diff --git a/lib/ssl-connect.man b/lib/ssl-connect.man
index 6e54f77ef4d5e..896ce79c6378f 100644
--- a/lib/ssl-connect.man
+++ b/lib/ssl-connect.man
@@ -1,10 +1,12 @@
 .IP "\fB\-\-ssl\-protocols=\fIprotocols\fR"
 Specifies, in a comma- or space-delimited list, the SSL protocols
 \fB\*(PN\fR will enable for SSL connections.  Supported
-\fIprotocols\fR include \fBTLSv1\fR, \fBTLSv1.1\fR, and \fBTLSv1.2\fR.
-Regardless of order, the highest protocol supported by both sides will
-be chosen when making the connection.  The default when this option is
-omitted is \fBTLSv1,TLSv1.1,TLSv1.2\fR.
+\fIprotocols\fR include \fBTLSv1\fR, \fBTLSv1.1\fR, \fBTLSv1.2\fR, and
+(if supported by OpenSSL) \fBTLSv1.3\fR. Regardless of order, the
+highest protocol supported by both sides will be chosen when making the
+connection.  The default when this option is omitted is
+\fBTLSv1,TLSv1.1,TLSv1.2\fR and when the SSL implementation supports
+TLSv1.3, the default also includes \fBTLSv1.3\fR.
 .
 .IP "\fB\-\-ssl\-ciphers=\fIciphers\fR"
 Specifies, in OpenSSL cipher string format, the ciphers \fB\*(PN\fR will 
diff --git a/lib/stream-ssl.c b/lib/stream-ssl.c
index 62da9febb663a..4f053d17dfccc 100644
--- a/lib/stream-ssl.c
+++ b/lib/stream-ssl.c
@@ -162,9 +162,15 @@ struct ssl_config_file {
 static struct ssl_config_file private_key;
 static struct ssl_config_file certificate;
 static struct ssl_config_file ca_cert;
-static char *ssl_protocols = "TLSv1,TLSv1.1,TLSv1.2";
 static char *ssl_ciphers = "HIGH:!aNULL:!MD5";
 
+#define BASE_SSL_PROTOS "TLSv1,TLSv1.1,TLSv1.2"
+#ifdef SSL_OP_NO_TLSv1_3
+static char *ssl_protocols = BASE_SSL_PROTOS",TLSv1.3";
+#else
+static char *ssl_protocols = BASE_SSL_PROTOS;
+#endif
+
 /* Ordinarily, the SSL client and server verify each other's certificates using
  * a CA certificate.  Setting this to false disables this behavior.  (This is a
  * security risk.) */
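Review bot: The new `ssl_protocols` default is chosen purely at build time by `#ifdef SSL_OP_NO_TLSv1_3`, so a binary compiled against headers that define it but loaded against an older libssl could advertise TLSv1.3 in its default without the runtime library supporting it; a comment above the `#ifdef` such as `/* TLSv1.3 support is detected at build time from the OpenSSL headers. */` makes that assumption visible. The same comment should say that the OpenSSL cipher string in `ssl_ciphers` on the line above does not govern TLSv1.3 ciphersuites, which OpenSSL configures separately (SSL_CTX_set_ciphersuites), so enabling TLSv1.3 by default changes what `--ssl-ciphers` effectively restricts. Two style points: `BASE_SSL_PROTOS",TLSv1.3"` reads better as `BASE_SSL_PROTOS ",TLSv1.3"`, and `BASE_SSL_PROTOS` remains defined for the rest of the translation unit, so an `#undef BASE_SSL_PROTOS` after the `#endif` keeps it local.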
@@ -1284,6 +1290,10 @@ stream_ssl_set_protocols(const char *arg)
             on_flag = SSL_OP_NO_TLSv1_1;
         } else if (!strcasecmp(word, "TLSv1")){
             on_flag = SSL_OP_NO_TLSv1;
+#ifdef SSL_OP_NO_TLSv1_3
+        } else if (!strcasecmp(word, "TLSv1.3")){
+            on_flag = SSL_OP_NO_TLSv1_3;
+#endif
         } else {
             VLOG_ERR("%s: SSL protocol not recognized", word);
             goto exit;
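Review bot: With the `#ifdef SSL_OP_NO_TLSv1_3` guard around the new `TLSv1.3` branch, a user who explicitly lists `TLSv1.3` on an OpenSSL build without it falls through to the generic `"%s: SSL protocol not recognized"` error, which is indistinguishable from a typo. An `#else` arm for the same word with a distinct message would make the failure actionable: `} else if (!strcasecmp(word, "TLSv1.3")) { VLOG_ERR("%s: not supported by this OpenSSL build", word); goto exit;`. The enclosing stream_ssl_set_protocols begins and ends outside the hunk, so how `on_flag` is applied to the context is not visible here.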
