treewide: Update OVS submodule to modernize SSL/TLS support.
This brings a whole pack of changes from OVS:

  * Dropped support for OpenSSL 1.1.0 and older.

    OpenSSL 1.1.0 reached EoL 5 years ago on 11 Sep 2019.  The vast
    majority of distributions moved to newer versions a long time ago.

    OpenSSL 1.1.1 introduced a lot of new APIs and deprecated a lot of
    old ones.  It also introduced support for TLSv1.3 with a pack of
    APIs specific to that version.

    Requiring OpenSSL 1.1.1 or newer allowed OVS to introduce support
    for TLSv1.3 without a ton of conditional compiling, as well as
    using a more secure and more easily adjustable default cipher list.

    The Python community did an exceptional investigation on the
    benefits of dropping support for OpenSSL 1.1.0 when they did the
    same in 2021:
      https://peps.python.org/pep-0644/

  * TLSv1 and TLSv1.1 are deprecated.  They will be removed from
    OVS 3.6, so marking as deprecated in OVN as well.

    TLSv1 and TLSv1.1 are officially deprecated by RFC 8996 since
    March of 2021:  https://datatracker.ietf.org/doc/rfc8996/

    Both protocols should not generally be used (RFC says MUST NOT)
    and are being actively removed from support by major distributions
    and libraries.

    Before this change, OVS/OVN would use TLSv1 or later, if the
    protocols are not specified in the database or command line (this
    includes TLSv1.3 that is not supported explicitly).  After the
    change, this becomes TLSv1.2 or later.

  * Added explicit support for TLSv1.3 and TLSv1.3+ ciphersuites.

  * Added support for ranges in ssl-protocols.

  * Defaults for ssl-ciphers with TLSv1.2 and earlier changed to
    'DEFAULT:@SECLEVEL=2' to get at least 112 bits of security
    strength and allow distributions to more easily control default
    set of ciphers to use by re-configuring OpenSSL.

There is one problem with setting database column ssl_ciphersuites
to be enabled for ovsdb-server in ovn-ctl script.  During upgrade,
if the old schema doesn't have this column, ovsdb-server will refuse
to start.  So, we can't turn this option on for clustered databases
by default.  We should be able to do so after next LTS release.
This should not be a big problem, since there should not be a high
demand for changing default ciphersuites (TLSv1.3 is relatively new
and all current ciphersuites are secure).  We could add an extra knob
to force enabling the option, but I'm not sure if that is necessary.
Users can ask for specific ciphersuites with a cmdline option instead
when necessary.
For standalone databases, schema upgrade is happening before starting
the ovsdb-server, so it's safe to turn the database option on.

The submodule is moved to point at OVS main, but the intention is to
move it to branch-3.5 as soon as it is available.

There are some line length warnings in ovn-ctl help strings, but those
need larger refactoring of all the surroundings if we want to make them
fit.

Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
Acked-by: Mark Michelson <mmichels@redhat.com>
Signed-off-by: Numan Siddique <numans@ovn.org>
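The ssl_protocols semantics this commit introduces (comma- or space-delimited lists, the dash and plus range forms, a list behaving as the range between its lowest and highest entry, and the new TLSv1.2+ default) together with the split between ssl_ciphers for TLSv1.2-and-earlier and the TLSv1.3 ciphersuites, as an added Python example that is not OVN or OVS code. parse_ssl_protocols, deprecated_protocols, build_context, context_span and cipher_protocols are names chosen for this illustration; that a reversed range such as TLSv1.2-TLSv1 is accepted is an assumption, and Python's ssl module stands in for the OVS stream-ssl layer to show that an OpenSSL cipher string such as DEFAULT:@SECLEVEL=2 leaves the TLSv1.3 ciphersuites untouched.

```python
"""Normalize an OVN ssl_protocols value and apply it, together with an
OpenSSL cipher string, to a Python SSLContext.

Added example for illustration only; this is not OVN or OVS code.  It
follows the semantics the updated column documentation gives: the value is
a comma- or space-delimited list of protocol names or exactly one range,
and a list behaves as the range from its lowest to its highest entry.
Accepting a reversed range ("TLSv1.2-TLSv1") is an assumption made here.
"""
import re
import ssl

# Oldest to newest; the list position is the version's rank.
PROTOCOLS = ["TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
DEPRECATED = {"TLSv1", "TLSv1.1"}          # deprecated by RFC 8996
DEFAULT_PROTOCOLS = "TLSv1.2+"             # documented default after this change
DEFAULT_CIPHERS = "DEFAULT:@SECLEVEL=2"    # documented ssl_ciphers default

_TLS_VERSION = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
_NAME_OF_VERSION = {v: k for k, v in _TLS_VERSION.items()}


def _rank(name):
    """Position of a protocol name in PROTOCOLS; unknown names are rejected."""
    if name not in PROTOCOLS:
        raise ValueError(f"unknown SSL/TLS protocol {name!r}")
    return PROTOCOLS.index(name)


def parse_ssl_protocols(value):
    """Return (lowest, highest) protocol names enabled by an ssl_protocols value.

    An empty value means the documented default, TLSv1.2+.
    """
    value = value.strip()
    tokens = re.split(r"[,\s]+", value) if value else [DEFAULT_PROTOCOLS]
    ranges = [t for t in tokens if t.endswith("+") or "-" in t]
    if ranges and len(tokens) > 1:
        raise ValueError("a range must be the only element of ssl_protocols")
    if ranges:
        token = tokens[0]
        if token.endswith("+"):                     # "TLSv1.2+"
            lo, hi = _rank(token[:-1]), len(PROTOCOLS) - 1
        else:                                       # "TLSv1-TLSv1.2"
            first, second = token.split("-", 1)
            lo, hi = sorted((_rank(first), _rank(second)))
    else:                                           # plain list, any order;
        ranks = [_rank(t) for t in tokens]          # gaps between entries
        lo, hi = min(ranks), max(ranks)             # are filled in
    return PROTOCOLS[lo], PROTOCOLS[hi]


def is_valid_ssl_protocols(value):
    """True when parse_ssl_protocols() accepts the value."""
    try:
        parse_ssl_protocols(value)
        return True
    except ValueError:
        return False


def deprecated_protocols(lo, hi):
    """Deprecated protocols that a span from lo to hi would enable."""
    return [p for p in PROTOCOLS[_rank(lo):_rank(hi) + 1] if p in DEPRECATED]


def build_context(ssl_protocols="", ssl_ciphers=""):
    """Client SSLContext with the parsed version span and cipher string applied.

    set_ciphers() is the Python face of SSL_CTX_set_cipher_list(), which is
    what ssl_ciphers feeds; it governs TLSv1.2 and earlier only, so the
    TLSv1.3 ciphersuites (the separate ssl_ciphersuites setting) stay as
    OpenSSL's defaults.
    """
    lo, hi = parse_ssl_protocols(ssl_protocols)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = _TLS_VERSION[lo]
    ctx.maximum_version = _TLS_VERSION[hi]
    ctx.set_ciphers(ssl_ciphers or DEFAULT_CIPHERS)
    return ctx


def context_span(ctx):
    """(lowest, highest) protocol names a context from build_context() allows."""
    return (_NAME_OF_VERSION[ctx.minimum_version],
            _NAME_OF_VERSION[ctx.maximum_version])


def cipher_protocols(ctx):
    """Protocol labels OpenSSL reports for the ciphers left in the context."""
    return {c["protocol"] for c in ctx.get_ciphers()}


if __name__ == "__main__":
    for value in ("", "TLSv1.2+", "TLSv1-TLSv1.2", "TLSv1.1,TLSv1.3"):
        lo, hi = parse_ssl_protocols(value)
        print(f"{value or '<default>':>16} -> {lo}..{hi}"
              f"  deprecated={deprecated_protocols(lo, hi)}")
    ctx = build_context("TLSv1.2+", DEFAULT_CIPHERS)
    print("negotiable span:", context_span(ctx))
    print("cipher protocols:", sorted(cipher_protocols(ctx)))
```

Running it prints the normalized span for each form and, for the new default pairing, shows both TLSv1.2 and TLSv1.3 entries in the context's cipher list even though the cipher string carries the @SECLEVEL=2 qualifier: in OpenSSL 1.1.1 and later the TLSv1.3 suites are configured through SSL_CTX_set_ciphersuites(), which is why OVS exposes them as the separate ssl_ciphersuites setting rather than through ssl_ciphers.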
igsilya authored and numansiddique committed Jan 3, 2025
1 parent 7c1102b commit dbdd8ea
Showing 29 changed files with 325 additions and 92 deletions.
15 changes: 15 additions & 0 deletions NEWS
@@ -13,6 +13,21 @@ Post v24.09.0
- ovn-nb: Changed schema of ovn-nb to make networks optional within Logical
Router Ports.
- Bump python version required for building OVN to 3.7.
- SSL/TLS:
* TLSv1 and TLSv1.1 protocols are deprecated and disabled by default
on OpenFlow and database connections. Use --ssl-protocols to turn
them back on. Support will be fully removed in the next release.
* OpenSSL 1.1.1 or newer is now required for SSL/TLS support.
* The protocol list in --ssl-protocols or corresponding database column
now supports specifying simple protocol ranges like:
- "TLSv1-TLSv1.2" to enable all protocols between TLSv1 and TLSv1.2.
- "TLSv1.2+" to enable protocol TLSv1.2 and later.
The value must be a list of protocols or exactly one protocol range.
* Added explicit support for TLSv1.3. It can now be enabled via
--ssl-protocols (TLSv1.3 was supported in earlier versions only when
this option was not set). TLS ciphersuites for TLSv1.3 and later can
be configured via --ssl-ciphersuites (--ssl-ciphers only applies to
TLSv1.2 and earlier).

OVN v24.09.0 - 13 Sep 2024
--------------------------
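Review bot: the SSL/TLS entry omits the change to the --ssl-ciphers default, which the ovn-*.xml updates in this same commit move from HIGH:!aNULL:!MD5 to DEFAULT:@SECLEVEL=2; that raises the minimum security level for TLSv1.2-and-earlier ciphers and can stop a peer that only offers weaker ciphers from connecting, so it deserves a bullet such as "Default --ssl-ciphers changed to DEFAULT:@SECLEVEL=2 (at least 112 bits of security strength)." The first bullet also only says "Use --ssl-protocols to turn them back on"; the ssl_protocols column of the SSL table is the equivalent for database-driven configuration and is worth naming alongside the command-line option.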
3 changes: 3 additions & 0 deletions TODO.rst
@@ -133,3 +133,6 @@ OVN To-do List

* Remove flows with `check_pkt_larger` when userspace datapath can handle
PMTUD. (https://issues.redhat.com/browse/FDP-256)

* Remove ssl_ciphersuites workaround for clustered databases from ovn-ctl
after 26.03 release, assuming it will be an LTS release.
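Review bot: the new item says what to remove but not why the workaround exists; one clause recording the constraint (ovsdb-server refuses to start when told to use ssl_ciphersuites against a clustered database whose stored schema predates the column, so the option can only be enabled once every supported upgrade path starts from a schema that has it) lets whoever picks this up after 26.03 verify the precondition rather than just delete the workaround.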
4 changes: 4 additions & 0 deletions controller/ovn-controller.c
@@ -6131,6 +6131,10 @@ parse_options(int argc, char *argv[])
stream_ssl_set_ciphers(optarg);
break;

case OPT_SSL_CIPHERSUITES:
stream_ssl_set_ciphersuites(optarg);
break;

case OPT_PEER_CA_CERT:
stream_ssl_set_peer_ca_cert_file(optarg);
break;
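Review bot: the four-line addition is only the switch case; nothing in this file's diff defines OPT_SSL_CIPHERSUITES or registers a --ssl-ciphersuites long option, so both must arrive through the updated OVS submodule's option macros. Please confirm that the usage() text in this file also lists --ssl-ciphersuites (no help-text change is visible here); otherwise the option is accepted but invisible to anyone reading ovn-controller --help.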
4 changes: 4 additions & 0 deletions ic/ovn-ic.c
@@ -1984,6 +1984,10 @@ parse_options(int argc OVS_UNUSED, char *argv[] OVS_UNUSED)
stream_ssl_set_ciphers(optarg);
break;

case OPT_SSL_CIPHERSUITES:
stream_ssl_set_ciphersuites(optarg);
break;

case 'd':
ovnsb_db = optarg;
break;
4 changes: 4 additions & 0 deletions northd/ovn-northd.c
@@ -660,6 +660,10 @@ parse_options(int argc OVS_UNUSED, char *argv[] OVS_UNUSED,
stream_ssl_set_ciphers(optarg);
break;

case OPT_SSL_CIPHERSUITES:
stream_ssl_set_ciphersuites(optarg);
break;

case 'd':
ovnsb_db = optarg;
break;
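Review bot: this is the third copy of the same three-line case (ovn-controller.c and ovn-ic.c carry identical ones). If the submodule's stream-ssl.h still provides a STREAM_SSL_CASES macro covering all of the SSL options, switching the three parse_options() functions to it would keep them from drifting the next time OVS adds an option; if it does not, a small shared helper in OVN would serve the same purpose.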
5 changes: 3 additions & 2 deletions ovn-ic-nb.ovsschema
@@ -1,7 +1,7 @@
{
"name": "OVN_IC_Northbound",
"version": "1.1.0",
"cksum": "3964083684 3501",
"version": "1.2.0",
"cksum": "4176728051 3557",
"tables": {
"IC_NB_Global": {
"columns": {
@@ -68,6 +68,7 @@
"bootstrap_ca_cert": {"type": "boolean"},
"ssl_protocols": {"type": "string"},
"ssl_ciphers": {"type": "string"},
"ssl_ciphersuites": {"type": "string"},
"external_ids": {"type": {"key": "string",
"value": "string",
"min": 0,
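Review bot: the minor version bump (1.1.0 to 1.2.0, matched by the other three schemas in this commit) is the right increment for an additive column, and typing ssl_ciphersuites as a plain "string" mirrors ssl_ciphers, so the database stores the OpenSSL ciphersuites string unvalidated and only the daemon that applies it can reject a bad value. Because the column is new, an ovsdb-server told to read ssl_ciphersuites from a database still on the old schema will refuse to start, which is exactly the clustered-database upgrade hazard the commit message describes; the ovn-ctl help for that knob should say so, so operators upgrading clusters know why it stays off.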
35 changes: 30 additions & 5 deletions ovn-ic-nb.xml
@@ -145,15 +145,40 @@
</column>

<column name="ssl_protocols">
List of SSL/TLS protocols to be enabled for SSL/TLS connections. The
default when this option is omitted is
<code>TLSv1,TLSv1.1,TLSv1.2</code>.
<p>
Range or a comma- or space-delimited list of the SSL/TLS protocols to
enable for SSL/TLS connections.
</p>
<p>
Supported protocols include <code>TLSv1</code> (deprecated),
<code>TLSv1.1</code> (deprecated), <code>TLSv1.2</code> and
<code>TLSv1.3</code>. Ranges can be provided in a form of two protocol
names separated with a dash (<code>TLSv1.1-TLSv1.2</code>), or as a
single protocol name with a plus sign (<code>TLSv1.2+</code>). The
value can be a list of protocols or exactly one range. The range is a
preferred way of specifying protocols and the configuration always
behaves as if the range between the minimum and the maximum specified
version is provided, i.e., if the value is set to
<code>TLSv1.1,TLSv1.3</code>, the <code>TLSv1.2</code> will also be
enabled as if it was a range.
Regardless of order, the highest protocol supported by both sides will
be chosen when making the connection.
</p>
<p>
The default when this option is omitted is <code>TLSv1.2+</code>.
</p>
</column>

<column name="ssl_ciphers">
List of ciphers (in OpenSSL cipher string format) to be supported
for SSL/TLS connections. The default when this option is omitted is
<code>HIGH:!aNULL:!MD5</code>.
for SSL/TLS connections with TLSv1.2 and earlier. The default when this
option is omitted is <code>DEFAULT:@SECLEVEL=2</code>.
</column>

<column name="ssl_ciphersuites">
List of ciphersuites (in OpenSSL ciphersuites string format) to be
supported for SSL/TLS connections with TLSv1.3 and later. Default value
from OpenSSL will be used when this option is omitted.
</column>

<group title="Common Columns">
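Review bot: the ssl_protocols text is duplicated word for word into ovn-ic-sb.xml, ovn-nb.xml and ovn-sb.xml, so any wording fix must land in all four: "in a form of two protocol names" should read "in the form of two protocol names", "as if it was a range" should read "as if it were a range", and "the TLSv1.2 will also be enabled" should drop the article. The ssl_ciphers paragraph would also benefit from one sentence noting that the @SECLEVEL qualifier, although set through the cipher string, sets OpenSSL's security level for the whole connection and therefore also constrains certificate key sizes and signature algorithms; at level 2 a peer presenting a 1024-bit RSA certificate fails verification even though no cipher was excluded.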
5 changes: 3 additions & 2 deletions ovn-ic-sb.ovsschema
@@ -1,7 +1,7 @@
{
"name": "OVN_IC_Southbound",
"version": "1.2.0",
"cksum": "1381014956 7032",
"version": "1.3.0",
"cksum": "3496599919 7088",
"tables": {
"IC_SB_Global": {
"columns": {
@@ -139,6 +139,7 @@
"bootstrap_ca_cert": {"type": "boolean"},
"ssl_protocols": {"type": "string"},
"ssl_ciphers": {"type": "string"},
"ssl_ciphersuites": {"type": "string"},
"external_ids": {"type": {"key": "string",
"value": "string",
"min": 0,
35 changes: 30 additions & 5 deletions ovn-ic-sb.xml
@@ -646,15 +646,40 @@
</column>

<column name="ssl_protocols">
List of SSL/TLS protocols to be enabled for SSL/TLS connections. The
default when this option is omitted is
<code>TLSv1,TLSv1.1,TLSv1.2</code>.
<p>
Range or a comma- or space-delimited list of the SSL/TLS protocols to
enable for SSL/TLS connections.
</p>
<p>
Supported protocols include <code>TLSv1</code> (deprecated),
<code>TLSv1.1</code> (deprecated), <code>TLSv1.2</code> and
<code>TLSv1.3</code>. Ranges can be provided in a form of two protocol
names separated with a dash (<code>TLSv1.1-TLSv1.2</code>), or as a
single protocol name with a plus sign (<code>TLSv1.2+</code>). The
value can be a list of protocols or exactly one range. The range is a
preferred way of specifying protocols and the configuration always
behaves as if the range between the minimum and the maximum specified
version is provided, i.e., if the value is set to
<code>TLSv1.1,TLSv1.3</code>, the <code>TLSv1.2</code> will also be
enabled as if it was a range.
Regardless of order, the highest protocol supported by both sides will
be chosen when making the connection.
</p>
<p>
The default when this option is omitted is <code>TLSv1.2+</code>.
</p>
</column>

<column name="ssl_ciphers">
List of ciphers (in OpenSSL cipher string format) to be supported
for SSL/TLS connections. The default when this option is omitted is
<code>HIGH:!aNULL:!MD5</code>.
for SSL/TLS connections with TLSv1.2 and earlier. The default when this
option is omitted is <code>DEFAULT:@SECLEVEL=2</code>.
</column>

<column name="ssl_ciphersuites">
List of ciphersuites (in OpenSSL ciphersuites string format) to be
supported for SSL/TLS connections with TLSv1.3 and later. Default value
from OpenSSL will be used when this option is omitted.
</column>

<group title="Common Columns">
5 changes: 3 additions & 2 deletions ovn-nb.ovsschema
@@ -1,7 +1,7 @@
{
"name": "OVN_Northbound",
"version": "7.8.0",
"cksum": "3497747919 38626",
"version": "7.9.0",
"cksum": "2414335430 38682",
"tables": {
"NB_Global": {
"columns": {
@@ -653,6 +653,7 @@
"bootstrap_ca_cert": {"type": "boolean"},
"ssl_protocols": {"type": "string"},
"ssl_ciphers": {"type": "string"},
"ssl_ciphersuites": {"type": "string"},
"external_ids": {"type": {"key": "string",
"value": "string",
"min": 0,
35 changes: 30 additions & 5 deletions ovn-nb.xml
@@ -5037,15 +5037,40 @@ or
</column>

<column name="ssl_protocols">
List of SSL/TLS protocols to be enabled for SSL/TLS connections. The
default when this option is omitted is
<code>TLSv1,TLSv1.1,TLSv1.2</code>.
<p>
Range or a comma- or space-delimited list of the SSL/TLS protocols to
enable for SSL/TLS connections.
</p>
<p>
Supported protocols include <code>TLSv1</code> (deprecated),
<code>TLSv1.1</code> (deprecated), <code>TLSv1.2</code> and
<code>TLSv1.3</code>. Ranges can be provided in a form of two protocol
names separated with a dash (<code>TLSv1.1-TLSv1.2</code>), or as a
single protocol name with a plus sign (<code>TLSv1.2+</code>). The
value can be a list of protocols or exactly one range. The range is a
preferred way of specifying protocols and the configuration always
behaves as if the range between the minimum and the maximum specified
version is provided, i.e., if the value is set to
<code>TLSv1.1,TLSv1.3</code>, the <code>TLSv1.2</code> will also be
enabled as if it was a range.
Regardless of order, the highest protocol supported by both sides will
be chosen when making the connection.
</p>
<p>
The default when this option is omitted is <code>TLSv1.2+</code>.
</p>
</column>

<column name="ssl_ciphers">
List of ciphers (in OpenSSL cipher string format) to be supported
for SSL/TLS connections. The default when this option is omitted is
<code>HIGH:!aNULL:!MD5</code>.
for SSL/TLS connections with TLSv1.2 and earlier. The default when this
option is omitted is <code>DEFAULT:@SECLEVEL=2</code>.
</column>

<column name="ssl_ciphersuites">
List of ciphersuites (in OpenSSL ciphersuites string format) to be
supported for SSL/TLS connections with TLSv1.3 and later. Default value
from OpenSSL will be used when this option is omitted.
</column>

<group title="Common Columns">
5 changes: 3 additions & 2 deletions ovn-sb.ovsschema
@@ -1,7 +1,7 @@
{
"name": "OVN_Southbound",
"version": "20.38.0",
"cksum": "3113335473 33491",
"version": "20.39.0",
"cksum": "6416280 33547",
"tables": {
"SB_Global": {
"columns": {
@@ -350,6 +350,7 @@
"bootstrap_ca_cert": {"type": "boolean"},
"ssl_protocols": {"type": "string"},
"ssl_ciphers": {"type": "string"},
"ssl_ciphersuites": {"type": "string"},
"external_ids": {"type": {"key": "string",
"value": "string",
"min": 0,
35 changes: 30 additions & 5 deletions ovn-sb.xml
@@ -4586,15 +4586,40 @@ tcp.flags = RST;
</column>

<column name="ssl_protocols">
List of SSL/TLS protocols to be enabled for SSL/TLS connections. The
default when this option is omitted is
<code>TLSv1,TLSv1.1,TLSv1.2</code>.
<p>
Range or a comma- or space-delimited list of the SSL/TLS protocols to
enable for SSL/TLS connections.
</p>
<p>
Supported protocols include <code>TLSv1</code> (deprecated),
<code>TLSv1.1</code> (deprecated), <code>TLSv1.2</code> and
<code>TLSv1.3</code>. Ranges can be provided in a form of two protocol
names separated with a dash (<code>TLSv1.1-TLSv1.2</code>), or as a
single protocol name with a plus sign (<code>TLSv1.2+</code>). The
value can be a list of protocols or exactly one range. The range is a
preferred way of specifying protocols and the configuration always
behaves as if the range between the minimum and the maximum specified
version is provided, i.e., if the value is set to
<code>TLSv1.1,TLSv1.3</code>, the <code>TLSv1.2</code> will also be
enabled as if it was a range.
Regardless of order, the highest protocol supported by both sides will
be chosen when making the connection.
</p>
<p>
The default when this option is omitted is <code>TLSv1.2+</code>.
</p>
</column>

<column name="ssl_ciphers">
List of ciphers (in OpenSSL cipher string format) to be supported
for SSL/TLS connections. The default when this option is omitted is
<code>HIGH:!aNULL:!MD5</code>.
for SSL/TLS connections with TLSv1.2 and earlier. The default when this
option is omitted is <code>DEFAULT:@SECLEVEL=2</code>.
</column>

<column name="ssl_ciphersuites">
List of ciphersuites (in OpenSSL ciphersuites string format) to be
supported for SSL/TLS connections with TLSv1.3 and later. Default value
from OpenSSL will be used when this option is omitted.
</column>

<group title="Common Columns">
2 changes: 1 addition & 1 deletion ovs
Submodule ovs updated 173 files
2 changes: 1 addition & 1 deletion tests/ovn-controller.at
@@ -2833,7 +2833,7 @@ ovn_attach n1 br-phys 192.168.0.20

# Set cipher and and it should connect
OVS_APP_EXIT_AND_WAIT([ovn-controller])
start_daemon ovn-controller --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2'
start_daemon ovn-controller --ssl-ciphers='DEFAULT@SECLEVEL=2' --ssl-protocols='TLSv1.2'

OVS_WAIT_FOR_OUTPUT([ovn-appctl -t ovn-controller connection-status], [0], [connected
])
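Review bot: the new --ssl-ciphers value 'DEFAULT@SECLEVEL=2' has no ':' before '@SECLEVEL', whereas every documentation change in this commit spells the default 'DEFAULT:@SECLEVEL=2'. If OpenSSL's cipher-string parser happens to accept the colon-less form, the test passes without ever exercising the documented syntax; use 'DEFAULT:@SECLEVEL=2' here (or start the daemon a second time with the documented form) so the test and the docs agree. The unchanged comment "Set cipher and and it should connect" also carries a doubled "and" that could be fixed while this line is being touched.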