diff --git a/NEWS b/NEWS
index 9738babd86..72c5a63398 100644
--- a/NEWS
+++ b/NEWS
@@ -13,6 +13,21 @@ Post v24.09.0
 - ovn-nb: Changed schema of ovn-nb to make networks optional within Logical Router Ports.
 - Bump python version required for building OVN to 3.7.
+ - SSL/TLS:
+ * TLSv1 and TLSv1.1 protocols are deprecated and disabled by default
+ on OpenFlow and database connections. Use --ssl-protocols to turn
+ them back on. Support will be fully removed in the next release.
+ * OpenSSL 1.1.1 or newer is now required for SSL/TLS support.
+ * The protocol list in --ssl-protocols or corresponding database column
+ now supports specifying simple protocol ranges like:
+ - "TLSv1-TLSv1.2" to enable all protocols between TLSv1 and TLSv1.2.
+ - "TLSv1.2+" to enable protocol TLSv1.2 and later.
+ The value must be a list of protocols or exactly one protocol range.
+ * Added explicit support for TLSv1.3. It can now be enabled via
+ --ssl-protocols (TLSv1.3 was supported in earlier versions only when
+ this option was not set). TLS ciphersuites for TLSv1.3 and later can
+ be configured via --ssl-ciphersuites (--ssl-ciphers only applies to
+ TLSv1.2 and earlier).
 OVN v24.09.0 - 13 Sep 2024
 --------------------------
diff --git a/TODO.rst b/TODO.rst
index ac4202f362..3426497a70 100644
--- a/TODO.rst
+++ b/TODO.rst
@@ -133,3 +133,6 @@ OVN To-do List
 * Remove flows with `check_pkt_larger` when userspace datapath can handle PMTUD. (https://issues.redhat.com/browse/FDP-256)
+
+* Remove ssl_ciphersuites workaround for clustered databases from ovn-ctl after 26.03 release, assuming it will be an LTS release.
diff --git a/controller/ovn-controller.c b/controller/ovn-controller.c
index b62225c276..d875ecc1e6 100644
--- a/controller/ovn-controller.c
+++ b/controller/ovn-controller.c
@@ -6131,6 +6131,10 @@ parse_options(int argc, char *argv[])
 stream_ssl_set_ciphers(optarg);
 break;
+ case OPT_SSL_CIPHERSUITES:
+ stream_ssl_set_ciphersuites(optarg);
+ break;
+
 case OPT_PEER_CA_CERT:
 stream_ssl_set_peer_ca_cert_file(optarg);
 break;
diff --git a/ic/ovn-ic.c b/ic/ovn-ic.c
index 46994e82ae..8320cbea52 100644
--- a/ic/ovn-ic.c
+++ b/ic/ovn-ic.c
@@ -1984,6 +1984,10 @@ parse_options(int argc OVS_UNUSED, char *argv[] OVS_UNUSED)
 stream_ssl_set_ciphers(optarg);
 break;
+ case OPT_SSL_CIPHERSUITES:
+ stream_ssl_set_ciphersuites(optarg);
+ break;
+
 case 'd':
 ovnsb_db = optarg;
 break;
diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
index d36aba28b7..aa4c576636 100644
--- a/northd/ovn-northd.c
+++ b/northd/ovn-northd.c
@@ -660,6 +660,10 @@ parse_options(int argc OVS_UNUSED, char *argv[] OVS_UNUSED,
 stream_ssl_set_ciphers(optarg);
 break;
+ case OPT_SSL_CIPHERSUITES:
+ stream_ssl_set_ciphersuites(optarg);
+ break;
+
 case 'd':
 ovnsb_db = optarg;
 break;
diff --git a/ovn-ic-nb.ovsschema b/ovn-ic-nb.ovsschema
index bee1743571..8145b0335b 100644
--- a/ovn-ic-nb.ovsschema
+++ b/ovn-ic-nb.ovsschema
@@ -1,7 +1,7 @@
 {
 "name": "OVN_IC_Northbound",
- "version": "1.1.0",
- "cksum": "3964083684 3501",
+ "version": "1.2.0",
+ "cksum": "4176728051 3557",
 "tables": {
 "IC_NB_Global": {
 "columns": {
@@ -68,6 +68,7 @@
 "bootstrap_ca_cert": {"type": "boolean"},
 "ssl_protocols": {"type": "string"},
 "ssl_ciphers": {"type": "string"},
+ "ssl_ciphersuites": {"type": "string"},
 "external_ids": {"type": {"key": "string", "value": "string", "min": 0,
diff --git a/ovn-ic-nb.xml b/ovn-ic-nb.xml
index a849413744..80138400d7 100644
--- a/ovn-ic-nb.xml
+++ b/ovn-ic-nb.xml
@@ -145,15 +145,40 @@ - List of SSL/TLS protocols to be enabled for SSL/TLS connections. The - default when this option is omitted is - TLSv1,TLSv1.1,TLSv1.2. +

+ Range or a comma- or space-delimited list of the SSL/TLS protocols to + enable for SSL/TLS connections. +

+

+ Supported protocols include TLSv1 (deprecated), + TLSv1.1 (deprecated), TLSv1.2 and + TLSv1.3. Ranges can be provided in a form of two protocol + names separated with a dash (TLSv1.1-TLSv1.2), or as a + single protocol name with a plus sign (TLSv1.2+). The + value can be a list of protocols or exactly one range. The range is a + preferred way of specifying protocols and the configuration always + behaves as if the range between the minimum and the maximum specified + version is provided, i.e., if the value is set to + TLSv1.1,TLSv1.3, the TLSv1.2 will also be + enabled as if it was a range. + Regardless of order, the highest protocol supported by both sides will + be chosen when making the connection. +

+

+ The default when this option is omitted is TLSv1.2+. +

List of ciphers (in OpenSSL cipher string format) to be supported - for SSL/TLS connections. The default when this option is omitted is - HIGH:!aNULL:!MD5. + for SSL/TLS connections with TLSv1.2 and earlier. The default when this + option is omitted is DEFAULT:@SECLEVEL=2. + + + + List of ciphersuites (in OpenSSL ciphersuites string format) to be + supported for SSL/TLS connections with TLSv1.3 and later. Default value + from OpenSSL will be used when this option is omitted. diff --git a/ovn-ic-sb.ovsschema b/ovn-ic-sb.ovsschema index 5baf141cf5..097d6f3703 100644 --- a/ovn-ic-sb.ovsschema +++ b/ovn-ic-sb.ovsschema @@ -1,7 +1,7 @@ { "name": "OVN_IC_Southbound", - "version": "1.2.0", - "cksum": "1381014956 7032", + "version": "1.3.0", + "cksum": "3496599919 7088", "tables": { "IC_SB_Global": { "columns": { @@ -139,6 +139,7 @@ "bootstrap_ca_cert": {"type": "boolean"}, "ssl_protocols": {"type": "string"}, "ssl_ciphers": {"type": "string"}, + "ssl_ciphersuites": {"type": "string"}, "external_ids": {"type": {"key": "string", "value": "string", "min": 0, diff --git a/ovn-ic-sb.xml b/ovn-ic-sb.xml index 326c990314..46c77a814b 100644 --- a/ovn-ic-sb.xml +++ b/ovn-ic-sb.xml @@ -646,15 +646,40 @@ - List of SSL/TLS protocols to be enabled for SSL/TLS connections. The - default when this option is omitted is - TLSv1,TLSv1.1,TLSv1.2. +

+ Range or a comma- or space-delimited list of the SSL/TLS protocols to + enable for SSL/TLS connections. +

+

+ Supported protocols include TLSv1 (deprecated), + TLSv1.1 (deprecated), TLSv1.2 and + TLSv1.3. Ranges can be provided in a form of two protocol + names separated with a dash (TLSv1.1-TLSv1.2), or as a + single protocol name with a plus sign (TLSv1.2+). The + value can be a list of protocols or exactly one range. The range is a + preferred way of specifying protocols and the configuration always + behaves as if the range between the minimum and the maximum specified + version is provided, i.e., if the value is set to + TLSv1.1,TLSv1.3, the TLSv1.2 will also be + enabled as if it was a range. + Regardless of order, the highest protocol supported by both sides will + be chosen when making the connection. +

+

+ The default when this option is omitted is TLSv1.2+. +

List of ciphers (in OpenSSL cipher string format) to be supported - for SSL/TLS connections. The default when this option is omitted is - HIGH:!aNULL:!MD5. + for SSL/TLS connections with TLSv1.2 and earlier. The default when this + option is omitted is DEFAULT:@SECLEVEL=2. + + + + List of ciphersuites (in OpenSSL ciphersuites string format) to be + supported for SSL/TLS connections with TLSv1.3 and later. Default value + from OpenSSL will be used when this option is omitted. diff --git a/ovn-nb.ovsschema b/ovn-nb.ovsschema index 09361920f9..e7aa6b2b13 100644 --- a/ovn-nb.ovsschema +++ b/ovn-nb.ovsschema @@ -1,7 +1,7 @@ { "name": "OVN_Northbound", - "version": "7.8.0", - "cksum": "3497747919 38626", + "version": "7.9.0", + "cksum": "2414335430 38682", "tables": { "NB_Global": { "columns": { @@ -653,6 +653,7 @@ "bootstrap_ca_cert": {"type": "boolean"}, "ssl_protocols": {"type": "string"}, "ssl_ciphers": {"type": "string"}, + "ssl_ciphersuites": {"type": "string"}, "external_ids": {"type": {"key": "string", "value": "string", "min": 0, diff --git a/ovn-nb.xml b/ovn-nb.xml index 1e0d6e3ab3..24ef12f3bc 100644 --- a/ovn-nb.xml +++ b/ovn-nb.xml @@ -5037,15 +5037,40 @@ or - List of SSL/TLS protocols to be enabled for SSL/TLS connections. The - default when this option is omitted is - TLSv1,TLSv1.1,TLSv1.2. +

+ Range or a comma- or space-delimited list of the SSL/TLS protocols to + enable for SSL/TLS connections. +

+

+ Supported protocols include TLSv1 (deprecated), + TLSv1.1 (deprecated), TLSv1.2 and + TLSv1.3. Ranges can be provided in a form of two protocol + names separated with a dash (TLSv1.1-TLSv1.2), or as a + single protocol name with a plus sign (TLSv1.2+). The + value can be a list of protocols or exactly one range. The range is a + preferred way of specifying protocols and the configuration always + behaves as if the range between the minimum and the maximum specified + version is provided, i.e., if the value is set to + TLSv1.1,TLSv1.3, the TLSv1.2 will also be + enabled as if it was a range. + Regardless of order, the highest protocol supported by both sides will + be chosen when making the connection. +

+

+ The default when this option is omitted is TLSv1.2+. +

List of ciphers (in OpenSSL cipher string format) to be supported - for SSL/TLS connections. The default when this option is omitted is - HIGH:!aNULL:!MD5. + for SSL/TLS connections with TLSv1.2 and earlier. The default when this + option is omitted is DEFAULT:@SECLEVEL=2. + + + + List of ciphersuites (in OpenSSL ciphersuites string format) to be + supported for SSL/TLS connections with TLSv1.3 and later. Default value + from OpenSSL will be used when this option is omitted. diff --git a/ovn-sb.ovsschema b/ovn-sb.ovsschema index 3056ecc389..e461a518bd 100644 --- a/ovn-sb.ovsschema +++ b/ovn-sb.ovsschema @@ -1,7 +1,7 @@ { "name": "OVN_Southbound", - "version": "20.38.0", - "cksum": "3113335473 33491", + "version": "20.39.0", + "cksum": "6416280 33547", "tables": { "SB_Global": { "columns": { @@ -350,6 +350,7 @@ "bootstrap_ca_cert": {"type": "boolean"}, "ssl_protocols": {"type": "string"}, "ssl_ciphers": {"type": "string"}, + "ssl_ciphersuites": {"type": "string"}, "external_ids": {"type": {"key": "string", "value": "string", "min": 0, diff --git a/ovn-sb.xml b/ovn-sb.xml index cc9d2c772b..f612eb2b7b 100644 --- a/ovn-sb.xml +++ b/ovn-sb.xml @@ -4586,15 +4586,40 @@ tcp.flags = RST; - List of SSL/TLS protocols to be enabled for SSL/TLS connections. The - default when this option is omitted is - TLSv1,TLSv1.1,TLSv1.2. +

+ Range or a comma- or space-delimited list of the SSL/TLS protocols to + enable for SSL/TLS connections. +

+

+ Supported protocols include TLSv1 (deprecated), + TLSv1.1 (deprecated), TLSv1.2 and + TLSv1.3. Ranges can be provided in a form of two protocol + names separated with a dash (TLSv1.1-TLSv1.2), or as a + single protocol name with a plus sign (TLSv1.2+). The + value can be a list of protocols or exactly one range. The range is a + preferred way of specifying protocols and the configuration always + behaves as if the range between the minimum and the maximum specified + version is provided, i.e., if the value is set to + TLSv1.1,TLSv1.3, the TLSv1.2 will also be + enabled as if it was a range. + Regardless of order, the highest protocol supported by both sides will + be chosen when making the connection. +

+

+ The default when this option is omitted is TLSv1.2+. +

List of ciphers (in OpenSSL cipher string format) to be supported - for SSL/TLS connections. The default when this option is omitted is - HIGH:!aNULL:!MD5. + for SSL/TLS connections with TLSv1.2 and earlier. The default when this + option is omitted is DEFAULT:@SECLEVEL=2. + + + + List of ciphersuites (in OpenSSL ciphersuites string format) to be + supported for SSL/TLS connections with TLSv1.3 and later. Default value + from OpenSSL will be used when this option is omitted. diff --git a/ovs b/ovs index a15ce086d4..7b1ce8e2a0 160000 --- a/ovs +++ b/ovs @@ -1 +1 @@ -Subproject commit a15ce086d41f9dfe6c1589333413b8e777401ef0 +Subproject commit 7b1ce8e2a08454839c52b8cc02fdde5c78e7c40e diff --git a/tests/ovn-controller.at b/tests/ovn-controller.at index c9ed879def..2bf8b53d07 100644 --- a/tests/ovn-controller.at +++ b/tests/ovn-controller.at @@ -2833,7 +2833,7 @@ ovn_attach n1 br-phys 192.168.0.20 # Set cipher and and it should connect OVS_APP_EXIT_AND_WAIT([ovn-controller]) -start_daemon ovn-controller --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' +start_daemon ovn-controller --ssl-ciphers='DEFAULT@SECLEVEL=2' --ssl-protocols='TLSv1.2' OVS_WAIT_FOR_OUTPUT([ovn-appctl -t ovn-controller connection-status], [0], [connected ]) diff --git a/tests/ovn.at b/tests/ovn.at index c4427460a8..de01a649f6 100644 --- a/tests/ovn.at +++ b/tests/ovn.at @@ -38245,7 +38245,7 @@ OVN_CLEANUP([hv1]) AT_CLEANUP ]) -AT_SETUP([read-only sb db:pssl access with ssl-ciphers and ssl-protocols]) +AT_SETUP([read-only sb db:pssl access with ssl-ciphers/uites and ssl-protocols]) AT_SKIP_IF([test "$HAVE_OPENSSL" = no]) PKIDIR="$(cd $abs_top_builddir/tests && pwd)" AT_SKIP_IF([expr "$PKIDIR" : ".*[[ '\" 
@@ -38273,8 +38273,9 @@ start_daemon ovsdb-server --remote=punix:ovn-sb.sock \ --private-key="$PKIDIR/testpki-test2-privkey.pem" \ --certificate="$PKIDIR/testpki-test2-cert.pem" \ --ca-cert="$PKIDIR/testpki-cacert.pem" \ - --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \ - --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \ + --ssl-ciphers='DEFAULT:@SECLEVEL=2' \ + --ssl-ciphersuites='TLS_CHACHA20_POLY1305_SHA256' \ + --ssl-protocols='TLSv1.2-TLSv1.3' \ ovn-sb.db PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT]) @@ -38284,15 +38285,17 @@ AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ --private-key=$PKIDIR/testpki-test-privkey.pem \ --certificate=$PKIDIR/testpki-test-cert.pem \ --ca-cert=$PKIDIR/testpki-cacert.pem \ - --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \ - --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \ + --ssl-ciphers='DEFAULT:@SECLEVEL=2' \ + --ssl-ciphersuites='TLS_CHACHA20_POLY1305_SHA256' \ + --ssl-protocols='TLSv1.2-TLSv1.3' \ list SB_Global], [0], [stdout], [ignore]) AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ --private-key=$PKIDIR/testpki-test-privkey.pem \ --certificate=$PKIDIR/testpki-test-cert.pem \ --ca-cert=$PKIDIR/testpki-cacert.pem \ - --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \ - --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \ + --ssl-ciphers='DEFAULT:@SECLEVEL=2' \ + --ssl-ciphersuites='TLS_CHACHA20_POLY1305_SHA256' \ + --ssl-protocols='TLSv1.2-TLSv1.3' \ list Connection], [0], [stdout], [ignore]) # write access should fail 
@@ -38300,8 +38303,9 @@ AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ --private-key=$PKIDIR/testpki-test-privkey.pem \ --certificate=$PKIDIR/testpki-test-cert.pem \ --ca-cert=$PKIDIR/testpki-cacert.pem \ - --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \ - --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \ + --ssl-ciphers='DEFAULT:@SECLEVEL=2' \ + --ssl-ciphersuites='TLS_CHACHA20_POLY1305_SHA256' \ + --ssl-protocols='TLSv1.2-TLSv1.3' \ chassis-add ch vxlan 1.2.4.8 2>&1 | grep 'transaction error'], [0], [dnl ovn-sbctl: transaction error: {"details":"insert operation not allowed when database server is in read only mode","error":"not allowed"} ], [ignore]) @@ -38309,7 +38313,7 @@ ovn-sbctl: transaction error: {"details":"insert operation not allowed when data OVS_APP_EXIT_AND_WAIT([ovsdb-server]) AT_CLEANUP -AT_SETUP([nb connection/ssl commands with ssl-ciphers and ssl-protocols]) +AT_SETUP([nb connection/ssl commands with ssl-ciphers/uites and ssl-protocols]) AT_SKIP_IF([test "$HAVE_OPENSSL" = no]) PKIDIR="$(cd $abs_top_builddir/tests && pwd)" AT_SKIP_IF([expr "$PKIDIR" : ".*[[ '\" 
@@ -38324,15 +38328,20 @@ start_daemon ovsdb-server --remote=punix:ovnnb_db.sock \ --private-key=db:OVN_Northbound,SSL,private_key \ --certificate=db:OVN_Northbound,SSL,certificate \ --ca-cert=db:OVN_Northbound,SSL,ca_cert \ - --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \ - --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \ + --ssl-protocols=db:OVN_Northbound,SSL,ssl_protocols \ + --ssl-ciphers=db:OVN_Northbound,SSL,ssl_ciphers \ + --ssl-ciphersuites=db:OVN_Northbound,SSL,ssl_ciphersuites \ ovn-nb.db # Populate SSL/TLS configuration entries in nb db AT_CHECK( [ovn-nbctl set-ssl $PKIDIR/testpki-test-privkey.pem \ $PKIDIR/testpki-test-cert.pem \ - $PKIDIR/testpki-cacert.pem], [0], [stdout], [ignore]) + $PKIDIR/testpki-cacert.pem \ + 'TLSv1.2-TLSv1.3' \ + 'DEFAULT:@SECLEVEL=2' \ + 'TLS_CHACHA20_POLY1305_SHA256'], + [0], [stdout], [ignore]) # Populate a passive SSL/TLS connection in nb db AT_CHECK([ovn-nbctl set-connection pssl:0:127.0.0.1], [0], [stdout], [ignore]) 
@@ -38344,31 +38353,34 @@ AT_CHECK([ovn-nbctl --db=ssl:127.0.0.1:$TCP_PORT \ --private-key=$PKIDIR/testpki-test-privkey.pem \ --certificate=$PKIDIR/testpki-test-cert.pem \ --ca-cert=$PKIDIR/testpki-cacert.pem \ - --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \ - --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \ + --ssl-ciphers='DEFAULT:@SECLEVEL=2' \ + --ssl-ciphersuites='TLS_CHACHA20_POLY1305_SHA256' \ + --ssl-protocols='TLSv1.2-TLSv1.3' \ list NB_Global], [0], [stdout], [ignore]) AT_CHECK([ovn-nbctl --db=ssl:127.0.0.1:$TCP_PORT \ --private-key=$PKIDIR/testpki-test-privkey.pem \ --certificate=$PKIDIR/testpki-test-cert.pem \ --ca-cert=$PKIDIR/testpki-cacert.pem \ - --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \ - --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \ + --ssl-ciphers='DEFAULT:@SECLEVEL=2' \ + --ssl-ciphersuites='TLS_CHACHA20_POLY1305_SHA256' \ + --ssl-protocols='TLSv1.2-TLSv1.3' \ list Connection], [0], [stdout], [ignore]) AT_CHECK([ovn-nbctl --db=ssl:127.0.0.1:$TCP_PORT \ --private-key=$PKIDIR/testpki-test-privkey.pem \ --certificate=$PKIDIR/testpki-test-cert.pem \ --ca-cert=$PKIDIR/testpki-cacert.pem \ - --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \ - --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \ + --ssl-ciphers='DEFAULT:@SECLEVEL=2' \ + --ssl-ciphersuites='TLS_CHACHA20_POLY1305_SHA256' \ + --ssl-protocols='TLSv1.2-TLSv1.3' \ get-connection], [0], [stdout], [ignore]) OVS_APP_EXIT_AND_WAIT([ovsdb-server]) AT_CLEANUP -AT_SETUP([sb connection/ssl commands with ssl-ciphers and ssl-protocols]) +AT_SETUP([sb connection/ssl commands with ssl-ciphers/uites and ssl-protocols]) AT_SKIP_IF([test "$HAVE_OPENSSL" = no]) PKIDIR="$(cd $abs_top_builddir/tests && pwd)" AT_SKIP_IF([expr "$PKIDIR" : ".*[[ '\" 
@@ -38383,15 +38395,20 @@ start_daemon ovsdb-server --remote=punix:ovnsb_db.sock \ --private-key=db:OVN_Southbound,SSL,private_key \ --certificate=db:OVN_Southbound,SSL,certificate \ --ca-cert=db:OVN_Southbound,SSL,ca_cert \ - --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \ - --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \ + --ssl-protocols=db:OVN_Southbound,SSL,ssl_protocols \ + --ssl-ciphers=db:OVN_Southbound,SSL,ssl_ciphers \ + --ssl-ciphersuites=db:OVN_Southbound,SSL,ssl_ciphersuites \ ovn-sb.db # Populate SSL/TLS configuration entries in sb db AT_CHECK( [ovn-sbctl set-ssl $PKIDIR/testpki-test-privkey.pem \ $PKIDIR/testpki-test-cert.pem \ - $PKIDIR/testpki-cacert.pem], [0], [stdout], [ignore]) + $PKIDIR/testpki-cacert.pem \ + 'TLSv1.2-TLSv1.3' \ + 'DEFAULT:@SECLEVEL=2' \ + 'TLS_CHACHA20_POLY1305_SHA256'], + [0], [stdout], [ignore]) # Populate a passive SSL/TLS connection in sb db AT_CHECK([ovn-sbctl set-connection pssl:0:127.0.0.1], [0], [stdout], [ignore]) 
@@ -38403,24 +38420,27 @@ AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ --private-key=$PKIDIR/testpki-test-privkey.pem \ --certificate=$PKIDIR/testpki-test-cert.pem \ --ca-cert=$PKIDIR/testpki-cacert.pem \ - --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \ - --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \ + --ssl-ciphers='DEFAULT:@SECLEVEL=2' \ + --ssl-ciphersuites='TLS_CHACHA20_POLY1305_SHA256' \ + --ssl-protocols='TLSv1.2-TLSv1.3' \ list SB_Global], [0], [stdout], [ignore]) AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ --private-key=$PKIDIR/testpki-test-privkey.pem \ --certificate=$PKIDIR/testpki-test-cert.pem \ --ca-cert=$PKIDIR/testpki-cacert.pem \ - --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \ - --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \ + --ssl-ciphers='DEFAULT:@SECLEVEL=2' \ + --ssl-ciphersuites='TLS_CHACHA20_POLY1305_SHA256' \ + --ssl-protocols='TLSv1.2-TLSv1.3' \ list Connection], [0], [stdout], [ignore]) AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ --private-key=$PKIDIR/testpki-test-privkey.pem \ --certificate=$PKIDIR/testpki-test-cert.pem \ --ca-cert=$PKIDIR/testpki-cacert.pem \ - --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \ - --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \ + --ssl-ciphers='DEFAULT:@SECLEVEL=2' \ + --ssl-ciphersuites='TLS_CHACHA20_POLY1305_SHA256' \ + --ssl-protocols='TLSv1.2-TLSv1.3' \ get-connection], [0], [stdout], [ignore]) diff --git a/tutorial/ovn-sandbox b/tutorial/ovn-sandbox index 787adb87a7..ed334d1c31 100755 --- a/tutorial/ovn-sandbox +++ b/tutorial/ovn-sandbox @@ -550,6 +550,7 @@ ovn_start_db() { --ca-cert=db:$schema_name,SSL,ca_cert \ --ssl-protocols=db:$schema_name,SSL,ssl_protocols \ --ssl-ciphers=db:$schema_name,SSL,ssl_ciphers \ + --ssl-ciphersuites=db:$schema_name,SSL,ssl_ciphersuites \ --unixctl=${db}$i --remote=punix:$db$i.ovsdb ${db}$i.db "$@" } diff --git a/utilities/ovn-ctl b/utilities/ovn-ctl index af2058a811..48cfc3214b 100755 --- a/utilities/ovn-ctl +++ b/utilities/ovn-ctl 
@@ -188,6 +188,7 @@ start_ovsdb__() {
 local cluster_db_upgrade
 local ovn_db_ssl_protocols
 local ovn_db_ssl_ciphers
+ local ovn_db_ssl_ciphersuites
 eval db_pid_file=\$DB_${DB}_PIDFILE
 eval cluster_local_addr=\$DB_${DB}_CLUSTER_LOCAL_ADDR
 eval cluster_local_port=\$DB_${DB}_CLUSTER_LOCAL_PORT
@@ -220,6 +221,7 @@ start_ovsdb__() {
 eval cluster_db_upgrade=\$DB_CLUSTER_SCHEMA_UPGRADE
 eval ovn_db_ssl_protocols=\$OVN_${DB}_DB_SSL_PROTOCOLS
 eval ovn_db_ssl_ciphers=\$OVN_${DB}_DB_SSL_CIPHERS
+ eval ovn_db_ssl_ciphersuites=\$OVN_${DB}_DB_SSL_CIPHERSUITES
 ovn_install_dir "$OVN_RUNDIR"
 ovn_install_dir "$ovn_logdir"
@@ -336,6 +338,24 @@ $cluster_remote_port
 set "$@" --ssl-ciphers=db:$schema_name,SSL,ssl_ciphers
 fi
+ if ovsdb-server --help | grep -q ciphersuites; then
+ if test X"$ovn_db_ssl_ciphersuites" != X; then
+ set "$@" --ssl-ciphersuites=$ovn_db_ssl_ciphersuites
+ elif test $mode = cluster; then
+ # XXX: The following line supposed to be here:
+ # set "$@" --ssl-ciphersuites=db:$schema_name,SSL,ssl_ciphersuites
+ # However, that will break upgrades when the old schema doesn't
+ # have ssl_ciphersuites column, because schema upgrade in clustered
+ # mode is happening after the database is started. And the server
+ # will not start with an option pointing to a non-existent column.
+ # This 'elif' should be removed once there is one LTS release with
+ # support for ssl_ciphersuites.
+ :
+ else
+ set "$@" --ssl-ciphersuites=db:$schema_name,SSL,ssl_ciphersuites
+ fi
+ fi
+
 if test X"$create_insecure_remote" = Xyes; then
 set "$@" --remote=ptcp:$port:$addr
 fi
@@ -559,6 +579,9 @@ start_northd () {
 if test X"$OVN_NORTHD_SSL_CIPHERS" != X; then
 set "$@" --ssl-ciphers=$OVN_NORTHD_SSL_CIPHERS
 fi
+ if test X"$OVN_NORTHD_SSL_CIPHERSUITES" != X; then
+ set "$@" --ssl-ciphersuites=$OVN_NORTHD_SSL_CIPHERSUITES
+ fi
 [ "$OVN_USER" != "" ] && set "$@" --user "$OVN_USER"
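Review bot: In the cluster branch of the new `--ssl-ciphersuites` block, a value an operator stores in the database's `SSL.ssl_ciphersuites` column is silently ignored whenever `OVN_${DB}_DB_SSL_CIPHERSUITES` is empty, so a TLSv1.3 ciphersuite restriction configured through the SSL table has no effect on clustered databases and nothing tells the operator. The XXX comment explains the upgrade constraint but does not surface it at runtime; consider emitting a warning in that branch (ovs-lib's `log_warning_msg` appears to be available to this script) and stating in ovn-ctl.8.xml that clustered databases currently honour only the `--ovn-*-db-ssl-ciphersuites` option. Minor: the comment `# XXX: The following line supposed to be here:` should read `is supposed to be here`, and the probe `ovsdb-server --help | grep -q ciphersuites` matches a bare substring where `grep -q -- --ssl-ciphersuites` would be less likely to match unrelated help text. `start_ovsdb__` continues outside the hunk.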
@@ -600,6 +623,9 @@ start_ic () {
 if test X"$OVN_IC_SSL_CIPHERS" != X; then
 set "$@" --ssl-ciphers=$OVN_IC_SSL_CIPHERS
 fi
+ if test X"$OVN_IC_SSL_CIPHERSUITES" != X; then
+ set "$@" --ssl-ciphersuites=$OVN_IC_SSL_CIPHERSUITES
+ fi
 [ "$OVN_USER" != "" ] && set "$@" --user "$OVN_USER"
@@ -634,6 +660,9 @@ start_controller () {
 if test X"$OVN_CONTROLLER_SSL_CIPHERS" != X; then
 set "$@" --ssl-ciphers=$OVN_CONTROLLER_SSL_CIPHERS
 fi
+ if test X"$OVN_CONTROLLER_SSL_CIPHERSUITES" != X; then
+ set "$@" --ssl-ciphersuites=$OVN_CONTROLLER_SSL_CIPHERSUITES
+ fi
 [ "$OVN_USER" != "" ] && set "$@" --user "$OVN_USER"
@@ -665,6 +694,9 @@ start_controller_vtep () {
 if test X"$OVN_CONTROLLER_SSL_CIPHERS" != X; then
 set "$@" --ssl-ciphers=$OVN_CONTROLLER_SSL_CIPHERS
 fi
+ if test X"$OVN_CONTROLLER_SSL_CIPHERSUITES" != X; then
+ set "$@" --ssl-ciphersuites=$OVN_CONTROLLER_SSL_CIPHERSUITES
+ fi
 if test X"$DB_SOCK" != X; then
 set "$@" --vtep-db=$DB_SOCK
 fi
@@ -874,18 +906,21 @@ set_defaults () {
 OVN_CONTROLLER_SSL_BOOTSTRAP_CA_CERT=""
 OVN_CONTROLLER_SSL_PROTOCOLS=""
 OVN_CONTROLLER_SSL_CIPHERS=""
+ OVN_CONTROLLER_SSL_CIPHERSUITES=""
 OVN_NORTHD_SSL_KEY=""
 OVN_NORTHD_SSL_CERT=""
 OVN_NORTHD_SSL_CA_CERT=""
 OVN_NORTHD_SSL_PROTOCOLS=""
 OVN_NORTHD_SSL_CIPHERS=""
+ OVN_NORTHD_SSL_CIPHERSUITES=""
 OVN_IC_SSL_KEY=""
 OVN_IC_SSL_CERT=""
 OVN_IC_SSL_CA_CERT=""
 OVN_IC_SSL_PROTOCOLS=""
 OVN_IC_SSL_CIPHERS=""
+ OVN_IC_SSL_CIPHERSUITES=""
 DB_SB_CREATE_INSECURE_REMOTE="no"
 DB_NB_CREATE_INSECURE_REMOTE="no"
@@ -944,24 +979,28 @@ set_defaults () {
 OVN_NB_DB_SSL_CA_CERT=""
 OVN_NB_DB_SSL_PROTOCOLS=""
 OVN_NB_DB_SSL_CIPHERS=""
+ OVN_NB_DB_SSL_CIPHERSUITES=""
 OVN_SB_DB_SSL_KEY=""
 OVN_SB_DB_SSL_CERT=""
 OVN_SB_DB_SSL_CA_CERT=""
 OVN_SB_DB_SSL_PROTOCOLS=""
 OVN_SB_DB_SSL_CIPHERS=""
+ OVN_SB_DB_SSL_CIPHERSUITES=""
 OVN_IC_NB_DB_SSL_KEY=""
 OVN_IC_NB_DB_SSL_CERT=""
 OVN_IC_NB_DB_SSL_CA_CERT=""
 OVN_IC_NB_DB_SSL_PROTOCOLS=""
 OVN_IC_NB_DB_SSL_CIPHERS=""
+ OVN_IC_NB_DB_SSL_CIPHERSUITES=""
 OVN_IC_SB_DB_SSL_KEY=""
 OVN_IC_SB_DB_SSL_CERT=""
 OVN_IC_SB_DB_SSL_CA_CERT=""
 OVN_IC_SB_DB_SSL_PROTOCOLS=""
 OVN_IC_SB_DB_SSL_CIPHERS=""
+ OVN_IC_SB_DB_SSL_CIPHERSUITES=""
 RELAY_MODE=no
 DB_SB_RELAY_REMOTE=
@@ -1063,21 +1102,25 @@ Options: --ovn-controller-ssl-bootstrap-ca-cert=CERT Bootstrapped OVN Southbound SSL/TLS CA certificate file --ovn-controller-ssl-protocols=PROTOCOLS OVN Southbound SSL/TLS protocols --ovn-controller-ssl-ciphers=CIPHERS OVN Southbound SSL/TLS cipher list + --ovn-controller-ssl-ciphersuites=CIPHERSUITES OVN Southbound TLSv1.3+ ciphersuite list --ovn-nb-db-ssl-key=KEY OVN Northbound DB SSL/TLS private key file --ovn-nb-db-ssl-cert=CERT OVN Northbound DB SSL/TLS certificate file --ovn-nb-db-ssl-ca-cert=CERT OVN Northbound DB SSL/TLS CA certificate file --ovn-nb-db-ssl-protocols=PROTOCOLS OVN Northbound DB SSL/TLS protocols --ovn-nb-db-ssl-ciphers=CIPHERS OVN Northbound DB SSL/TLS cipher list + --ovn-nb-db-ssl-ciphersuites=CIPHERSUITES OVN Northbound DB TLSv1.3+ ciphersuite list --ovn-sb-db-ssl-key=KEY OVN Southbound DB SSL/TLS private key file --ovn-sb-db-ssl-cert=CERT OVN Southbound DB SSL/TLS certificate file --ovn-sb-db-ssl-ca-cert=CERT OVN Southbound DB SSL/TLS CA certificate file --ovn-sb-db-ssl-protocols=PROTOCOLS OVN Southbound DB SSL/TLS protocols --ovn-sb-db-ssl-ciphers=CIPHERS OVN Southbound DB SSL/TLS cipher list + --ovn-sb-db-ssl-ciphersiutes=CIPHERSUITES OVN Southbound DB TLSv1.3+ ciphersuite list --ovn-northd-ssl-key=KEY OVN Northd SSL/TLS private key file --ovn-northd-ssl-cert=CERT OVN Northd SSL/TLS certificate file --ovn-northd-ssl-ca-cert=CERT OVN Northd SSL/TLS CA certificate file --ovn-northd-ssl-protocols=PROTOCOLS OVN Northd SSL/TLS protocols --ovn-northd-ssl-ciphers=CIPHERS OVN Northd SSL/TLS cipher list + --ovn-northd-ssl-ciphersuites=CIPHERSUITES OVN Northd TLSv1.3+ ciphersuite list --ovn-manage-ovsdb=yes|no Whether or not the OVN NB/SB databases should be automatically started and stopped along with ovn-northd. The default is "yes". If 
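Review bot: The new usage line `--ovn-sb-db-ssl-ciphersiutes=CIPHERSUITES` misspells the option name; if ovn-ctl maps `--ovn-*` options to their `OVN_*` variables by name as the other options suggest, a user copying this from `--help` would get an unknown-option error instead of a configured `OVN_SB_DB_SSL_CIPHERSUITES`. It should read `--ovn-sb-db-ssl-ciphersuites=CIPHERSUITES OVN Southbound DB TLSv1.3+ ciphersuite list`. The next hunk has a similar slip in the placeholder of `--ovn-ic-nb-db-ssl-ciphersuites=CIPHERSSUITES`, which should be `CIPHERSUITES` like its siblings.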
@@ -1097,6 +1140,7 @@ Options: --ovn-ic-ssl-ca-cert=CERT OVN IC SSL/TLS CA certificate file --ovn-ic-ssl-protocols=PROTOCOLS OVN IC SSL/TLS protocols --ovn-ic-ssl-ciphers=CIPHERS OVN IC SSL/TLS cipher list + --ovn-ic-ssl-ciphersuites=CIPHERSUITES OVN IC TLSv1.3+ ciphersuite list --ovn-ic-log=STRING ovn-ic process logging params (default: $OVN_IC_LOG) --ovn-ic-logfile=STRING ovn-ic process log file (default: $OVN_IC_LOGFILE) --ovn-ic-nb-db-ssl-key=KEY OVN IC Northbound DB SSL/TLS private key file @@ -1104,11 +1148,13 @@ Options: --ovn-ic-nb-db-ssl-ca-cert=CERT OVN IC Northbound DB SSL/TLS CA certificate file --ovn-ic-nb-db-ssl-protocols=PROTOCOLS OVN IC Northbound DB SSL/TLS protocols --ovn-ic-nb-db-ssl-ciphers=CIPHERS OVN IC Northbound DB SSL/TLS cipher list + --ovn-ic-nb-db-ssl-ciphersuites=CIPHERSSUITES OVN IC Northbound DB TLSv1.3+ ciphersuite list --ovn-ic-sb-db-ssl-key=KEY OVN IC Southbound DB SSL/TLS private key file --ovn-ic-sb-db-ssl-cert=CERT OVN IC Southbound DB SSL/TLS certificate file --ovn-ic-sb-db-ssl-ca-cert=CERT OVN IC Southbound DB SSL/TLS CA certificate file --ovn-ic-sb-db-ssl-protocols=PROTOCOLS OVN IC Southbound DB SSL/TLS protocols --ovn-ic-sb-db-ssl-ciphers=CIPHERS OVN IC Southbound DB SSL/TLS cipher list + --ovn-ic-sb-db-ssl-ciphersuites=CIPHERSUITES OVN IC Southbound DB TLSv1.3+ ciphersuite list --ovn-user="user[:group]" pass the --user flag to the ovn daemons --ovsdb-nb-wrapper=WRAPPER run with a wrapper like valgrind for debugging --ovsdb-sb-wrapper=WRAPPER run with a wrapper like valgrind for debugging diff --git a/utilities/ovn-ctl.8.xml b/utilities/ovn-ctl.8.xml index e33865f3dd..99f512043e 100644 --- a/utilities/ovn-ctl.8.xml +++ b/utilities/ovn-ctl.8.xml @@ -96,7 +96,7 @@

--ovn-controller-ssl-ca-cert=CERT

--ovn-controller-ssl-bootstrap-ca-cert=CERT

-

Protocol and Cipher options

+

Protocol, Cipher and Ciphersuite options

--ovn-controller-ssl-protocols=PROTOCOLS

--ovn-ic-ssl-protocols=PROTOCOLS

--ovn-northd-ssl-protocols=PROTOCOLS

@@ -111,6 +111,13 @@

--ovn-sb-db-ssl-ciphers=CIPHERS

--ovn-ic-nb-db-ssl-ciphers=CIPHERS

--ovn-ic-sb-db-ssl-ciphers=CIPHERS

+

--ovn-controller-ssl-ciphersuites=CIPHERSUITES

+

--ovn-ic-ssl-ciphersuites=CIPHERSUITES

+

--ovn-northd-ssl-ciphersuites=CIPHERSUITES

+

--ovn-nb-db-ssl-ciphersuites=CIPHERSUITES

+

--ovn-sb-db-ssl-ciphersuites=CIPHERSUITES

+

--ovn-ic-nb-db-ssl-ciphersuites=CIPHERSUITES

+

--ovn-ic-sb-db-ssl-ciphersuites=CIPHERSUITES

Address and port options

--db-nb-sync-from-addr=IP ADDRESS

diff --git a/utilities/ovn-dbctl.c b/utilities/ovn-dbctl.c
index 43913f322a..e9fa4da03d 100644
--- a/utilities/ovn-dbctl.c
+++ b/utilities/ovn-dbctl.c
@@ -618,6 +618,10 @@ apply_options_direct(const struct ovn_dbctl_options *dbctl_options,
 stream_ssl_set_ciphers(optarg);
 break;
+ case OPT_SSL_CIPHERSUITES:
+ stream_ssl_set_ciphersuites(optarg);
+ break;
+
 case OPT_BOOTSTRAP_CA_CERT:
 stream_ssl_set_ca_cert_file(po->arg, true);
 break;
diff --git a/utilities/ovn-ic-nbctl.8.xml b/utilities/ovn-ic-nbctl.8.xml
index 4ae841cd54..6338632940 100644
--- a/utilities/ovn-ic-nbctl.8.xml
+++ b/utilities/ovn-ic-nbctl.8.xml
@@ -117,7 +117,8 @@
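Review bot: The new `OPT_SSL_CIPHERSUITES` case passes `optarg` to `stream_ssl_set_ciphersuites`, while the neighbouring `OPT_BOOTSTRAP_CA_CERT` case reads `po->arg`, which suggests this switch is applied to already-parsed options rather than running inside a getopt loop; if so, `optarg` is getopt's global and may be NULL or hold whatever option was parsed last, so the ciphersuite restriction would be silently misapplied or the call would dereference NULL. Prefer `stream_ssl_set_ciphersuites(po->arg);`, and note that the `OPT_SSL_CIPHERS` context line above has the same `optarg` use, which looks like a pre-existing defect worth fixing alongside this one. `apply_options_direct` continues outside the hunk, so the loop shape cannot be confirmed from here.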
[--bootstrap] set-ssl private-key certificate ca-cert - [ssl-protocol-list [ssl-cipher-list]]
+ [ssl-protocol-list [ssl-cipher-list + [ssl-ciphersuites]]]
Sets the SSL/TLS configuration.
diff --git a/utilities/ovn-ic-nbctl.c b/utilities/ovn-ic-nbctl.c
index 6026ca4073..5819192fe8 100644
--- a/utilities/ovn-ic-nbctl.c
+++ b/utilities/ovn-ic-nbctl.c
@@ -346,7 +346,7 @@ Connection commands:\n\
 SSL/TLS commands:\n\
 get-ssl print the SSL/TLS configuration\n\
 del-ssl delete the SSL/TLS configuration\n\
- set-ssl PRIV-KEY CERT CA-CERT [SSL-PROTOS [SSL-CIPHERS]] \
+ set-ssl PRIV-KEY CERT CA-CERT [SSL-PROTOS [SSL-CIPHERS [SSL-CIPHERSUITES]]] \
 set the SSL/TLS configuration\n\
 \n\
 %s\
@@ -697,11 +697,14 @@ cmd_set_ssl(struct ctl_context *ctx)
 icnbrec_ssl_set_bootstrap_ca_cert(ssl, bootstrap);
- if (ctx->argc == 5) {
+ if (ctx->argc >= 5) {
 icnbrec_ssl_set_ssl_protocols(ssl, ctx->argv[4]);
- } else if (ctx->argc == 6) {
- icnbrec_ssl_set_ssl_protocols(ssl, ctx->argv[4]);
- icnbrec_ssl_set_ssl_ciphers(ssl, ctx->argv[5]);
+ if (ctx->argc >= 6) {
+ icnbrec_ssl_set_ssl_ciphers(ssl, ctx->argv[5]);
+ if (ctx->argc == 7) {
+ icnbrec_ssl_set_ssl_ciphersuites(ssl, ctx->argv[6]);
+ }
+ }
 }
 icnbrec_ic_nb_global_set_ssl(ic_nb_global, ssl);
@@ -1023,8 +1026,9 @@ static const struct ctl_command_syntax ic_nbctl_commands[] = {
 /* SSL/TLS commands. */
 {"get-ssl", 0, 0, "", pre_cmd_get_ssl, cmd_get_ssl, NULL, "", RO},
 {"del-ssl", 0, 0, "", pre_cmd_del_ssl, cmd_del_ssl, NULL, "", RW},
- {"set-ssl", 3, 5,
- "PRIVATE-KEY CERTIFICATE CA-CERT [SSL-PROTOS [SSL-CIPHERS]]",
+ {"set-ssl", 3, 6,
+ "PRIVATE-KEY CERTIFICATE CA-CERT"
+ " [SSL-PROTOS [SSL-CIPHERS [SSL-CIPHERSUITES]]]",
 pre_cmd_set_ssl, cmd_set_ssl, NULL, "--bootstrap", RW},
 {NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, RO},
diff --git a/utilities/ovn-ic-sbctl.8.xml b/utilities/ovn-ic-sbctl.8.xml
index fc2515d97b..3742b33ca7 100644
--- a/utilities/ovn-ic-sbctl.8.xml
+++ b/utilities/ovn-ic-sbctl.8.xml
@@ -91,7 +91,8 @@
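Review bot: In `cmd_set_ssl` the nested guards use `>= 5` and `>= 6` but the innermost uses `== 7`; `if (ctx->argc >= 7) {` would keep the three checks uniform, and since the command table now caps the command at 6 arguments the two forms are equivalent. The same shape appears in the ovn-ic-sbctl.c hunk further down. The widened usage line `set-ssl PRIV-KEY CERT CA-CERT [SSL-PROTOS [SSL-CIPHERS [SSL-CIPHERSUITES]]] \` is noticeably longer than its neighbours and may wrap in an 80-column terminal; splitting it across two lines as the command-table string already does would keep the `--help` output tidy. `cmd_set_ssl` starts and ends outside the hunk.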
[--bootstrap] set-ssl private-key certificate ca-cert - [ssl-protocol-list [ssl-cipher-list]]
+ [ssl-protocol-list [ssl-cipher-list + [ssl-ciphersuites]]]
Sets the SSL/TLS configuration.
diff --git a/utilities/ovn-ic-sbctl.c b/utilities/ovn-ic-sbctl.c index 0b5e0ebbf9..48d4bb9db3 100644 --- a/utilities/ovn-ic-sbctl.c +++ b/utilities/ovn-ic-sbctl.c @@ -316,7 +316,7 @@ Connection commands:\n\ SSL/TLS commands:\n\ get-ssl print the SSL/TLS configuration\n\ del-ssl delete the SSL/TLS configuration\n\ - set-ssl PRIV-KEY CERT CA-CERT [SSL-PROTOS [SSL-CIPHERS]] \ + set-ssl PRIV-KEY CERT CA-CERT [SSL-PROTOS [SSL-CIPHERS [SSL-CIPHERSUITES]]] \ set the SSL/TLS configuration\n\ \n\ %s\ @@ -726,11 +726,14 @@ cmd_set_ssl(struct ctl_context *ctx) icsbrec_ssl_set_bootstrap_ca_cert(ssl, bootstrap); - if (ctx->argc == 5) { + if (ctx->argc >= 5) { icsbrec_ssl_set_ssl_protocols(ssl, ctx->argv[4]); - } else if (ctx->argc == 6) { - icsbrec_ssl_set_ssl_protocols(ssl, ctx->argv[4]); - icsbrec_ssl_set_ssl_ciphers(ssl, ctx->argv[5]); + if (ctx->argc >= 6) { + icsbrec_ssl_set_ssl_ciphers(ssl, ctx->argv[5]); + if (ctx->argc == 7) { + icsbrec_ssl_set_ssl_ciphersuites(ssl, ctx->argv[6]); + } + } } icsbrec_ic_sb_global_set_ssl(ic_sb_global, ssl); @@ -1008,8 +1011,9 @@ static const struct ctl_command_syntax ic_sbctl_commands[] = { /* SSL/TLS commands. */ {"get-ssl", 0, 0, "", pre_cmd_get_ssl, cmd_get_ssl, NULL, "", RO}, {"del-ssl", 0, 0, "", pre_cmd_del_ssl, cmd_del_ssl, NULL, "", RW}, - {"set-ssl", 3, 5, - "PRIVATE-KEY CERTIFICATE CA-CERT [SSL-PROTOS [SSL-CIPHERS]]", + {"set-ssl", 3, 6, + "PRIVATE-KEY CERTIFICATE CA-CERT" + " [SSL-PROTOS [SSL-CIPHERS [SSL-CIPHERSUITES]]]", pre_cmd_set_ssl, cmd_set_ssl, NULL, "--bootstrap", RW}, {NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, RO}, diff --git a/utilities/ovn-nbctl.8.xml b/utilities/ovn-nbctl.8.xml index 844989152b..63cefd1191 100644 --- a/utilities/ovn-nbctl.8.xml +++ b/utilities/ovn-nbctl.8.xml @@ -1707,7 +1707,8 @@
[--bootstrap] set-ssl private-key certificate ca-cert - [ssl-protocol-list [ssl-cipher-list]]
+ [ssl-protocol-list [ssl-cipher-list + [ssl-ciphersuites]]]
Sets the SSL/TLS configuration.
diff --git a/utilities/ovn-nbctl.c b/utilities/ovn-nbctl.c index fcd661b358..f5277af7ce 100644 --- a/utilities/ovn-nbctl.c +++ b/utilities/ovn-nbctl.c @@ -459,7 +459,7 @@ Connection commands:\n\ SSL/TLS commands:\n\ get-ssl print the SSL/TLS configuration\n\ del-ssl delete the SSL/TLS configuration\n\ - set-ssl PRIV-KEY CERT CA-CERT [SSL-PROTOS [SSL-CIPHERS]] \ + set-ssl PRIV-KEY CERT CA-CERT [SSL-PROTOS [SSL-CIPHERS [SSL-CIPHERSUITES]]] \ set the SSL/TLS configuration\n\ Port group commands:\n\ pg-add PG [PORTS] Create port group PG with optional PORTS\n\ @@ -7331,11 +7331,14 @@ cmd_set_ssl(struct ctl_context *ctx) nbrec_ssl_set_bootstrap_ca_cert(ssl, bootstrap); - if (ctx->argc == 5) { - nbrec_ssl_set_ssl_protocols(ssl, ctx->argv[4]); - } else if (ctx->argc == 6) { + if (ctx->argc >= 5) { nbrec_ssl_set_ssl_protocols(ssl, ctx->argv[4]); - nbrec_ssl_set_ssl_ciphers(ssl, ctx->argv[5]); + if (ctx->argc >= 6) { + nbrec_ssl_set_ssl_ciphers(ssl, ctx->argv[5]); + if (ctx->argc == 7) { + nbrec_ssl_set_ssl_ciphersuites(ssl, ctx->argv[6]); + } + } } nbrec_nb_global_set_ssl(nb_global, ssl); @@ -8169,8 +8172,9 @@ static const struct ctl_command_syntax nbctl_commands[] = { /* SSL/TLS commands. */ {"get-ssl", 0, 0, "", pre_cmd_get_ssl, cmd_get_ssl, NULL, "", RO}, {"del-ssl", 0, 0, "", pre_cmd_del_ssl, cmd_del_ssl, NULL, "", RW}, - {"set-ssl", 3, 5, - "PRIVATE-KEY CERTIFICATE CA-CERT [SSL-PROTOS [SSL-CIPHERS]]", + {"set-ssl", 3, 6, + "PRIVATE-KEY CERTIFICATE CA-CERT" + " [SSL-PROTOS [SSL-CIPHERS [SSL-CIPHERSUITES]]]", pre_cmd_set_ssl, cmd_set_ssl, NULL, "--bootstrap", RW}, /* Port Group Commands */ diff --git a/utilities/ovn-sbctl.8.xml b/utilities/ovn-sbctl.8.xml index fe32f21c44..69ae62115a 100644 --- a/utilities/ovn-sbctl.8.xml +++ b/utilities/ovn-sbctl.8.xml @@ -500,7 +500,8 @@
[--bootstrap] set-ssl private-key certificate ca-cert - [ssl-protocol-list [ssl-cipher-list]]
+ [ssl-protocol-list [ssl-cipher-list + [ssl-ciphersuites]]]
Sets the SSL/TLS configuration.
diff --git a/utilities/ovn-sbctl.c b/utilities/ovn-sbctl.c index 83995e890e..b00b8cd04d 100644 --- a/utilities/ovn-sbctl.c +++ b/utilities/ovn-sbctl.c @@ -118,7 +118,7 @@ Connection commands:\n\ SSL/TLS commands:\n\ get-ssl print the SSL/TLS configuration\n\ del-ssl delete the SSL/TLS configuration\n\ - set-ssl PRIV-KEY CERT CA-CERT [SSL-PROTOS [SSL-CIPHERS]] \ + set-ssl PRIV-KEY CERT CA-CERT [SSL-PROTOS [SSL-CIPHERS [SSL-CIPHERSUITES]]] \ set the SSL/TLS configuration\n\ \n\ %s\ @@ -1478,11 +1478,14 @@ cmd_set_ssl(struct ctl_context *ctx) sbrec_ssl_set_bootstrap_ca_cert(ssl, bootstrap); - if (ctx->argc == 5) { + if (ctx->argc >= 5) { sbrec_ssl_set_ssl_protocols(ssl, ctx->argv[4]); - } else if (ctx->argc == 6) { - sbrec_ssl_set_ssl_protocols(ssl, ctx->argv[4]); - sbrec_ssl_set_ssl_ciphers(ssl, ctx->argv[5]); + if (ctx->argc >= 6) { + sbrec_ssl_set_ssl_ciphers(ssl, ctx->argv[5]); + if (ctx->argc == 7) { + sbrec_ssl_set_ssl_ciphersuites(ssl, ctx->argv[6]); + } + } } sbrec_sb_global_set_ssl(sb_global, ssl); @@ -1590,8 +1593,9 @@ static const struct ctl_command_syntax sbctl_commands[] = { /* SSL/TLS commands. */ {"get-ssl", 0, 0, "", pre_cmd_get_ssl, cmd_get_ssl, NULL, "", RO}, {"del-ssl", 0, 0, "", pre_cmd_del_ssl, cmd_del_ssl, NULL, "", RW}, - {"set-ssl", 3, 5, - "PRIVATE-KEY CERTIFICATE CA-CERT [SSL-PROTOS [SSL-CIPHERS]]", + {"set-ssl", 3, 6, + "PRIVATE-KEY CERTIFICATE CA-CERT" + " [SSL-PROTOS [SSL-CIPHERS [SSL-CIPHERSUITES]]]", pre_cmd_set_ssl, cmd_set_ssl, NULL, "--bootstrap", RW}, {NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, RO}, diff --git a/utilities/ovn-sim.in b/utilities/ovn-sim.in index c87e075e52..96cee608cd 100755 --- a/utilities/ovn-sim.in +++ b/utilities/ovn-sim.in 
@@ -72,6 +72,7 @@ ovn_start_db() { --ca-cert=db:$schema_name,SSL,ca_cert \ --ssl-protocols=db:$schema_name,SSL,ssl_protocols \ --ssl-ciphers=db:$schema_name,SSL,ssl_ciphers \ + --ssl-ciphersuites=db:$schema_name,SSL,ssl_ciphersuites \ --unixctl=${db} --remote=punix:$db.ovsdb \ "$sim_base"/$db$i/$db.db "$@" }
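Review bot: The added `--ssl-ciphersuites=db:$schema_name,SSL,ssl_ciphersuites \` line is unconditional, so ovn_start_db() now requires an ovsdb-server that understands this option; an older one would presumably reject the unknown flag and fail to start rather than silently ignore the column. For a TLS setting that is the safe failure direction, and for a simulation helper it is likely acceptable, but a short comment on the line noting the minimum OVS version it assumes would make the dependency visible to someone running ovn-sim against an older build.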