From patchwork Thu Jan 11 08:05:56 2024
X-Patchwork-Submitter: aginwala aginwala
X-Patchwork-Id: 1885607
From: amginwal@gmail.com
To: dev@openvswitch.org
Cc: Aliasgar Ginwala
Date: Thu, 11 Jan 2024 00:05:56 -0800
Message-Id: <20240111080557.54577-1-amginwal@gmail.com>
Subject: [ovs-dev] [PATCH ovn 1/2] fix segfault due to ssl-ciphers

From: Aliasgar Ginwala

To avoid invalidating existing certs setup by old version of ovs pki.
openssl supports setting ciphers but it fails with ovn as below

ovn-controller --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1'
Aborted (core dumped)

Avoid invalidating existing certs when bumping to new ovn version
SSL_connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
while connecting to control plane.

Also amend ovn ic northd and ovn ctl utilities

Signed-off-by: Aliasgar Ginwala
---
 controller/ovn-controller.c | 7 +++++++
 ic/ovn-ic.c | 8 ++++++++
 northd/ovn-northd.c | 8 ++++++++
 utilities/ovn-dbctl.c | 8 ++++++++
 4 files changed, 31 insertions(+)

diff --git a/controller/ovn-controller.c b/controller/ovn-controller.c index 856e5e270..4b16818a6 100644 --- a/controller/ovn-controller.c +++ b/controller/ovn-controller.c @@ -6166,6 +6166,13 @@ parse_options(int argc, char *argv[]) ssl_ca_cert_file = optarg; break; + case OPT_SSL_PROTOCOLS: + stream_ssl_set_protocols(optarg); + break; + + case OPT_SSL_CIPHERS: + stream_ssl_set_ciphers(optarg); + break; case OPT_PEER_CA_CERT: stream_ssl_set_peer_ca_cert_file(optarg); diff --git a/ic/ovn-ic.c b/ic/ovn-ic.c index 8ceb34d7c..6f8f5734d 100644 --- a/ic/ovn-ic.c +++ b/ic/ovn-ic.c 
@@ -1846,6 +1846,14 @@ parse_options(int argc OVS_UNUSED, char *argv[] OVS_UNUSED) ssl_ca_cert_file = optarg; break; + case OPT_SSL_PROTOCOLS: + stream_ssl_set_protocols(optarg); + break; + + case OPT_SSL_CIPHERS: + stream_ssl_set_ciphers(optarg); + break; + case 'd': ovnsb_db = optarg; break; diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c index f3868068d..dadc1af38 100644 --- a/northd/ovn-northd.c +++ b/northd/ovn-northd.c @@ -611,6 +611,14 @@ parse_options(int argc OVS_UNUSED, char *argv[] OVS_UNUSED, ssl_ca_cert_file = optarg; break; + case OPT_SSL_PROTOCOLS: + stream_ssl_set_protocols(optarg); + break; + + case OPT_SSL_CIPHERS: + stream_ssl_set_ciphers(optarg); + break; + case 'd': ovnsb_db = optarg; break; diff --git a/utilities/ovn-dbctl.c b/utilities/ovn-dbctl.c index 2e9348c47..92be27b2c 100644 --- a/utilities/ovn-dbctl.c +++ b/utilities/ovn-dbctl.c @@ -610,6 +610,14 @@ apply_options_direct(const struct ovn_dbctl_options *dbctl_options, ssl_ca_cert_file = optarg; break; + case OPT_SSL_PROTOCOLS: + stream_ssl_set_protocols(optarg); + break; + + case OPT_SSL_CIPHERS: + stream_ssl_set_ciphers(optarg); + break; + case OPT_BOOTSTRAP_CA_CERT: stream_ssl_set_ca_cert_file(po->arg, true); break;
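
Review bot: In the controller/ovn-controller.c hunk, the added OPT_SSL_CIPHERS case ends with `break;` and runs straight into `case OPT_PEER_CA_CERT:` with no blank line, unlike the same block in the other three files (7 insertions here against 8 there); add the separating blank line. Separately, no hunk in this patch adds OPT_SSL_PROTOCOLS or OPT_SSL_CIPHERS to an option enum or long-options table, so the commit message should say where these are already defined and registered for each of the four programs.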
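
Review bot: The new OPT_SSL_PROTOCOLS and OPT_SSL_CIPHERS cases in parse_options of ic/ovn-ic.c make user-supplied TLS settings take effect, yet the diffstat lists only four .c files, so unless 2/2 of this series covers it there is no documentation or test change. Please document both options for every program that now handles them, and add a test that starts a daemon with a cipher string like the one in the commit message, since that invocation is what aborted. A cipher string can also carry @SECLEVEL, as the commit message example does to keep older certificates verifying, so the documentation should say that this option affects certificate acceptance and not only cipher choice.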
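
Review bot: The eight lines added to parse_options in northd/ovn-northd.c are a copy of the block added to ic/ovn-ic.c and utilities/ovn-dbctl.c, and differ from the controller/ovn-controller.c block only by a blank line. Four hand-maintained copies of the same two cases will drift; consider one shared handler macro or helper that all four option parsers include, so a later change to how protocols or ciphers are applied lands in a single place.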
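
Review bot: In apply_options_direct (utilities/ovn-dbctl.c) the two new cases pass optarg, while the very next case in the same switch reads the option value from po->arg: `stream_ssl_set_ca_cert_file(po->arg, true);`. If this function walks a list of already-parsed options, optarg may no longer refer to the option being applied, and stream_ssl_set_protocols() or stream_ssl_set_ciphers() would receive a stale or NULL pointer. Use po->arg in both new cases, or explain in the commit message why optarg is valid here; the context line `ssl_ca_cert_file = optarg;` just above follows the same pattern and is worth checking at the same time.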