mir/ovs
2
0
Fork 0
mirror of https://github.com/openvswitch/ovs synced 2025-08-22 09:58:01 +00:00
Code Issues Releases Wiki Activity
ovs/lib/ssl-connect.man
Ilya Maximets 7b4d3137a1 stream-ssl: Remove support for deprecated TLSv1 and TLSv1.1. 
TLSv1 and TLSv1.1 are officially deprecated by RFC 8996 since March
of 2021:  https://datatracker.ietf.org/doc/rfc8996/

Both protocols should not generally be used (RFC says MUST NOT) and
are being actively removed from support by major distributions and
libraries.  They were deprecated and disabled by default in OVS 3.5
with the following commit:
  923a80d1d163 ("stream-ssl: Deprecate and disable TLSv1 and TLSv1.1.")

It's time to fully remove the support for these protocols.

Some infrastructure and parts of the documentation look a little
awkward since we're only supporting 2 versions of TLS now, so I tried
to re-word the text a little.  But I kept the code intact so we can
easily add new versions when they appear or deprecate TLSv1.2 when
the time comes, even though it may not be soon.

Acked-by: Eelco Chaudron <echaudro@redhat.com>
Acked-by: Kevin Traynor <ktraynor@redhat.com>
Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
2025-02-28 17:19:41 +01:00

27 lines
1.5 KiB
Groff
Raw Blame History

.IP "\fB\-\-ssl\-protocols=\fIprotocols\fR"
Specifies a range or a comma- or space-delimited list of the SSL/TLS protocols
\fB\*(PN\fR will enable for SSL/TLS connections. Supported \fIprotocols\fR
include \fBTLSv1.2\fR and \fBTLSv1.3\fR.
Ranges can be provided in a form of two protocol names separated with a dash,
or as a single protocol name with a plus sign. For example, use
\fBTLSv1.2-TLSv1.3\fR to allow \fBTLSv1.2\fR and \fBTLSv1.3\fR. Use
\fBTLSv1.2+\fR to allow \fBTLSv1.2\fR and any later protocol.
The option accepts a list of protocols or exactly one range. The
range is a preferred way of specifying protocols and the option always behaves
as if the range between the minimum and the maximum specified version is
provided, i.e., if the option is set to \fBTLSv1.X,TLSv1.(X+2)\fR, the
\fBTLSv1.(X+1)\fR will also be enabled as if it was a range.
Regardless of order, the highest protocol supported by both sides will
be chosen when making the connection. The default when this option is
omitted is \fBTLSv1.2\fR or later.
.
.IP "\fB\-\-ssl\-ciphers=\fIciphers\fR"
Specifies, in OpenSSL cipher string format, the ciphers \fB\*(PN\fR will
support for SSL/TLS connections with TLSv1.2.
The default when this option is omitted is \fBDEFAULT:@SECLEVEL=2\fR.
.
.IP "\fB\-\-ssl\-ciphersuites=\fIciphersuites\fR"
Specifies, in OpenSSL ciphersuite string format, the ciphersuites
\fB\*(PN\fR will support for SSL/TLS connections with TLSv1.3 and later.
Default value from OpenSSL will be used when this option is omitted.
Reference in New Issue View Git Blame Copy Permalink