Message ID | 20240117201258.4033-1-amginwal@gmail.com |
---|---|
State | Accepted |
Series | [ovs-dev,v2] fix segfault due to ssl-ciphers | expand |
Context | Check | Description |
---|---|---|
ovsrobot/apply-robot | success | apply and check: success |
ovsrobot/github-robot-_Build_and_Test | success | github build: passed |
ovsrobot/github-robot-_ovn-kubernetes | success | github build: passed |
On Wed, Jan 17, 2024 at 9:13 PM <amginwal@gmail.com> wrote: > From: Aliasgar Ginwala <aginwala@ebay.com> > > To avoid invalidating existing certs setup by old version of ovs pki. > openssl supports setting ciphers but it fails with ovn as below > ovn-controller --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' > Aborted (core dumped) > > Avoid invalidating existing certs when bumping to new ovn version > SSL_connect: error:1416F086:SSL > routines:tls_process_server_certificate:certificate verify failed while > connecting to control plane. > > Also amend ovn ic northd and ovn ctl utilities > > Add tests for ssl ciphers > > Signed-off-by: Aliasgar Ginwala <aginwala@ebay.com> > --- > Hi Aliasgar, thank you for the v2. > controller/ovn-controller.c | 7 ++ > ic/ovn-ic.c | 8 ++ > northd/ovn-northd.c | 8 ++ > tests/ovn-controller.at | 23 +++++ > tests/ovn.at | 182 ++++++++++++++++++++++++++++++++++++ > utilities/ovn-dbctl.c | 8 ++ > 6 files changed, 236 insertions(+) > > diff --git a/controller/ovn-controller.c b/controller/ovn-controller.c > index 856e5e270..4b16818a6 100644 > --- a/controller/ovn-controller.c > +++ b/controller/ovn-controller.c > @@ -6166,6 +6166,13 @@ parse_options(int argc, char *argv[]) > ssl_ca_cert_file = optarg; > break; > > + case OPT_SSL_PROTOCOLS: > + stream_ssl_set_protocols(optarg); > + break; > + > + case OPT_SSL_CIPHERS: > + stream_ssl_set_ciphers(optarg); > + break; > > case OPT_PEER_CA_CERT: > stream_ssl_set_peer_ca_cert_file(optarg); > diff --git a/ic/ovn-ic.c b/ic/ovn-ic.c > index 8ceb34d7c..6f8f5734d 100644 > --- a/ic/ovn-ic.c > +++ b/ic/ovn-ic.c > @@ -1846,6 +1846,14 @@ parse_options(int argc OVS_UNUSED, char *argv[] > OVS_UNUSED) > ssl_ca_cert_file = optarg; > break; > > + case OPT_SSL_PROTOCOLS: > + stream_ssl_set_protocols(optarg); > + break; > + > + case OPT_SSL_CIPHERS: > + stream_ssl_set_ciphers(optarg); > + break; > + > case 'd': > ovnsb_db = optarg; > break; 
> diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c > index f3868068d..dadc1af38 100644 > --- a/northd/ovn-northd.c > +++ b/northd/ovn-northd.c > @@ -611,6 +611,14 @@ parse_options(int argc OVS_UNUSED, char *argv[] > OVS_UNUSED, > ssl_ca_cert_file = optarg; > break; > > + case OPT_SSL_PROTOCOLS: > + stream_ssl_set_protocols(optarg); > + break; > + > + case OPT_SSL_CIPHERS: > + stream_ssl_set_ciphers(optarg); > + break; > + > case 'd': > ovnsb_db = optarg; > break; > diff --git a/tests/ovn-controller.at b/tests/ovn-controller.at > index 9d2a37c72..9cc8730e9 100644 > --- a/tests/ovn-controller.at > +++ b/tests/ovn-controller.at > @@ -2712,3 +2712,26 @@ AT_CHECK([as hv1 ovs-ofctl dump-flows br-int > table=40 | grep -q controller], [1] > OVN_CLEANUP([hv1]) > AT_CLEANUP > ]) > + > + > nit: Extra empty line, this can be addressed during merge. > +AT_SETUP([ovn-controller - ssl ciphers using command line options]) > +AT_KEYWORDS([ovn]) > +AT_SKIP_IF([test "$HAVE_OPENSSL" = no]) > +ovn_start > + > +net_add n1 > +sim_add hv1 > +ovs-vsctl add-br br-phys > +ovn_attach n1 br-phys 192.168.0.20 > + > +# Set cipher and and it should connect > +OVS_APP_EXIT_AND_WAIT([ovn-controller]) > +start_daemon ovn-controller --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' > --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' > + > +OVS_WAIT_FOR_OUTPUT([ovn-appctl -t ovn-controller connection-status], > [0], [connected > +]) > + > +cat hv1/ovn-controller.log > + > +OVN_CLEANUP([hv1]) > +AT_CLEANUP > diff --git a/tests/ovn.at b/tests/ovn.at > index c3644ac78..34f277ef9 100644 > --- a/tests/ovn.at > +++ b/tests/ovn.at 
> @@ -37588,3 +37588,185 @@ OVN_CLEANUP([hv1]) > > AT_CLEANUP > ]) > + > +AT_SETUP([read-only sb db:pssl access with ssl-ciphers and ssl-protocols]) > +AT_SKIP_IF([test "$HAVE_OPENSSL" = no]) > +PKIDIR="$(cd $abs_top_builddir/tests && pwd)" > +AT_SKIP_IF([expr "$PKIDIR" : ".*[[ '\" > +\\]]"]) > + > +: > .$1.db.~lock~ > +ovsdb-tool create ovn-sb.db "$abs_top_srcdir"/ovn-sb.ovsschema > + > +# Add read-only remote to sb ovsdb-server > +AT_CHECK( > + [ovsdb-tool transact ovn-sb.db \ > + ['["OVN_Southbound", > + {"op": "insert", > + "table": "SB_Global", > + "row": { > + "connections": ["set", [["named-uuid", "xyz"]]]}}, > + {"op": "insert", > + "table": "Connection", > + "uuid-name": "xyz", > + "row": {"target": "pssl:0:127.0.0.1", > + "read_only": true}}]']], [0], [ignore], [ignore]) > + > +start_daemon ovsdb-server --remote=punix:ovn-sb.sock \ > + > --remote=db:OVN_Southbound,SB_Global,connections \ > + > --private-key="$PKIDIR/testpki-test2-privkey.pem" \ > + --certificate="$PKIDIR/testpki-test2-cert.pem" \ > + --ca-cert="$PKIDIR/testpki-cacert.pem" \ > + --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \ > + --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \ > + ovn-sb.db > + > +PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT]) > + > +# read-only accesses should succeed > +AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ > + --private-key=$PKIDIR/testpki-test-privkey.pem \ > + --certificate=$PKIDIR/testpki-test-cert.pem \ > + --ca-cert=$PKIDIR/testpki-cacert.pem \ > + --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \ > + --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \ > + list SB_Global], [0], [stdout], [ignore]) > +AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ > + --private-key=$PKIDIR/testpki-test-privkey.pem \ > + --certificate=$PKIDIR/testpki-test-cert.pem \ > + --ca-cert=$PKIDIR/testpki-cacert.pem \ > + --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \ > + --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \ > + list Connection], [0], [stdout], [ignore]) > + > +# write access should 
fail > +AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ > + --private-key=$PKIDIR/testpki-test-privkey.pem \ > + --certificate=$PKIDIR/testpki-test-cert.pem \ > + --ca-cert=$PKIDIR/testpki-cacert.pem \ > + --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \ > + --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \ > + chassis-add ch vxlan 1.2.4.8], [1], [ignore], > +[ovn-sbctl: transaction error: {"details":"insert operation not allowed > when database server is in read only mode","error":"not allowed"} > +]) > + > +OVS_APP_EXIT_AND_WAIT([ovsdb-server]) > +AT_CLEANUP > + > +AT_SETUP([nb connection/ssl commands with ssl-ciphers and ssl-protocols]) > +AT_SKIP_IF([test "$HAVE_OPENSSL" = no]) > +PKIDIR="$(cd $abs_top_builddir/tests && pwd)" > +AT_SKIP_IF([expr "$PKIDIR" : ".*[[ '\" > +\\]]"]) > + > +: > .$1.db.~lock~ > +ovsdb-tool create ovn-nb.db "$abs_top_srcdir"/ovn-nb.ovsschema > + > +# Start nb db server using db connection/ssl entries (unpopulated > initially) > +start_daemon ovsdb-server --remote=punix:ovnnb_db.sock \ > + > --remote=db:OVN_Northbound,NB_Global,connections \ > + --private-key=db:OVN_Northbound,SSL,private_key > \ > + --certificate=db:OVN_Northbound,SSL,certificate > \ > + --ca-cert=db:OVN_Northbound,SSL,ca_cert \ > + --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \ > + --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \ > + ovn-nb.db > + > +# Populate SSL configuration entries in nb db > +AT_CHECK( > + [ovn-nbctl set-ssl $PKIDIR/testpki-test-privkey.pem \ > + $PKIDIR/testpki-test-cert.pem \ > + $PKIDIR/testpki-cacert.pem], [0], [stdout], > [ignore]) > + > +# Populate a passive SSL connection in nb db > +AT_CHECK([ovn-nbctl set-connection pssl:0:127.0.0.1], [0], [stdout], > [ignore]) > + > +PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT]) > + > +# Verify SSL connetivity to nb db server > +AT_CHECK([ovn-nbctl --db=ssl:127.0.0.1:$TCP_PORT \ > + --private-key=$PKIDIR/testpki-test-privkey.pem \ > + --certificate=$PKIDIR/testpki-test-cert.pem \ > + 
--ca-cert=$PKIDIR/testpki-cacert.pem \ > + --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \ > + --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \ > + list NB_Global], > + [0], [stdout], [ignore]) > +AT_CHECK([ovn-nbctl --db=ssl:127.0.0.1:$TCP_PORT \ > + --private-key=$PKIDIR/testpki-test-privkey.pem \ > + --certificate=$PKIDIR/testpki-test-cert.pem \ > + --ca-cert=$PKIDIR/testpki-cacert.pem \ > + --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \ > + --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \ > + list Connection], > + [0], [stdout], [ignore]) > +AT_CHECK([ovn-nbctl --db=ssl:127.0.0.1:$TCP_PORT \ > + --private-key=$PKIDIR/testpki-test-privkey.pem \ > + --certificate=$PKIDIR/testpki-test-cert.pem \ > + --ca-cert=$PKIDIR/testpki-cacert.pem \ > + --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \ > + --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \ > + get-connection], > + [0], [stdout], [ignore]) > + > +OVS_APP_EXIT_AND_WAIT([ovsdb-server]) > +AT_CLEANUP > + > +AT_SETUP([sb connection/ssl commands with ssl-ciphers and ssl-protocols]) > +AT_SKIP_IF([test "$HAVE_OPENSSL" = no]) > +PKIDIR="$(cd $abs_top_builddir/tests && pwd)" > +AT_SKIP_IF([expr "$PKIDIR" : ".*[[ '\" > +\\]]"]) > + > +: > .$1.db.~lock~ > +ovsdb-tool create ovn-sb.db "$abs_top_srcdir"/ovn-sb.ovsschema > + > +# Start sb db server using db connection/ssl entries (unpopulated > initially) > +start_daemon ovsdb-server --remote=punix:ovnsb_db.sock \ > + > --remote=db:OVN_Southbound,SB_Global,connections \ > + --private-key=db:OVN_Southbound,SSL,private_key > \ > + --certificate=db:OVN_Southbound,SSL,certificate > \ > + --ca-cert=db:OVN_Southbound,SSL,ca_cert \ > + --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \ > + --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \ > + ovn-sb.db > + > +# Populate SSL configuration entries in sb db > +AT_CHECK( > + [ovn-sbctl set-ssl $PKIDIR/testpki-test-privkey.pem \ > + $PKIDIR/testpki-test-cert.pem \ > + $PKIDIR/testpki-cacert.pem], [0], [stdout], > [ignore]) > + > +# Populate a passive SSL connection in sb 
db > +AT_CHECK([ovn-sbctl set-connection pssl:0:127.0.0.1], [0], [stdout], > [ignore]) > + > +PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT]) > + > +# Verify SSL connetivity to sb db server > +AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ > + --private-key=$PKIDIR/testpki-test-privkey.pem \ > + --certificate=$PKIDIR/testpki-test-cert.pem \ > + --ca-cert=$PKIDIR/testpki-cacert.pem \ > + --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \ > + --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \ > + list SB_Global], > + [0], [stdout], [ignore]) > +AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ > + --private-key=$PKIDIR/testpki-test-privkey.pem \ > + --certificate=$PKIDIR/testpki-test-cert.pem \ > + --ca-cert=$PKIDIR/testpki-cacert.pem \ > + --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \ > + --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \ > + list Connection], > + [0], [stdout], [ignore]) > +AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ > + --private-key=$PKIDIR/testpki-test-privkey.pem \ > + --certificate=$PKIDIR/testpki-test-cert.pem \ > + --ca-cert=$PKIDIR/testpki-cacert.pem \ > + --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \ > + --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \ > + get-connection], > + [0], [stdout], [ignore]) > + > +OVS_APP_EXIT_AND_WAIT([ovsdb-server]) > +AT_CLEANUP > diff --git a/utilities/ovn-dbctl.c b/utilities/ovn-dbctl.c > index 2e9348c47..92be27b2c 100644 > --- a/utilities/ovn-dbctl.c > +++ b/utilities/ovn-dbctl.c 
> @@ -610,6 +610,14 @@ apply_options_direct(const struct ovn_dbctl_options > *dbctl_options, > ssl_ca_cert_file = optarg; > break; > > + case OPT_SSL_PROTOCOLS: > + stream_ssl_set_protocols(optarg); > + break; > + > + case OPT_SSL_CIPHERS: > + stream_ssl_set_ciphers(optarg); > + break; > + > case OPT_BOOTSTRAP_CA_CERT: > stream_ssl_set_ca_cert_file(po->arg, true); > break; > -- > 2.39.3 (Apple Git-145) > > _______________________________________________ > dev mailing list > dev@openvswitch.org > https://mail.openvswitch.org/mailman/listinfo/ovs-dev > > Other than that it looks good. Acked-by: Ales Musil <amusil@redhat.com> Thanks, Ales
On Thu, Jan 18, 2024 at 1:42 AM Ales Musil <amusil@redhat.com> wrote: > > On Wed, Jan 17, 2024 at 9:13 PM <amginwal@gmail.com> wrote: > > > From: Aliasgar Ginwala <aginwala@ebay.com> > > > > To avoid invalidating existing certs setup by old version of ovs pki. > > openssl supports setting ciphers but it fails with ovn as below > > ovn-controller --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' > > Aborted (core dumped) > > > > Avoid invalidating existing certs when bumping to new ovn version > > SSL_connect: error:1416F086:SSL > > routines:tls_process_server_certificate:certificate verify failed while > > connecting to control plane. > > > > Also amend ovn ic northd and ovn ctl utilities > > > > Add tests for ssl ciphers > > > > Signed-off-by: Aliasgar Ginwala <aginwala@ebay.com> > > --- > > > > Hi Aliasgar, > > thank you for the v2. > > > > controller/ovn-controller.c | 7 ++ > > ic/ovn-ic.c | 8 ++ > > northd/ovn-northd.c | 8 ++ > > tests/ovn-controller.at | 23 +++++ > > tests/ovn.at | 182 ++++++++++++++++++++++++++++++++++++ > > utilities/ovn-dbctl.c | 8 ++ > > 6 files changed, 236 insertions(+) > > > > diff --git a/controller/ovn-controller.c b/controller/ovn-controller.c > > index 856e5e270..4b16818a6 100644 > > --- a/controller/ovn-controller.c > > +++ b/controller/ovn-controller.c > > @@ -6166,6 +6166,13 @@ parse_options(int argc, char *argv[]) > > ssl_ca_cert_file = optarg; > > break; > > > > + case OPT_SSL_PROTOCOLS: > > + stream_ssl_set_protocols(optarg); > > + break; > > + > > + case OPT_SSL_CIPHERS: > > + stream_ssl_set_ciphers(optarg); > > + break; > > > > case OPT_PEER_CA_CERT: > > stream_ssl_set_peer_ca_cert_file(optarg); > > diff --git a/ic/ovn-ic.c b/ic/ovn-ic.c > > index 8ceb34d7c..6f8f5734d 100644 > > --- a/ic/ovn-ic.c > > +++ b/ic/ovn-ic.c 
> > @@ -1846,6 +1846,14 @@ parse_options(int argc OVS_UNUSED, char *argv[] > > OVS_UNUSED) > > ssl_ca_cert_file = optarg; > > break; > > > > + case OPT_SSL_PROTOCOLS: > > + stream_ssl_set_protocols(optarg); > > + break; > > + > > + case OPT_SSL_CIPHERS: > > + stream_ssl_set_ciphers(optarg); > > + break; > > + > > case 'd': > > ovnsb_db = optarg; > > break; > > diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c > > index f3868068d..dadc1af38 100644 > > --- a/northd/ovn-northd.c > > +++ b/northd/ovn-northd.c > > @@ -611,6 +611,14 @@ parse_options(int argc OVS_UNUSED, char *argv[] > > OVS_UNUSED, > > ssl_ca_cert_file = optarg; > > break; > > > > + case OPT_SSL_PROTOCOLS: > > + stream_ssl_set_protocols(optarg); > > + break; > > + > > + case OPT_SSL_CIPHERS: > > + stream_ssl_set_ciphers(optarg); > > + break; > > + > > case 'd': > > ovnsb_db = optarg; > > break; > > diff --git a/tests/ovn-controller.at b/tests/ovn-controller.at > > index 9d2a37c72..9cc8730e9 100644 > > --- a/tests/ovn-controller.at > > +++ b/tests/ovn-controller.at > > @@ -2712,3 +2712,26 @@ AT_CHECK([as hv1 ovs-ofctl dump-flows br-int > > table=40 | grep -q controller], [1] > > OVN_CLEANUP([hv1]) > > AT_CLEANUP > > ]) > > + > > + > > > > nit: Extra empty line, this can be addressed during merge. > > > > +AT_SETUP([ovn-controller - ssl ciphers using command line options]) > > +AT_KEYWORDS([ovn]) > > +AT_SKIP_IF([test "$HAVE_OPENSSL" = no]) > > +ovn_start > > + > > +net_add n1 > > +sim_add hv1 > > +ovs-vsctl add-br br-phys > > +ovn_attach n1 br-phys 192.168.0.20 > > + > > +# Set cipher and and it should connect > > +OVS_APP_EXIT_AND_WAIT([ovn-controller]) > > +start_daemon ovn-controller --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' > > --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' > > + > > +OVS_WAIT_FOR_OUTPUT([ovn-appctl -t ovn-controller connection-status], > > [0], [connected > > +]) > > + > > +cat hv1/ovn-controller.log > > + > > +OVN_CLEANUP([hv1]) > > +AT_CLEANUP 
> > diff --git a/tests/ovn.at b/tests/ovn.at > > index c3644ac78..34f277ef9 100644 > > --- a/tests/ovn.at > > +++ b/tests/ovn.at 
> > @@ -37588,3 +37588,185 @@ OVN_CLEANUP([hv1]) > > > > AT_CLEANUP > > ]) > > + > > +AT_SETUP([read-only sb db:pssl access with ssl-ciphers and ssl-protocols]) > > +AT_SKIP_IF([test "$HAVE_OPENSSL" = no]) > > +PKIDIR="$(cd $abs_top_builddir/tests && pwd)" > > +AT_SKIP_IF([expr "$PKIDIR" : ".*[[ '\" > > +\\]]"]) > > + > > +: > .$1.db.~lock~ > > +ovsdb-tool create ovn-sb.db "$abs_top_srcdir"/ovn-sb.ovsschema > > + > > +# Add read-only remote to sb ovsdb-server > > +AT_CHECK( > > + [ovsdb-tool transact ovn-sb.db \ > > + ['["OVN_Southbound", > > + {"op": "insert", > > + "table": "SB_Global", > > + "row": { > > + "connections": ["set", [["named-uuid", "xyz"]]]}}, > > + {"op": "insert", > > + "table": "Connection", > > + "uuid-name": "xyz", > > + "row": {"target": "pssl:0:127.0.0.1", > > + "read_only": true}}]']], [0], [ignore], [ignore]) > > + > > +start_daemon ovsdb-server --remote=punix:ovn-sb.sock \ > > + > > --remote=db:OVN_Southbound,SB_Global,connections \ > > + > > --private-key="$PKIDIR/testpki-test2-privkey.pem" \ > > + --certificate="$PKIDIR/testpki-test2-cert.pem" \ > > + --ca-cert="$PKIDIR/testpki-cacert.pem" \ > > + --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \ > > + --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \ > > + ovn-sb.db > > + > > +PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT]) > > + > > +# read-only accesses should succeed > > +AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ > > + --private-key=$PKIDIR/testpki-test-privkey.pem \ > > + --certificate=$PKIDIR/testpki-test-cert.pem \ > > + --ca-cert=$PKIDIR/testpki-cacert.pem \ > > + --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \ > > + --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \ > > + list SB_Global], [0], [stdout], [ignore]) > > +AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ > > + --private-key=$PKIDIR/testpki-test-privkey.pem \ > > + --certificate=$PKIDIR/testpki-test-cert.pem \ > > + --ca-cert=$PKIDIR/testpki-cacert.pem \ > > + --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \ > > + 
--ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \ > > + list Connection], [0], [stdout], [ignore]) > > + > > +# write access should fail > > +AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ > > + --private-key=$PKIDIR/testpki-test-privkey.pem \ > > + --certificate=$PKIDIR/testpki-test-cert.pem \ > > + --ca-cert=$PKIDIR/testpki-cacert.pem \ > > + --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \ > > + --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \ > > + chassis-add ch vxlan 1.2.4.8], [1], [ignore], > > +[ovn-sbctl: transaction error: {"details":"insert operation not allowed > > when database server is in read only mode","error":"not allowed"} > > +]) > > + > > +OVS_APP_EXIT_AND_WAIT([ovsdb-server]) > > +AT_CLEANUP > > + > > +AT_SETUP([nb connection/ssl commands with ssl-ciphers and ssl-protocols]) > > +AT_SKIP_IF([test "$HAVE_OPENSSL" = no]) > > +PKIDIR="$(cd $abs_top_builddir/tests && pwd)" > > +AT_SKIP_IF([expr "$PKIDIR" : ".*[[ '\" > > +\\]]"]) > > + > > +: > .$1.db.~lock~ > > +ovsdb-tool create ovn-nb.db "$abs_top_srcdir"/ovn-nb.ovsschema > > + > > +# Start nb db server using db connection/ssl entries (unpopulated > > initially) > > +start_daemon ovsdb-server --remote=punix:ovnnb_db.sock \ > > + > > --remote=db:OVN_Northbound,NB_Global,connections \ > > + --private-key=db:OVN_Northbound,SSL,private_key > > \ > > + --certificate=db:OVN_Northbound,SSL,certificate > > \ > > + --ca-cert=db:OVN_Northbound,SSL,ca_cert \ > > + --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \ > > + --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \ > > + ovn-nb.db > > + > > +# Populate SSL configuration entries in nb db > > +AT_CHECK( > > + [ovn-nbctl set-ssl $PKIDIR/testpki-test-privkey.pem \ > > + $PKIDIR/testpki-test-cert.pem \ > > + $PKIDIR/testpki-cacert.pem], [0], [stdout], > > [ignore]) > > + > > +# Populate a passive SSL connection in nb db > > +AT_CHECK([ovn-nbctl set-connection pssl:0:127.0.0.1], [0], [stdout], > > [ignore]) > > + > > +PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT]) > > + > > +# 
Verify SSL connetivity to nb db server > > +AT_CHECK([ovn-nbctl --db=ssl:127.0.0.1:$TCP_PORT \ > > + --private-key=$PKIDIR/testpki-test-privkey.pem \ > > + --certificate=$PKIDIR/testpki-test-cert.pem \ > > + --ca-cert=$PKIDIR/testpki-cacert.pem \ > > + --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \ > > + --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \ > > + list NB_Global], > > + [0], [stdout], [ignore]) > > +AT_CHECK([ovn-nbctl --db=ssl:127.0.0.1:$TCP_PORT \ > > + --private-key=$PKIDIR/testpki-test-privkey.pem \ > > + --certificate=$PKIDIR/testpki-test-cert.pem \ > > + --ca-cert=$PKIDIR/testpki-cacert.pem \ > > + --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \ > > + --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \ > > + list Connection], > > + [0], [stdout], [ignore]) > > +AT_CHECK([ovn-nbctl --db=ssl:127.0.0.1:$TCP_PORT \ > > + --private-key=$PKIDIR/testpki-test-privkey.pem \ > > + --certificate=$PKIDIR/testpki-test-cert.pem \ > > + --ca-cert=$PKIDIR/testpki-cacert.pem \ > > + --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \ > > + --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \ > > + get-connection], > > + [0], [stdout], [ignore]) > > + > > +OVS_APP_EXIT_AND_WAIT([ovsdb-server]) > > +AT_CLEANUP > > + > > +AT_SETUP([sb connection/ssl commands with ssl-ciphers and ssl-protocols]) > > +AT_SKIP_IF([test "$HAVE_OPENSSL" = no]) > > +PKIDIR="$(cd $abs_top_builddir/tests && pwd)" > > +AT_SKIP_IF([expr "$PKIDIR" : ".*[[ '\" > > +\\]]"]) > > + > > +: > .$1.db.~lock~ > > +ovsdb-tool create ovn-sb.db "$abs_top_srcdir"/ovn-sb.ovsschema > > + > > +# Start sb db server using db connection/ssl entries (unpopulated > > initially) > > +start_daemon ovsdb-server --remote=punix:ovnsb_db.sock \ > > + > > --remote=db:OVN_Southbound,SB_Global,connections \ > > + --private-key=db:OVN_Southbound,SSL,private_key > > \ > > + --certificate=db:OVN_Southbound,SSL,certificate > > \ > > + --ca-cert=db:OVN_Southbound,SSL,ca_cert \ > > + --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \ > > + 
--ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \ > > + ovn-sb.db > > + > > +# Populate SSL configuration entries in sb db > > +AT_CHECK( > > + [ovn-sbctl set-ssl $PKIDIR/testpki-test-privkey.pem \ > > + $PKIDIR/testpki-test-cert.pem \ > > + $PKIDIR/testpki-cacert.pem], [0], [stdout], > > [ignore]) > > + > > +# Populate a passive SSL connection in sb db > > +AT_CHECK([ovn-sbctl set-connection pssl:0:127.0.0.1], [0], [stdout], > > [ignore]) > > + > > +PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT]) > > + > > +# Verify SSL connetivity to sb db server > > +AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ > > + --private-key=$PKIDIR/testpki-test-privkey.pem \ > > + --certificate=$PKIDIR/testpki-test-cert.pem \ > > + --ca-cert=$PKIDIR/testpki-cacert.pem \ > > + --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \ > > + --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \ > > + list SB_Global], > > + [0], [stdout], [ignore]) > > +AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ > > + --private-key=$PKIDIR/testpki-test-privkey.pem \ > > + --certificate=$PKIDIR/testpki-test-cert.pem \ > > + --ca-cert=$PKIDIR/testpki-cacert.pem \ > > + --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \ > > + --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \ > > + list Connection], > > + [0], [stdout], [ignore]) > > +AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ > > + --private-key=$PKIDIR/testpki-test-privkey.pem \ > > + --certificate=$PKIDIR/testpki-test-cert.pem \ > > + --ca-cert=$PKIDIR/testpki-cacert.pem \ > > + --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \ > > + --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \ > > + get-connection], > > + [0], [stdout], [ignore]) > > + > > +OVS_APP_EXIT_AND_WAIT([ovsdb-server]) > > +AT_CLEANUP > > diff --git a/utilities/ovn-dbctl.c b/utilities/ovn-dbctl.c > > index 2e9348c47..92be27b2c 100644 > > --- a/utilities/ovn-dbctl.c > > +++ b/utilities/ovn-dbctl.c 
> > @@ -610,6 +610,14 @@ apply_options_direct(const struct ovn_dbctl_options > > *dbctl_options, > > ssl_ca_cert_file = optarg; > > break; > > > > + case OPT_SSL_PROTOCOLS: > > + stream_ssl_set_protocols(optarg); > > + break; > > + > > + case OPT_SSL_CIPHERS: > > + stream_ssl_set_ciphers(optarg); > > + break; > > + > > case OPT_BOOTSTRAP_CA_CERT: > > stream_ssl_set_ca_cert_file(po->arg, true); > > break; > > -- > > 2.39.3 (Apple Git-145) > > > > _______________________________________________ > > dev mailing list > > dev@openvswitch.org > > https://mail.openvswitch.org/mailman/listinfo/ovs-dev > > > > > Other than that it looks good. > > Acked-by: Ales Musil <amusil@redhat.com> Thanks. I addressed the nit and applied the patch to main and branch-23.09. I've triggered CI runs for other branch backports (upto branch-22.03). Once they are run, I'll backport them. Thanks Numan > > Thanks, > Ales > > -- > > Ales Musil > > Senior Software Engineer - OVN Core > > Red Hat EMEA <https://www.redhat.com> > > amusil@redhat.com > <https://red.ht/sig> > _______________________________________________ > dev mailing list > dev@openvswitch.org > https://mail.openvswitch.org/mailman/listinfo/ovs-dev
diff --git a/controller/ovn-controller.c b/controller/ovn-controller.c
index 856e5e270..4b16818a6 100644
--- a/controller/ovn-controller.c
+++ b/controller/ovn-controller.c
@@ -6166,6 +6166,13 @@ parse_options(int argc, char *argv[])
 ssl_ca_cert_file = optarg;
 break;
 
+ case OPT_SSL_PROTOCOLS:
+ stream_ssl_set_protocols(optarg);
+ break;
+
+ case OPT_SSL_CIPHERS:
+ stream_ssl_set_ciphers(optarg);
+ break;
 
 case OPT_PEER_CA_CERT:
 stream_ssl_set_peer_ca_cert_file(optarg);
diff --git a/ic/ovn-ic.c b/ic/ovn-ic.c
index 8ceb34d7c..6f8f5734d 100644
--- a/ic/ovn-ic.c
+++ b/ic/ovn-ic.c
@@ -1846,6 +1846,14 @@ parse_options(int argc OVS_UNUSED, char *argv[] OVS_UNUSED)
 ssl_ca_cert_file = optarg;
 break;
 
+ case OPT_SSL_PROTOCOLS:
+ stream_ssl_set_protocols(optarg);
+ break;
+
+ case OPT_SSL_CIPHERS:
+ stream_ssl_set_ciphers(optarg);
+ break;
+
 case 'd':
 ovnsb_db = optarg;
 break;
diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
index f3868068d..dadc1af38 100644
--- a/northd/ovn-northd.c
+++ b/northd/ovn-northd.c
@@ -611,6 +611,14 @@ parse_options(int argc OVS_UNUSED, char *argv[] OVS_UNUSED,
 ssl_ca_cert_file = optarg;
 break;
 
+ case OPT_SSL_PROTOCOLS:
+ stream_ssl_set_protocols(optarg);
+ break;
+
+ case OPT_SSL_CIPHERS:
+ stream_ssl_set_ciphers(optarg);
+ break;
+
 case 'd':
 ovnsb_db = optarg;
 break;
diff --git a/tests/ovn-controller.at b/tests/ovn-controller.at
index 9d2a37c72..9cc8730e9 100644
--- a/tests/ovn-controller.at
+++ b/tests/ovn-controller.at
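Review bot: The new arms in ovn-controller.c, ovn-ic.c and ovn-northd.c (and the matching ones in utilities/ovn-dbctl.c) handle two options that were evidently already accepted by the option table but had no case in this switch, yet nothing in the code records that coupling, so the next option the (presumably shared OVS) SSL option table grows will again be parsed by getopt and reach this switch's default branch. If, as the commit message's "Aborted (core dumped)" suggests, that default branch aborts, an unsupported flag becomes a crash instead of a usage error. A comment on the first new arm would make the dependency visible to the next maintainer: `/* Every option the SSL long-options table accepts needs an arm here; otherwise it reaches the default branch. */`. parse_options begins and ends outside these hunks.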
@@ -2712,3 +2712,26 @@ AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=40 | grep -q controller], [1] OVN_CLEANUP([hv1]) AT_CLEANUP ]) + + +AT_SETUP([ovn-controller - ssl ciphers using command line options]) +AT_KEYWORDS([ovn]) +AT_SKIP_IF([test "$HAVE_OPENSSL" = no]) +ovn_start + +net_add n1 +sim_add hv1 +ovs-vsctl add-br br-phys +ovn_attach n1 br-phys 192.168.0.20 + +# Set cipher and and it should connect +OVS_APP_EXIT_AND_WAIT([ovn-controller]) +start_daemon ovn-controller --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' + +OVS_WAIT_FOR_OUTPUT([ovn-appctl -t ovn-controller connection-status], [0], [connected +]) + +cat hv1/ovn-controller.log + +OVN_CLEANUP([hv1]) +AT_CLEANUP diff --git a/tests/ovn.at b/tests/ovn.at index c3644ac78..34f277ef9 100644 --- a/tests/ovn.at +++ b/tests/ovn.at 
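Review bot: The new test only proves that ovn-controller accepts the two options and still reports `connected`; nothing checks that the cipher or protocol restriction took effect, so a build that quietly ignored both strings would pass as well (the three tests added to tests/ovn.at share this gap). A companion check that starts the daemon with a protocol list the test ovsdb-server does not offer and waits for a status other than `connected` would pin the behaviour rather than just the option parsing. Two smaller things in the same hunk: the comment `# Set cipher and and it should connect` doubles "and", and `cat hv1/ovn-controller.log` reads like leftover debugging output that only adds noise to the test log. Pinning `TLSv1,TLSv1.1` is also fragile, since OpenSSL builds increasingly refuse those versions; `TLSv1.2` alone would exercise the option just as well.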
@@ -37588,3 +37588,185 @@ OVN_CLEANUP([hv1]) AT_CLEANUP ]) + +AT_SETUP([read-only sb db:pssl access with ssl-ciphers and ssl-protocols]) +AT_SKIP_IF([test "$HAVE_OPENSSL" = no]) +PKIDIR="$(cd $abs_top_builddir/tests && pwd)" +AT_SKIP_IF([expr "$PKIDIR" : ".*[[ '\" +\\]]"]) + +: > .$1.db.~lock~ +ovsdb-tool create ovn-sb.db "$abs_top_srcdir"/ovn-sb.ovsschema + +# Add read-only remote to sb ovsdb-server +AT_CHECK( + [ovsdb-tool transact ovn-sb.db \ + ['["OVN_Southbound", + {"op": "insert", + "table": "SB_Global", + "row": { + "connections": ["set", [["named-uuid", "xyz"]]]}}, + {"op": "insert", + "table": "Connection", + "uuid-name": "xyz", + "row": {"target": "pssl:0:127.0.0.1", + "read_only": true}}]']], [0], [ignore], [ignore]) + +start_daemon ovsdb-server --remote=punix:ovn-sb.sock \ + --remote=db:OVN_Southbound,SB_Global,connections \ + --private-key="$PKIDIR/testpki-test2-privkey.pem" \ + --certificate="$PKIDIR/testpki-test2-cert.pem" \ + --ca-cert="$PKIDIR/testpki-cacert.pem" \ + --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \ + --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \ + ovn-sb.db + +PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT]) + +# read-only accesses should succeed +AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ + --private-key=$PKIDIR/testpki-test-privkey.pem \ + --certificate=$PKIDIR/testpki-test-cert.pem \ + --ca-cert=$PKIDIR/testpki-cacert.pem \ + --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \ + --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \ + list SB_Global], [0], [stdout], [ignore]) +AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ + --private-key=$PKIDIR/testpki-test-privkey.pem \ + --certificate=$PKIDIR/testpki-test-cert.pem \ + --ca-cert=$PKIDIR/testpki-cacert.pem \ + --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \ + --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \ + list Connection], [0], [stdout], [ignore]) + +# write access should fail +AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ + --private-key=$PKIDIR/testpki-test-privkey.pem \ + 
--certificate=$PKIDIR/testpki-test-cert.pem \ + --ca-cert=$PKIDIR/testpki-cacert.pem \ + --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \ + --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \ + chassis-add ch vxlan 1.2.4.8], [1], [ignore], +[ovn-sbctl: transaction error: {"details":"insert operation not allowed when database server is in read only mode","error":"not allowed"} +]) + +OVS_APP_EXIT_AND_WAIT([ovsdb-server]) +AT_CLEANUP + +AT_SETUP([nb connection/ssl commands with ssl-ciphers and ssl-protocols]) +AT_SKIP_IF([test "$HAVE_OPENSSL" = no]) +PKIDIR="$(cd $abs_top_builddir/tests && pwd)" +AT_SKIP_IF([expr "$PKIDIR" : ".*[[ '\" +\\]]"]) + +: > .$1.db.~lock~ +ovsdb-tool create ovn-nb.db "$abs_top_srcdir"/ovn-nb.ovsschema + +# Start nb db server using db connection/ssl entries (unpopulated initially) +start_daemon ovsdb-server --remote=punix:ovnnb_db.sock \ + --remote=db:OVN_Northbound,NB_Global,connections \ + --private-key=db:OVN_Northbound,SSL,private_key \ + --certificate=db:OVN_Northbound,SSL,certificate \ + --ca-cert=db:OVN_Northbound,SSL,ca_cert \ + --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \ + --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \ + ovn-nb.db + +# Populate SSL configuration entries in nb db +AT_CHECK( + [ovn-nbctl set-ssl $PKIDIR/testpki-test-privkey.pem \ + $PKIDIR/testpki-test-cert.pem \ + $PKIDIR/testpki-cacert.pem], [0], [stdout], [ignore]) + +# Populate a passive SSL connection in nb db +AT_CHECK([ovn-nbctl set-connection pssl:0:127.0.0.1], [0], [stdout], [ignore]) + +PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT]) + +# Verify SSL connetivity to nb db server +AT_CHECK([ovn-nbctl --db=ssl:127.0.0.1:$TCP_PORT \ + --private-key=$PKIDIR/testpki-test-privkey.pem \ + --certificate=$PKIDIR/testpki-test-cert.pem \ + --ca-cert=$PKIDIR/testpki-cacert.pem \ + --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \ + --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \ + list NB_Global], + [0], [stdout], [ignore]) +AT_CHECK([ovn-nbctl --db=ssl:127.0.0.1:$TCP_PORT \ + 
--private-key=$PKIDIR/testpki-test-privkey.pem \ + --certificate=$PKIDIR/testpki-test-cert.pem \ + --ca-cert=$PKIDIR/testpki-cacert.pem \ + --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \ + --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \ + list Connection], + [0], [stdout], [ignore]) +AT_CHECK([ovn-nbctl --db=ssl:127.0.0.1:$TCP_PORT \ + --private-key=$PKIDIR/testpki-test-privkey.pem \ + --certificate=$PKIDIR/testpki-test-cert.pem \ + --ca-cert=$PKIDIR/testpki-cacert.pem \ + --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \ + --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \ + get-connection], + [0], [stdout], [ignore]) + +OVS_APP_EXIT_AND_WAIT([ovsdb-server]) +AT_CLEANUP + +AT_SETUP([sb connection/ssl commands with ssl-ciphers and ssl-protocols]) +AT_SKIP_IF([test "$HAVE_OPENSSL" = no]) +PKIDIR="$(cd $abs_top_builddir/tests && pwd)" +AT_SKIP_IF([expr "$PKIDIR" : ".*[[ '\" +\\]]"]) + +: > .$1.db.~lock~ +ovsdb-tool create ovn-sb.db "$abs_top_srcdir"/ovn-sb.ovsschema + +# Start sb db server using db connection/ssl entries (unpopulated initially) +start_daemon ovsdb-server --remote=punix:ovnsb_db.sock \ + --remote=db:OVN_Southbound,SB_Global,connections \ + --private-key=db:OVN_Southbound,SSL,private_key \ + --certificate=db:OVN_Southbound,SSL,certificate \ + --ca-cert=db:OVN_Southbound,SSL,ca_cert \ + --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \ + --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \ + ovn-sb.db + +# Populate SSL configuration entries in sb db +AT_CHECK( + [ovn-sbctl set-ssl $PKIDIR/testpki-test-privkey.pem \ + $PKIDIR/testpki-test-cert.pem \ + $PKIDIR/testpki-cacert.pem], [0], [stdout], [ignore]) + +# Populate a passive SSL connection in sb db +AT_CHECK([ovn-sbctl set-connection pssl:0:127.0.0.1], [0], [stdout], [ignore]) + +PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT]) + +# Verify SSL connetivity to sb db server +AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ + --private-key=$PKIDIR/testpki-test-privkey.pem \ + --certificate=$PKIDIR/testpki-test-cert.pem \ + 
--ca-cert=$PKIDIR/testpki-cacert.pem \ + --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \ + --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \ + list SB_Global], + [0], [stdout], [ignore]) +AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ + --private-key=$PKIDIR/testpki-test-privkey.pem \ + --certificate=$PKIDIR/testpki-test-cert.pem \ + --ca-cert=$PKIDIR/testpki-cacert.pem \ + --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \ + --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \ + list Connection], + [0], [stdout], [ignore]) +AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \ + --private-key=$PKIDIR/testpki-test-privkey.pem \ + --certificate=$PKIDIR/testpki-test-cert.pem \ + --ca-cert=$PKIDIR/testpki-cacert.pem \ + --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \ + --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \ + get-connection], + [0], [stdout], [ignore]) + +OVS_APP_EXIT_AND_WAIT([ovsdb-server]) +AT_CLEANUP diff --git a/utilities/ovn-dbctl.c b/utilities/ovn-dbctl.c index 2e9348c47..92be27b2c 100644 --- a/utilities/ovn-dbctl.c +++ b/utilities/ovn-dbctl.c @@ -610,6 +610,14 @@ apply_options_direct(const struct ovn_dbctl_options *dbctl_options, ssl_ca_cert_file = optarg; break; + case OPT_SSL_PROTOCOLS: + stream_ssl_set_protocols(optarg); + break; + + case OPT_SSL_CIPHERS: + stream_ssl_set_ciphers(optarg); + break; + case OPT_BOOTSTRAP_CA_CERT: stream_ssl_set_ca_cert_file(po->arg, true); break;
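Review bot: The same six-option client block (`--private-key … --ssl-protocols`) is pasted verbatim about a dozen times across the three new tests, so any change to the cipher string or the PKI file names has to be repeated in every copy; hoisting the block into one shell variable per test and passing it to each `ovn-sbctl`/`ovn-nbctl` call would keep every AT_CHECK to a single line and make the tests easier to audit. The comment `# Verify SSL connetivity to nb db server` (and its sb twin) misspells "connectivity". The `: > .$1.db.~lock~` line is copied from the existing tests; inside an AT_SETUP body `$1` is not an m4 macro argument, so the shell sees its own positional parameter and the lock-file name is probably not what was intended — harmless here, but worth a look.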
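Review bot: The two new arms read `optarg`, while the OPT_BOOTSTRAP_CA_CERT arm directly below reads `po->arg`; this function walks pre-parsed options rather than calling getopt, so the new arms are only correct if the loop assigns `optarg = po->arg` before the switch, which is outside the hunk and not visible here. The `ssl_ca_cert_file = optarg;` context line suggests it does, but writing `stream_ssl_set_protocols(po->arg);` and `stream_ssl_set_ciphers(po->arg);` removes the dependency on that side assignment and matches the neighbouring arm. apply_options_direct begins and ends outside the hunk.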