treewide: Update OVS submodule to modernize SSL/TLS support.

This brings a whole pack of changes from OVS: * Dropped support for OpenSSL 1.1.0 and older. OpenSSL 1.1.0 reached EoL 5 years ago on 11 Sep 2019. Vast majority of distributions moved to newer versions long time ago. OpenSSL 1.1.1 introduced a lot of new APIs and deprecated a lot of old ones. It also introduced support for TLSv1.3 with a pack of APIs specific to that version. Requiring OpenSSL 1.1.1 or newer allowed OVS to introduce support for TLSv1.3 without a ton of conditional compiling as well as using more secure and easier adjustable default cipher list. Python community did an exceptional investigation on benefits of dropping support for OpenSSL 1.1.0 when they did the same in 2021: https://peps.python.org/pep-0644/ * TLSv1 and TLSv1.1 are deprecated. They will be removed from OVS 3.6, so marking as deprecated in OVN as well. TLSv1 and TLSv1.1 are officially deprecated by RFC 8996 since March of 2021: https://datatracker.ietf.org/doc/rfc8996/ Both protocols should not generally be used (RFC says MUST NOT) and are being actively removed from support by major distributions and libraries. Before this change, OVS/OVN would use TLSv1 or later, if the protocols are not specified in the database or command line (this includes TLSv1.3 that is not supported explicitly). After the change, this becomes TLSv1.2 or later. * Added explicit support for TLSv1.3 and TLSv1.3+ ciphersuites. * Added support for ranges in ssl-protocols. * Defaults for ssl-ciphers with TLSv1.2 and earlier changed to 'DEFAULT:@SECLEVEL=2' to get at least 112 bits of security strength and allow distributions to more easily control default set of ciphers to use by re-configuring OpenSSL. There is one problem with setting database column ssl_ciphersuites to be enabled for ovsdb-server in ovn-ctl script. During upgrade, if the old schema doesn't have this column, ovsdb-server will refuse to start. So, we can't turn this option on for clustered databases by default. We should be able to do so after next LTS release. This should not be a big problem, since there should not be a high demand for changing default ciphersuites (TLSv1.3 is relatively new and all current ciphersuites are secure). We could add an extra knob to force enabling the option, but I'm not sure if that is necessary. Users can ask for specific ciphsuites with a cmdline option instead when necessary. For standalone databases, schema upgrade is happening before starting the ovsdb-server, so it's safe to turn the database option on. Submodule is moved to point at OVS main, but the intention is to move it to branch-3.5 as soon as it is available. There are some line length warnings in ovn-ctl help strings, but those need larger refactoring of all the surroundings if we want to get them fit. Signed-off-by: Ilya Maximets <[email protected]> Acked-by: Mark Michelson <[email protected]> Signed-off-by: Numan Siddique <[email protected]>
ovn-org · Jan 3, 2025 · dbdd8ea · dbdd8ea
1 parent 7c1102b
commit dbdd8ea
Show file tree

Hide file tree

Showing 29 changed files with 325 additions and 92 deletions.
diff --git a/NEWS b/NEWS
@@ -13,6 +13,21 @@ Post v24.09.0
    - ovn-nb: Changed schema of ovn-nb to make networks optional within Logical
      Router Ports.
    - Bump python version required for building OVN to 3.7.
+   - SSL/TLS:
+     * TLSv1 and TLSv1.1 protocols are deprecated and disabled by default
+       on OpenFlow and database connections.  Use --ssl-protocols to turn
+       them back on.  Support will be fully removed in the next release.
+     * OpenSSL 1.1.1 or newer is now required for SSL/TLS support.
+     * The protocol list in --ssl-protocols or corresponding database column
+       now supports specifying simple protocol ranges like:
+         - "TLSv1-TLSv1.2" to enable all protocols between TLSv1 and TLSv1.2.
+         - "TLSv1.2+" to enable protocol TLSv1.2 and later.
+       The value must be a list of protocols or exactly one protocol range.
+     * Added explicit support for TLSv1.3.  It can now be enabled via
+       --ssl-protocols (TLSv1.3 was supported in earlier versions only when
+       this option was not set).  TLS ciphersuites for TLSv1.3 and later can
+       be configured via --ssl-ciphersuites (--ssl-ciphers only applies to
+       TLSv1.2 and earlier).
 
