Message ID | 20180806223944.4630-1-blp@ovn.org |
---|---|
State | Accepted |
Series | [ovs-dev,v2] stream-ssl: Define SSL_OP_NO_SSL_MASK for OpenSSL versions that lack it. |
On Mon, Aug 6, 2018 at 12:39 PM, Ben Pfaff <blp@ovn.org> wrote: > > 10 of the travis builds are failing such as > TESTSUITE=1 KERNEL=3.16.54 for gcc and clang. > > Fixes: ab16d2c2871b ("stream-ssl: Don't enable new TLS versions by default") > CC: Timothy Redaelli <tredaelli@redhat.com> > Signed-off-by: Darrell Ball <dlu998@gmail.com> > Signed-off-by: Ben Pfaff <blp@ovn.org> > --- > v1->v2: Add SSL_OP_NO_SSLv2 (thanks Han!). > > lib/stream-ssl.c | 6 ++++++ > 1 file changed, 6 insertions(+) > > diff --git a/lib/stream-ssl.c b/lib/stream-ssl.c > index f3d623c035f8..fed71801b823 100644 > --- a/lib/stream-ssl.c > +++ b/lib/stream-ssl.c > @@ -1188,6 +1188,12 @@ stream_ssl_set_protocols(const char *arg) > } > > /* Start with all the flags off and turn them on as requested. */ > +#ifndef SSL_OP_NO_SSL_MASK > + /* For old OpenSSL without this macro, this is the correct value. */ > +#define SSL_OP_NO_SSL_MASK (SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | \ > + SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | \ > + SSL_OP_NO_TLSv1_2) > +#endif > long protocol_flags = SSL_OP_NO_SSL_MASK; > > char *s = xstrdup(arg); > -- > 2.16.1 > > _______________________________________________ > dev mailing list > dev@openvswitch.org > https://mail.openvswitch.org/mailman/listinfo/ovs-dev Acked-by: Han Zhou <hzhou8@ebay.com>
On Mon, Aug 06, 2018 at 12:47:39PM -1000, Han Zhou wrote: > On Mon, Aug 6, 2018 at 12:39 PM, Ben Pfaff <blp@ovn.org> wrote: > > > > 10 of the travis builds are failing such as > > TESTSUITE=1 KERNEL=3.16.54 for gcc and clang. > > > > Fixes: ab16d2c2871b ("stream-ssl: Don't enable new TLS versions by > default") > > CC: Timothy Redaelli <tredaelli@redhat.com> > > Signed-off-by: Darrell Ball <dlu998@gmail.com> > > Signed-off-by: Ben Pfaff <blp@ovn.org> > > --- > > v1->v2: Add SSL_OP_NO_SSLv2 (thanks Han!). > > > > lib/stream-ssl.c | 6 ++++++ > > 1 file changed, 6 insertions(+) > > > > diff --git a/lib/stream-ssl.c b/lib/stream-ssl.c > > index f3d623c035f8..fed71801b823 100644 > > --- a/lib/stream-ssl.c > > +++ b/lib/stream-ssl.c > > @@ -1188,6 +1188,12 @@ stream_ssl_set_protocols(const char *arg) > > } > > > > /* Start with all the flags off and turn them on as requested. */ > > +#ifndef SSL_OP_NO_SSL_MASK > > + /* For old OpenSSL without this macro, this is the correct value. */ > > +#define SSL_OP_NO_SSL_MASK (SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | \ > > + SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | \ > > + SSL_OP_NO_TLSv1_2) > > +#endif > > long protocol_flags = SSL_OP_NO_SSL_MASK; > > > > char *s = xstrdup(arg); > > -- > > 2.16.1 > > > > _______________________________________________ > > dev mailing list > > dev@openvswitch.org > > https://mail.openvswitch.org/mailman/listinfo/ovs-dev > > Acked-by: Han Zhou <hzhou8@ebay.com> Thanks. Darrell, does this make sense to you?
On Mon, Aug 6, 2018 at 3:53 PM, Ben Pfaff <blp@ovn.org> wrote: > On Mon, Aug 06, 2018 at 12:47:39PM -1000, Han Zhou wrote: > > On Mon, Aug 6, 2018 at 12:39 PM, Ben Pfaff <blp@ovn.org> wrote: > > > > > > 10 of the travis builds are failing such as > > > TESTSUITE=1 KERNEL=3.16.54 for gcc and clang. > > > > > > Fixes: ab16d2c2871b ("stream-ssl: Don't enable new TLS versions by > > default") > > > CC: Timothy Redaelli <tredaelli@redhat.com> > > > Signed-off-by: Darrell Ball <dlu998@gmail.com> > > > Signed-off-by: Ben Pfaff <blp@ovn.org> > > > --- > > > v1->v2: Add SSL_OP_NO_SSLv2 (thanks Han!). > > > > > > lib/stream-ssl.c | 6 ++++++ > > > 1 file changed, 6 insertions(+) > > > > > > diff --git a/lib/stream-ssl.c b/lib/stream-ssl.c > > > index f3d623c035f8..fed71801b823 100644 > > > --- a/lib/stream-ssl.c > > > +++ b/lib/stream-ssl.c > > > @@ -1188,6 +1188,12 @@ stream_ssl_set_protocols(const char *arg) > > > } > > > > > > /* Start with all the flags off and turn them on as requested. */ > > > +#ifndef SSL_OP_NO_SSL_MASK > > > + /* For old OpenSSL without this macro, this is the correct > value. */ > > > +#define SSL_OP_NO_SSL_MASK (SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | \ > > > + SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | \ > > > + SSL_OP_NO_TLSv1_2) > > > +#endif > > > long protocol_flags = SSL_OP_NO_SSL_MASK; > > > > > > char *s = xstrdup(arg); > > > -- > > > 2.16.1 > > > > > > _______________________________________________ > > > dev mailing list > > > dev@openvswitch.org > > > https://mail.openvswitch.org/mailman/listinfo/ovs-dev > > > > Acked-by: Han Zhou <hzhou8@ebay.com> > > Thanks. > > Darrell, does this make sense to you? > It looks fine and works locally; assuming you checked Travis (which I expect should be fixed) Acked-by: Darrell Ball <dlu998@gmail.com>
On Mon, Aug 06, 2018 at 04:07:03PM -0700, Darrell Ball wrote: > On Mon, Aug 6, 2018 at 3:53 PM, Ben Pfaff <blp@ovn.org> wrote: > > > On Mon, Aug 06, 2018 at 12:47:39PM -1000, Han Zhou wrote: > > > On Mon, Aug 6, 2018 at 12:39 PM, Ben Pfaff <blp@ovn.org> wrote: > > > > > > > > 10 of the travis builds are failing such as > > > > TESTSUITE=1 KERNEL=3.16.54 for gcc and clang. > > > > > > > > Fixes: ab16d2c2871b ("stream-ssl: Don't enable new TLS versions by > > > default") > > > > CC: Timothy Redaelli <tredaelli@redhat.com> > > > > Signed-off-by: Darrell Ball <dlu998@gmail.com> > > > > Signed-off-by: Ben Pfaff <blp@ovn.org> > > > > --- > > > > v1->v2: Add SSL_OP_NO_SSLv2 (thanks Han!). > > > > > > > > lib/stream-ssl.c | 6 ++++++ > > > > 1 file changed, 6 insertions(+) > > > > > > > > diff --git a/lib/stream-ssl.c b/lib/stream-ssl.c > > > > index f3d623c035f8..fed71801b823 100644 > > > > --- a/lib/stream-ssl.c > > > > +++ b/lib/stream-ssl.c 
> > > > @@ -1188,6 +1188,12 @@ stream_ssl_set_protocols(const char *arg) > > > > } > > > > > > > > /* Start with all the flags off and turn them on as requested. */ > > > > +#ifndef SSL_OP_NO_SSL_MASK > > > > + /* For old OpenSSL without this macro, this is the correct > > value. */ > > > > +#define SSL_OP_NO_SSL_MASK (SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | \ > > > > + SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | \ > > > > + SSL_OP_NO_TLSv1_2) > > > > +#endif > > > > long protocol_flags = SSL_OP_NO_SSL_MASK; > > > > > > > > char *s = xstrdup(arg); > > > > -- > > > > 2.16.1 > > > > > > > > _______________________________________________ > > > > dev mailing list > > > > dev@openvswitch.org > > > > https://mail.openvswitch.org/mailman/listinfo/ovs-dev > > > > > > Acked-by: Han Zhou <hzhou8@ebay.com> > > > > Thanks. > > > > Darrell, does this make sense to you? > > > > > It looks fine and works locally; assuming you checked Travis (which I > expect should be fixed) > Acked-by: Darrell Ball <dlu998@gmail.com> Thanks, applied to all affected branches.
On Mon, 6 Aug 2018 15:39:44 -0700 Ben Pfaff <blp@ovn.org> wrote: > 10 of the travis builds are failing such as > TESTSUITE=1 KERNEL=3.16.54 for gcc and clang. > > Fixes: ab16d2c2871b ("stream-ssl: Don't enable new TLS versions by > default") CC: Timothy Redaelli <tredaelli@redhat.com> > Signed-off-by: Darrell Ball <dlu998@gmail.com> > Signed-off-by: Ben Pfaff <blp@ovn.org> > --- > v1->v2: Add SSL_OP_NO_SSLv2 (thanks Han!). > > lib/stream-ssl.c | 6 ++++++ > 1 file changed, 6 insertions(+) > > diff --git a/lib/stream-ssl.c b/lib/stream-ssl.c > index f3d623c035f8..fed71801b823 100644 > --- a/lib/stream-ssl.c > +++ b/lib/stream-ssl.c > @@ -1188,6 +1188,12 @@ stream_ssl_set_protocols(const char *arg) > } > > /* Start with all the flags off and turn them on as requested. */ > +#ifndef SSL_OP_NO_SSL_MASK > + /* For old OpenSSL without this macro, this is the correct > value. */ +#define SSL_OP_NO_SSL_MASK (SSL_OP_NO_SSLv2 | > SSL_OP_NO_SSLv3 | \ > + SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | \ > + SSL_OP_NO_TLSv1_2) > +#endif > long protocol_flags = SSL_OP_NO_SSL_MASK; > > char *s = xstrdup(arg); I'm sorry for this, I tested my patch with OpenSSL 1.0.2k (RHEL7) and OpenSSL 1.1.0h (Fedora 28). I checked right now and some distributions (for example Ubuntu 14.04) use 1.0.1, which doesn't have SSL_OP_NO_SSL_MASK (introduced in 1.0.2, 6 years ago [1]). Reviewed-by: Timothy Redaelli <tredaelli@redhat.com> [1] https://github.com/openssl/openssl/commit/49ef33fa3463d6b6001009024c9aed09f814cb7c#diff-4b59eddb1c722b1dc3d17b5f64149e12R620
diff --git a/lib/stream-ssl.c b/lib/stream-ssl.c index f3d623c035f8..fed71801b823 100644 --- a/lib/stream-ssl.c +++ b/lib/stream-ssl.c @@ -1188,6 +1188,12 @@ stream_ssl_set_protocols(const char *arg) } /* Start with all the flags off and turn them on as requested. */ +#ifndef SSL_OP_NO_SSL_MASK + /* For old OpenSSL without this macro, this is the correct value. */ +#define SSL_OP_NO_SSL_MASK (SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | \ + SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | \ + SSL_OP_NO_TLSv1_2) +#endif long protocol_flags = SSL_OP_NO_SSL_MASK; char *s = xstrdup(arg);
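Review bot: the fallback `#define SSL_OP_NO_SSL_MASK` sits inside the body of stream_ssl_set_protocols(), between the "Start with all the flags off" comment and the `long protocol_flags = SSL_OP_NO_SSL_MASK;` declaration that comment describes. Consider moving the `#ifndef` block to file scope next to the OpenSSL includes, so the comment stays attached to its declaration and any later use of the mask elsewhere in lib/stream-ssl.c compiles against old headers as well. The new comment says only "old OpenSSL"; naming the cutoff (the thread gives 1.0.2 as the release that introduced the macro) would tell a future reader when the fallback can be dropped. The fallback also assumes the header defines all five SSL_OP_NO_* constants it ORs together, and it is a fixed list: a protocol-disable flag added by a later OpenSSL is covered only when the library supplies its own mask, which is worth stating in the comment since protocol_flags starts from this value to keep every protocol disabled until requested.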