So it seems it would be ok to use STREAM_SSL_OPTION_HANDLERS for multiple places not just ovn-controller which covers ssl-ciphers and ssl-protocols. Let me know and can amend in other patch or amend in same patch.
On Tue, Jan 9, 2024 at 4:15 PM aginwala <[email protected]> wrote: > Hi : > > Debugging further with gdb, I was able to figure out it was was missed in > ovn-controller part of stream ssl option hanlder > > > git diff > diff --git a/controller/ovn-controller.c b/controller/ovn-controller.c > index 632a2cb15..66316e057 100644 > --- a/controller/ovn-controller.c > +++ b/controller/ovn-controller.c > @@ -6191,6 +6191,13 @@ parse_options(int argc, char *argv[]) > ssl_ca_cert_file = optarg; > break; > > + case OPT_SSL_PROTOCOLS: > + stream_ssl_set_protocols(optarg); > + break; > + > + case OPT_SSL_CIPHERS: > + stream_ssl_set_ciphers(optarg); > + break; > > case OPT_PEER_CA_CERT: > stream_ssl_set_peer_ca_cert_file(optarg); > > Works fine after compiling with this fix. I can send a formal pr > accordingly. > > > Regards, > Ali > > On Mon, Jan 8, 2024 at 3:35 PM aginwala <[email protected]> wrote: > >> Hi: >> >> When setting extra args like ssl-cipers for ovn-controller, it results in >> coredump on branch 23.09 >> compiled with --with-ovs-source and --with-ovs-build option, OVS >> (branch-3.2) >> >> dump: >> Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1". >> Core was generated by `ovn-controller >> --ssl-ciphers=HIGH:!aNULL:!MD5:@SECLEVEL=1 unix:/var/run/openvsw' >> Program terminated with signal SIGABRT, Aborted. >> #0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50 >> 50 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory. >> (gdb) bt >> #0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50 >> #1 0x00007fb13d7cf859 in __GI_abort () at abort.c:79 >> #2 0x0000563257fac75c in main (argc=<optimized out>, argv=<optimized >> out>) at controller/ovn-controller.c:6019 >> (gdb) frame 2 >> #2 0x0000563257fac75c in main (argc=<optimized out>, argv=<optimized >> out>) at controller/ovn-controller.c:6019 >> 6019 OVS_NOT_REACHED(); >> (gdb) quit >> >> ##ovn-controller --version >> ovn-controller 23.09.1 >> Open vSwitch Library 3.2.2 >> OpenFlow versions 0x6:0x6 >> SB DB Schema 20.29.0 >> >> ##Same happens even on trying with any ovn-* commands >> ovn-nbctl --ssl-ciphers='xx' >> Aborted (core dumped) >> ovn-nbctl --version >> ovn-nbctl 23.09.1 >> Open vSwitch Library 3.2.2 >> DB Schema 7.1.0 >> >> ## back trace for ovn-nbctl >> #0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50 >> 50 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory. >> (gdb) frame 2 >> #2 0x0000562c759485aa in apply_options_direct >> (local_options=0x7ffcaa25fbb0, n=1, parsed_options=<optimized out>, >> dbctl_options=0x7ffcaa25fc40) at utilities/ovn-dbctl.c:621 >> 621 OVS_NOT_REACHED(); >> >> --ssl-ciphers works fine when using ovn 20.03 ; directly using ovn debian >> ovn-controller 20.03.2 >> Open vSwitch Library 2.13.8 >> OpenFlow versions 0x4:0x4 >> SB DB Schema 2.7.0 >> >> ## underlying ovs >> ~/ovn# ovs-vsctl --version >> ovs-vsctl (Open vSwitch) 2.16.8 >> DB Schema 8.3.0 >> >> #Kernel/distio: >> 5.4.0-167-generic/Ubuntu 20.04.6 LTS >> >> >> To avoid invalidating certs on already running computes setup with old >> ovs pki infra, setting ciphers to HIGH:!aNULL:!MD5:@SECLEVEL=1 works >> fine part of bumping to newer 20.x and avoid connectivity failures to >> control plane due mostly due to below error. >> SSL_connect: error:1416F086:SSL >> routines:tls_process_server_certificate:certificate verify failed while >> connecting to control plane. >> >> >> Not sure if it's a known issue with newer OVS stream-ssl. Core file >> attached. >> >> >> Regards, >> Ali >> > _______________________________________________ dev mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-dev