 OVN v24.09.0 - 13 Sep 2024
 --------------------------

diff --git a/TODO.rst b/TODO.rst
@@ -133,3 +133,6 @@ OVN To-do List
 
 * Remove flows with `check_pkt_larger` when userspace datapath can handle
   PMTUD. (https://issues.redhat.com/browse/FDP-256)
+
+* Remove ssl_ciphersuites workaround for clustered databases from ovn-ctl
+  after 26.03 release, assuming it will be an LTS release.
diff --git a/controller/ovn-controller.c b/controller/ovn-controller.c
@@ -6131,6 +6131,10 @@ parse_options(int argc, char *argv[])
             stream_ssl_set_ciphers(optarg);
             break;
 
+        case OPT_SSL_CIPHERSUITES:
+            stream_ssl_set_ciphersuites(optarg);
+            break;
+
         case OPT_PEER_CA_CERT:
             stream_ssl_set_peer_ca_cert_file(optarg);
             break;

diff --git a/ic/ovn-ic.c b/ic/ovn-ic.c
@@ -1984,6 +1984,10 @@ parse_options(int argc OVS_UNUSED, char *argv[] OVS_UNUSED)
             stream_ssl_set_ciphers(optarg);
             break;
 
+        case OPT_SSL_CIPHERSUITES:
+            stream_ssl_set_ciphersuites(optarg);
+            break;
+
         case 'd':
             ovnsb_db = optarg;
             break;

diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
@@ -660,6 +660,10 @@ parse_options(int argc OVS_UNUSED, char *argv[] OVS_UNUSED,
             stream_ssl_set_ciphers(optarg);
             break;
 
+        case OPT_SSL_CIPHERSUITES:
+            stream_ssl_set_ciphersuites(optarg);
+            break;
+
         case 'd':
             ovnsb_db = optarg;
             break;

diff --git a/ovn-ic-nb.ovsschema b/ovn-ic-nb.ovsschema
@@ -1,7 +1,7 @@
 {
     "name": "OVN_IC_Northbound",
-    "version": "1.1.0",
-    "cksum": "3964083684 3501",
+    "version": "1.2.0",
+    "cksum": "4176728051 3557",
     "tables": {
         "IC_NB_Global": {
             "columns": {
@@ -68,6 +68,7 @@
                 "bootstrap_ca_cert": {"type": "boolean"},
                 "ssl_protocols": {"type": "string"},
                 "ssl_ciphers": {"type": "string"},
+                "ssl_ciphersuites": {"type": "string"},
                 "external_ids": {"type": {"key": "string",
                                           "value": "string",
                                           "min": 0,

diff --git a/ovn-ic-nb.xml b/ovn-ic-nb.xml
@@ -145,15 +145,40 @@
     </column>
 
     <column name="ssl_protocols">
-      List of SSL/TLS protocols to be enabled for SSL/TLS connections. The
-      default when this option is omitted is
-      <code>TLSv1,TLSv1.1,TLSv1.2</code>.
+      <p>
+        Range or a comma- or space-delimited list of the SSL/TLS protocols to
+        enable for SSL/TLS connections.
+      </p>
+      <p>
+        Supported protocols include <code>TLSv1</code> (deprecated),
+        <code>TLSv1.1</code> (deprecated), <code>TLSv1.2</code> and
+        <code>TLSv1.3</code>.  Ranges can be provided in a form of two protocol
+        names separated with a dash (<code>TLSv1.1-TLSv1.2</code>), or as a
+        single protocol name with a plus sign (<code>TLSv1.2+</code>).  The
+        value can be a list of protocols or exactly one range.  The range is a
+        preferred way of specifying protocols and the configuration always
+        behaves as if the range between the minimum and the maximum specified
+        version is provided, i.e., if the value is set to
+        <code>TLSv1.1,TLSv1.3</code>, the <code>TLSv1.2</code> will also be
+        enabled as if it was a range.
+        Regardless of order, the highest protocol supported by both sides will
+        be chosen when making the connection.
+      </p>
+      <p>
+        The default when this option is omitted is <code>TLSv1.2+</code>.
+      </p>
     </column>
 
     <column name="ssl_ciphers">
       List of ciphers (in OpenSSL cipher string format) to be supported
-      for SSL/TLS connections. The default when this option is omitted is
-      <code>HIGH:!aNULL:!MD5</code>.
+      for SSL/TLS connections with TLSv1.2 and earlier.  The default when this
+      option is omitted is <code>DEFAULT:@SECLEVEL=2</code>.
+    </column>
+
+    <column name="ssl_ciphersuites">
+      List of ciphersuites (in OpenSSL ciphersuites string format) to be
+      supported for SSL/TLS connections with TLSv1.3 and later.  Default value
+      from OpenSSL will be used when this option is omitted.
     </column>
 
