Hi:
Debugging further with gdb, I was able to figure out it was missed in
ovn-controller part of stream ssl option handler
git diff
diff --git a/controller/ovn-controller.c b/controller/ovn-controller.c
index 632a2cb15..66316e057 100644
--- a/controller/ovn-controller.c
+++ b/controller/ovn-controller.c
@@ -6191,6 +6191,13 @@ parse_options(int argc, char *argv[])
ssl_ca_cert_file = optarg;
break;
+ case OPT_SSL_PROTOCOLS:
+ stream_ssl_set_protocols(optarg);
+ break;
+
+ case OPT_SSL_CIPHERS:
+ stream_ssl_set_ciphers(optarg);
+ break;
case OPT_PEER_CA_CERT:
stream_ssl_set_peer_ca_cert_file(optarg);
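Review bot: The second abort in the report is not covered. The new OPT_SSL_PROTOCOLS and OPT_SSL_CIPHERS cases are added only to parse_options() in controller/ovn-controller.c, while the quoted backtrace for ovn-nbctl --ssl-ciphers ends in OVS_NOT_REACHED() at utilities/ovn-dbctl.c:621 in apply_options_direct(), which is a different option switch. The formal patch should handle both options on that path as well, or state in the commit message that it fixes ovn-controller only. Style point: add a blank line after the OPT_SSL_CIPHERS break so that it is separated from case OPT_PEER_CA_CERT: in the same way the two new cases are separated from each other.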
Works fine after compiling with this fix. I can send a formal PR
accordingly.
Regards,
Ali
On Mon, Jan 8, 2024 at 3:35 PM aginwala <[email protected]> wrote:
> Hi:
>
> When setting extra args like ssl-ciphers for ovn-controller, it results in
> coredump on branch 23.09
> compiled with --with-ovs-source and --with-ovs-build option, OVS
> (branch-3.2)
>
> dump:
> Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
> Core was generated by `ovn-controller
> --ssl-ciphers=HIGH:!aNULL:!MD5:@SECLEVEL=1 unix:/var/run/openvsw'
> Program terminated with signal SIGABRT, Aborted.
> #0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
> 50 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
> (gdb) bt
> #0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
> #1 0x00007fb13d7cf859 in __GI_abort () at abort.c:79
> #2 0x0000563257fac75c in main (argc=<optimized out>, argv=<optimized
> out>) at controller/ovn-controller.c:6019
> (gdb) frame 2
> #2 0x0000563257fac75c in main (argc=<optimized out>, argv=<optimized
> out>) at controller/ovn-controller.c:6019
> 6019 OVS_NOT_REACHED();
> (gdb) quit
>
> ##ovn-controller --version
> ovn-controller 23.09.1
> Open vSwitch Library 3.2.2
> OpenFlow versions 0x6:0x6
> SB DB Schema 20.29.0
>
> ##Same happens even on trying with any ovn-* commands
> ovn-nbctl --ssl-ciphers='xx'
> Aborted (core dumped)
> ovn-nbctl --version
> ovn-nbctl 23.09.1
> Open vSwitch Library 3.2.2
> DB Schema 7.1.0
>
> ## back trace for ovn-nbctl
> #0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
> 50 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
> (gdb) frame 2
> #2 0x0000562c759485aa in apply_options_direct
> (local_options=0x7ffcaa25fbb0, n=1, parsed_options=<optimized out>,
> dbctl_options=0x7ffcaa25fc40) at utilities/ovn-dbctl.c:621
> 621 OVS_NOT_REACHED();
>
> --ssl-ciphers works fine when using ovn 20.03; directly using ovn debian
> ovn-controller 20.03.2
> Open vSwitch Library 2.13.8
> OpenFlow versions 0x4:0x4
> SB DB Schema 2.7.0
>
> ## underlying ovs
> ~/ovn# ovs-vsctl --version
> ovs-vsctl (Open vSwitch) 2.16.8
> DB Schema 8.3.0
>
> #Kernel/distro:
> 5.4.0-167-generic/Ubuntu 20.04.6 LTS
>
>
> To avoid invalidating certs on already running computes set up with old
> ovs pki infra, setting ciphers to HIGH:!aNULL:!MD5:@SECLEVEL=1 works fine
> as part of bumping to newer 20.x and avoids connectivity failures to control
> plane, mostly due to the below error.
> SSL_connect: error:1416F086:SSL
> routines:tls_process_server_certificate:certificate verify failed while
> connecting to control plane.
>
>
> Not sure if it's a known issue with newer OVS stream-ssl. Core file
> attached.
>
>
> Regards,
> Ali
>
_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev