
Acked-by: Ethan Jackson <ethan@nicira.com>
Introduce set_dscp method to pstream.
This will be used by dynamic dscp change of listening socket.
Signed-off-by: Isaku Yamahata <yamahata@valinux.co.jp>
Signed-off-by: Ben Pfaff <blp@nicira.com>
OpenFlow headers are not as uniform as they could be, with size, alignment,
and numbering changes from one version to another and across varieties
(e.g. ordinary messages vs. "stats" messages). Until now the Open vSwitch
internal APIs haven't done a good job of abstracting those differences in
header formats. This commit changes that; from this commit forward very
little code actually needs to understand the header format or numbering.
Instead, it can just encode or decode, or pull or put, the header using
a more abstract API using the ofpraw_, ofptype_, and other APIs in the
new ofp-msgs module.
Signed-off-by: Ben Pfaff <blp@nicira.com>
Tested-by: Simon Horman <horms@verge.net.au>
Reviewed-by: Simon Horman <horms@verge.net.au>
Replaced all instances of Nicira Networks(, Inc) to Nicira, Inc.
Feature #10593
Signed-off-by: Raju Subramanian <rsubramanian@nicira.com>
Signed-off-by: Ben Pfaff <blp@nicira.com>
There isn't a lot of value in sending inactivity probes on unix
sockets. This patch changes the default to disable them.
Signed-off-by: Ethan Jackson <ethan@nicira.com>
The changes allow the user to specify a separate dscp value for the
controller connection and the manager connection. The value will take
effect on resetting the connections. If no value is specified a default
value of 192 is chosen for each of the connections.
Feature #10074
Requested-by: Rajiv Ramanathan <rramanathan@nicira.com>
Signed-off-by: Mehak Mahajan <mmahajan@nicira.com>
The intention is that, as each OpenFlow 1.1 and 1.2 feature is added to Open
vSwitch, the corresponding protocol definitions will be broken up this way:
- Definitions that are the same in OF1.0 and OF1.1 will retain the "OFP"
or "ofp" prefix and move to openflow-common.h.
- Definitions that are specific to OF1.0 will be renamed with an "OFP10"
or "ofp10" prefix and stay in openflow-1.0.h.
- Definitions that are specific to OF1.1 or to OF1.1 and OF1.2 will be
renamed with an "OFP11" or "ofp11" prefix and move to openflow-1.1.h.
- Definitions that are specific to OF1.2 will be renamed with an "OFP12"
or "ofp12" prefix and move to openflow-1.2.h.
This commit starts this process with some basic OpenFlow definitions.
Reviewed-by: Simon Horman <horms@verge.net.au>
Signed-off-by: Ben Pfaff <blp@nicira.com>
In current implementation vswitchd adds Controller in-band rules only if
there is a route in kernel routing table that might route traffic to the
Controller. But, when executing the force-reload-kmod command, the network
configuration (e.g. assigned IP addresses, routes) is flushed away,
hence Controller in-band rules are not added.
This commit fixes this limitation and allows vswitchd to add Controller
in-band rules even if there are no routes in the kernel routing table.
Issue: #8625
Signed-off-by: Ansis Atteka <aatteka@nicira.com>
stream_init() didn't initialize the remote_ip, remote_port, local_ip, or
local_port members of the stream, so "unix" streams that don't have any of
those would get random values instead.
Reported-by: "Voravit T." <voravit@kth.se>
Reported-by: Jari Sundell <sundell.software@gmail.com>
A negative size probably means that a system call failed. The caller could
set that to 0 but we might as well just tolerate it in
stream_report_content() by making the parameter type signed.
Coverity #10718.
Until now, the collection of coverage counters supported by a given OVS
program was not specific to that program. That means that, for example,
even though ovs-dpctl does not have anything to do with mac_learning, it
still has a coverage counter for it. This is confusing, at best.
This commit fixes the problem on some systems, in particular on ones that
use GCC and the GNU linker. It uses the feature of the GNU linker
described in its manual as:
If an orphaned section's name is representable as a C identifier then
the linker will automatically PROVIDE two symbols: __start_SECNAME
and __end_SECNAME, where SECNAME is the name of the section. These
indicate the start address and end address of the orphaned section
respectively.
Systems that don't support these features retain the earlier behavior.
This commit also fixes the annoyance that files that include coverage
counters must be listed on COVERAGE_FILES in lib/automake.mk.
This commit also fixes the annoyance that modifying any source file that
includes a coverage counter caused all programs that link against
libopenvswitch.a to relink, even programs that the source file was not
linked into. For example, modifying ofproto/ofproto.c (which includes
coverage counters) caused tests/test-aes128 to relink, even though
test-aes128 does not link against ofproto.o.
All streams and all vconns are "active", so there's no point in noting that
requirement in comments. (A long time ago, active and passive vconns were
conflated instead of having passive vconns broken out as pvconns. But
active and passive streams have always been distinct.)