     <group title="Common Columns">

diff --git a/ovn-ic-sb.ovsschema b/ovn-ic-sb.ovsschema
@@ -1,7 +1,7 @@
 {
     "name": "OVN_IC_Southbound",
-    "version": "1.2.0",
-    "cksum": "1381014956 7032",
+    "version": "1.3.0",
+    "cksum": "3496599919 7088",
     "tables": {
         "IC_SB_Global": {
             "columns": {
@@ -139,6 +139,7 @@
                 "bootstrap_ca_cert": {"type": "boolean"},
                 "ssl_protocols": {"type": "string"},
                 "ssl_ciphers": {"type": "string"},
+                "ssl_ciphersuites": {"type": "string"},
                 "external_ids": {"type": {"key": "string",
                                           "value": "string",
                                           "min": 0,

diff --git a/ovn-ic-sb.xml b/ovn-ic-sb.xml
@@ -646,15 +646,40 @@
     </column>
 
     <column name="ssl_protocols">
-      List of SSL/TLS protocols to be enabled for SSL/TLS connections. The
-      default when this option is omitted is
-      <code>TLSv1,TLSv1.1,TLSv1.2</code>.
+      <p>
+        Range or a comma- or space-delimited list of the SSL/TLS protocols to
+        enable for SSL/TLS connections.
+      </p>
+      <p>
+        Supported protocols include <code>TLSv1</code> (deprecated),
+        <code>TLSv1.1</code> (deprecated), <code>TLSv1.2</code> and
+        <code>TLSv1.3</code>.  Ranges can be provided in a form of two protocol
+        names separated with a dash (<code>TLSv1.1-TLSv1.2</code>), or as a
+        single protocol name with a plus sign (<code>TLSv1.2+</code>).  The
+        value can be a list of protocols or exactly one range.  The range is a
+        preferred way of specifying protocols and the configuration always
+        behaves as if the range between the minimum and the maximum specified
+        version is provided, i.e., if the value is set to
+        <code>TLSv1.1,TLSv1.3</code>, the <code>TLSv1.2</code> will also be
+        enabled as if it was a range.
+        Regardless of order, the highest protocol supported by both sides will
+        be chosen when making the connection.
+      </p>
+      <p>
+        The default when this option is omitted is <code>TLSv1.2+</code>.
+      </p>
     </column>
 
     <column name="ssl_ciphers">
       List of ciphers (in OpenSSL cipher string format) to be supported
-      for SSL/TLS connections. The default when this option is omitted is
-      <code>HIGH:!aNULL:!MD5</code>.
+      for SSL/TLS connections with TLSv1.2 and earlier.  The default when this
+      option is omitted is <code>DEFAULT:@SECLEVEL=2</code>.
+    </column>
+
+    <column name="ssl_ciphersuites">
+      List of ciphersuites (in OpenSSL ciphersuites string format) to be
+      supported for SSL/TLS connections with TLSv1.3 and later.  Default value
+      from OpenSSL will be used when this option is omitted.
     </column>
 
     <group title="Common Columns">

diff --git a/ovn-nb.ovsschema b/ovn-nb.ovsschema
@@ -1,7 +1,7 @@
 {
     "name": "OVN_Northbound",
-    "version": "7.8.0",
-    "cksum": "3497747919 38626",
+    "version": "7.9.0",
+    "cksum": "2414335430 38682",
     "tables": {
         "NB_Global": {
             "columns": {
@@ -653,6 +653,7 @@
                 "bootstrap_ca_cert": {"type": "boolean"},
                 "ssl_protocols": {"type": "string"},
                 "ssl_ciphers": {"type": "string"},
+                "ssl_ciphersuites": {"type": "string"},
                 "external_ids": {"type": {"key": "string",
                                           "value": "string",
                                           "min": 0,

diff --git a/ovn-nb.xml b/ovn-nb.xml
@@ -5037,15 +5037,40 @@ or
     </column>
 
     <column name="ssl_protocols">
-      List of SSL/TLS protocols to be enabled for SSL/TLS connections. The
-      default when this option is omitted is
-      <code>TLSv1,TLSv1.1,TLSv1.2</code>.
+      <p>
+        Range or a comma- or space-delimited list of the SSL/TLS protocols to
+        enable for SSL/TLS connections.
+      </p>
+      <p>
+        Supported protocols include <code>TLSv1</code> (deprecated),
+        <code>TLSv1.1</code> (deprecated), <code>TLSv1.2</code> and
+        <code>TLSv1.3</code>.  Ranges can be provided in a form of two protocol
+        names separated with a dash (<code>TLSv1.1-TLSv1.2</code>), or as a
+        single protocol name with a plus sign (<code>TLSv1.2+</code>).  The
+        value can be a list of protocols or exactly one range.  The range is a
+        preferred way of specifying protocols and the configuration always
+        behaves as if the range between the minimum and the maximum specified
+        version is provided, i.e., if the value is set to
+        <code>TLSv1.1,TLSv1.3</code>, the <code>TLSv1.2</code> will also be
+        enabled as if it was a range.
+        Regardless of order, the highest protocol supported by both sides will
+        be chosen when making the connection.
+      </p>
+      <p>
+        The default when this option is omitted is <code>TLSv1.2+</code>.
+      </p>
     </column>
 
