mir/ovs
2
0
Fork 0
mirror of https://github.com/openvswitch/ovs synced 2025-08-22 09:58:01 +00:00
Code Issues Releases Wiki Activity
ovs/lib/stream-nossl.c
Ilya Maximets 4d09d6b48e stream-ssl: Add explicit support for configuring TLSv1.3. 
TLSv1.3 is currently only supported implicitly, if the --ssl-protocols
are not provided.  Or with the recent range support like "TLSv1.2+".
However, it is not possible to explicitly ask for TLSv1.3 or set a
custom list of ciphersuites for it.  Fix that by adding TLSv1.3 to the
list of available protocols and adding a new --ssl-ciphersuites option.

The new option is necessary, because --ssl-ciphers translates into
SSL_CTX_set_cipher_list() that configures ciphers for TLSv1.2 and
earlier.  SSL_CTX_set_ciphersuites() sets ciphersuites for TLSv1.3
and later.

Tests updated to exercise new options and to reduce the use of
deprecated TLSv1 and TLSv1.1.

TLSv1.3 support was introduced in OpenSSL 1.1.1.

Acked-by: Eelco Chaudron <echaudro@redhat.com>
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
2024-12-13 13:00:27 +01:00

99 lines
2.3 KiB
C
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

/*
* Copyright (c) 2011, 2016 Nicira, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at:
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
#include <config.h>
#include "stream-ssl.h"
#include "openvswitch/vlog.h"
VLOG_DEFINE_THIS_MODULE(stream_nossl);
/* Dummy function definitions, used when OVS is built without OpenSSL. */
bool
stream_ssl_is_configured(void)
{
return false;
}
OVS_NO_RETURN static void
nossl_option(const char *detail)
{
VLOG_FATAL(
"%s specified but Open vSwitch was built without SSL/TLS support",
detail);
}
void
stream_ssl_set_private_key_file(const char *file_name)
{
if (file_name != NULL) {
nossl_option("Private key");
}
}
void
stream_ssl_set_certificate_file(const char *file_name)
{
if (file_name != NULL) {
nossl_option("Certificate");
}
}
void
stream_ssl_set_ca_cert_file(const char *file_name, bool bootstrap OVS_UNUSED)
{
if (file_name != NULL) {
nossl_option("CA certificate");
}
}
void
stream_ssl_set_peer_ca_cert_file(const char *file_name)
{
if (file_name != NULL) {
nossl_option("Peer CA certificate");
}
}
void
stream_ssl_set_key_and_cert(const char *private_key_file,
const char *certificate_file)
{
stream_ssl_set_private_key_file(private_key_file);
stream_ssl_set_certificate_file(certificate_file);
}
void
stream_ssl_set_protocols(const char *arg OVS_UNUSED)
{
/* Ignore this option since it seems harmless to set SSL/TLS protocols if
* SSL/TLS won't be used. */
}
void
stream_ssl_set_ciphers(const char *arg OVS_UNUSED)
{
/* Ignore this option since it seems harmless to set SSL/TLS ciphers if
* SSL/TLS won't be used. */
}
void
stream_ssl_set_ciphersuites(const char *arg OVS_UNUSED)
{
/* Ignore this option since it seems harmless to set TLS ciphersuites if
* SSL/TLS won't be used. */
}
Reference in New Issue View Git Blame Copy Permalink