     <column name="ssl_ciphers">
       List of ciphers (in OpenSSL cipher string format) to be supported
-      for SSL/TLS connections. The default when this option is omitted is
-      <code>HIGH:!aNULL:!MD5</code>.
+      for SSL/TLS connections with TLSv1.2 and earlier.  The default when this
+      option is omitted is <code>DEFAULT:@SECLEVEL=2</code>.
+    </column>
+
+    <column name="ssl_ciphersuites">
+      List of ciphersuites (in OpenSSL ciphersuites string format) to be
+      supported for SSL/TLS connections with TLSv1.3 and later.  Default value
+      from OpenSSL will be used when this option is omitted.
     </column>
 
     <group title="Common Columns">

diff --git a/ovn-sb.ovsschema b/ovn-sb.ovsschema
@@ -1,7 +1,7 @@
 {
     "name": "OVN_Southbound",
-    "version": "20.38.0",
-    "cksum": "3113335473 33491",
+    "version": "20.39.0",
+    "cksum": "6416280 33547",
     "tables": {
         "SB_Global": {
             "columns": {
@@ -350,6 +350,7 @@
                 "bootstrap_ca_cert": {"type": "boolean"},
                 "ssl_protocols": {"type": "string"},
                 "ssl_ciphers": {"type": "string"},
+                "ssl_ciphersuites": {"type": "string"},
                 "external_ids": {"type": {"key": "string",
                                           "value": "string",
                                           "min": 0,

diff --git a/ovn-sb.xml b/ovn-sb.xml
@@ -4586,15 +4586,40 @@ tcp.flags = RST;
     </column>
 
     <column name="ssl_protocols">
-      List of SSL/TLS protocols to be enabled for SSL/TLS connections. The
-      default when this option is omitted is
-      <code>TLSv1,TLSv1.1,TLSv1.2</code>.
+      <p>
+        Range or a comma- or space-delimited list of the SSL/TLS protocols to
+        enable for SSL/TLS connections.
+      </p>
+      <p>
+        Supported protocols include <code>TLSv1</code> (deprecated),
+        <code>TLSv1.1</code> (deprecated), <code>TLSv1.2</code> and
+        <code>TLSv1.3</code>.  Ranges can be provided in a form of two protocol
+        names separated with a dash (<code>TLSv1.1-TLSv1.2</code>), or as a
+        single protocol name with a plus sign (<code>TLSv1.2+</code>).  The
+        value can be a list of protocols or exactly one range.  The range is a
+        preferred way of specifying protocols and the configuration always
+        behaves as if the range between the minimum and the maximum specified
+        version is provided, i.e., if the value is set to
+        <code>TLSv1.1,TLSv1.3</code>, the <code>TLSv1.2</code> will also be
+        enabled as if it was a range.
+        Regardless of order, the highest protocol supported by both sides will
+        be chosen when making the connection.
+      </p>
+      <p>
+        The default when this option is omitted is <code>TLSv1.2+</code>.
+      </p>
     </column>
 
     <column name="ssl_ciphers">
       List of ciphers (in OpenSSL cipher string format) to be supported
-      for SSL/TLS connections. The default when this option is omitted is
-      <code>HIGH:!aNULL:!MD5</code>.
+      for SSL/TLS connections with TLSv1.2 and earlier.  The default when this
+      option is omitted is <code>DEFAULT:@SECLEVEL=2</code>.
+    </column>
+
+    <column name="ssl_ciphersuites">
+      List of ciphersuites (in OpenSSL ciphersuites string format) to be
+      supported for SSL/TLS connections with TLSv1.3 and later.  Default value
+      from OpenSSL will be used when this option is omitted.
     </column>
 
     <group title="Common Columns">

diff --git a/ovs b/ovs
diff --git a/tests/ovn-controller.at b/tests/ovn-controller.at
@@ -2833,7 +2833,7 @@ ovn_attach n1 br-phys 192.168.0.20
 
 # Set cipher and and it should connect
 OVS_APP_EXIT_AND_WAIT([ovn-controller])
-start_daemon ovn-controller --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2'
+start_daemon ovn-controller --ssl-ciphers='DEFAULT@SECLEVEL=2' --ssl-protocols='TLSv1.2'
 
 OVS_WAIT_FOR_OUTPUT([ovn-appctl -t ovn-controller connection-status], [0], [connected
 ])