On Tue, Jan 9, 2024, 9:46 PM aginwala <[email protected]> wrote:

> So it seems it would be ok to use STREAM_SSL_OPTION_HANDLERS for multiple
> places not just ovn-controller which covers ssl-ciphers and ssl-protocols.
> Let me know and I can amend in other patch or amend in same patch.
>

Thanks for root causing it. I think one patch is good.

> On Tue, Jan 9, 2024 at 4:15 PM aginwala <[email protected]> wrote:
>
> > Hi:
> >
> > Debugging further with gdb, I was able to figure out it was missed in
> > ovn-controller part of stream ssl option handler
> >
> >
> > git diff
> > diff --git a/controller/ovn-controller.c b/controller/ovn-controller.c
> > index 632a2cb15..66316e057 100644
> > --- a/controller/ovn-controller.c
> > +++ b/controller/ovn-controller.c
> > @@ -6191,6 +6191,13 @@ parse_options(int argc, char *argv[])
> > ssl_ca_cert_file = optarg;
> > break;
> >
> > + case OPT_SSL_PROTOCOLS:
> > + stream_ssl_set_protocols(optarg);
> > + break;
> > +
> > + case OPT_SSL_CIPHERS:
> > + stream_ssl_set_ciphers(optarg);
> > + break;
> >
> > case OPT_PEER_CA_CERT:
> > stream_ssl_set_peer_ca_cert_file(optarg);
> >
> > Works fine after compiling with this fix. I can send a formal pr
> > accordingly.
> >
> >
> > Regards,
> > Ali
> >
> > On Mon, Jan 8, 2024 at 3:35 PM aginwala <[email protected]> wrote:
> >
> >> Hi:
> >>
> >> When setting extra args like ssl-ciphers for ovn-controller, it results in
> >> coredump on branch 23.09
> >> compiled with --with-ovs-source and --with-ovs-build option, OVS
> >> (branch-3.2)
> >>
> >> dump:
> >> Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
> >> Core was generated by `ovn-controller
> >> --ssl-ciphers=HIGH:!aNULL:!MD5:@SECLEVEL=1 unix:/var/run/openvsw'
> >> Program terminated with signal SIGABRT, Aborted.
> >> #0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
> >> 50 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
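Review bot: the two new cases in the parse_options() switch hand-write handlers that, as the thread itself notes, already exist in the OVS STREAM_SSL_OPTION_HANDLERS macro; using that macro in this switch instead of the explicit OPT_SSL_PROTOCOLS / OPT_SSL_CIPHERS cases keeps the handler list tied to the option table, so a future SSL option cannot again be accepted by getopt and then fall through to the OVS_NOT_REACHED() default. The same abort was reported for ovn-nbctl (apply_options_direct() at utilities/ovn-dbctl.c:621), which this hunk does not touch, so the formal patch should cover ovn-dbctl in the same change and add a test that passes --ssl-ciphers and --ssl-protocols on the command line so the regression is caught by CI rather than by a core dump.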
> >> (gdb) bt
> >> #0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
> >> #1 0x00007fb13d7cf859 in __GI_abort () at abort.c:79
> >> #2 0x0000563257fac75c in main (argc=<optimized out>, argv=<optimized out>)
> >> at controller/ovn-controller.c:6019
> >> (gdb) frame 2
> >> #2 0x0000563257fac75c in main (argc=<optimized out>, argv=<optimized out>)
> >> at controller/ovn-controller.c:6019
> >> 6019 OVS_NOT_REACHED();
> >> (gdb) quit
> >>
> >> ##ovn-controller --version
> >> ovn-controller 23.09.1
> >> Open vSwitch Library 3.2.2
> >> OpenFlow versions 0x6:0x6
> >> SB DB Schema 20.29.0
> >>
> >> ##Same happens even on trying with any ovn-* commands
> >> ovn-nbctl --ssl-ciphers='xx'
> >> Aborted (core dumped)
> >> ovn-nbctl --version
> >> ovn-nbctl 23.09.1
> >> Open vSwitch Library 3.2.2
> >> DB Schema 7.1.0
> >>
> >> ## back trace for ovn-nbctl
> >> #0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
> >> 50 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
> >> (gdb) frame 2
> >> #2 0x0000562c759485aa in apply_options_direct
> >> (local_options=0x7ffcaa25fbb0, n=1, parsed_options=<optimized out>,
> >> dbctl_options=0x7ffcaa25fc40) at utilities/ovn-dbctl.c:621
> >> 621 OVS_NOT_REACHED();
> >>
> >> --ssl-ciphers works fine when using ovn 20.03 ; directly using ovn debian
> >> ovn-controller 20.03.2
> >> Open vSwitch Library 2.13.8
> >> OpenFlow versions 0x4:0x4
> >> SB DB Schema 2.7.0
> >>
> >> ## underlying ovs
> >> ~/ovn# ovs-vsctl --version
> >> ovs-vsctl (Open vSwitch) 2.16.8
> >> DB Schema 8.3.0
> >>
> >> #Kernel/distro:
> >> 5.4.0-167-generic/Ubuntu 20.04.6 LTS
> >>
> >>
> >> To avoid invalidating certs on already running computes setup with old
> >> ovs pki infra, setting ciphers to HIGH:!aNULL:!MD5:@SECLEVEL=1 works
> >> fine as part of bumping to newer 20.x and avoids connectivity failures to
> >> control plane, mostly due to below error.
> >> SSL_connect: error:1416F086:SSL
> >> routines:tls_process_server_certificate:certificate verify failed while
> >> connecting to control plane.
> >>
> >>
> >> Not sure if it's a known issue with newer OVS stream-ssl. Core file
> >> attached.
> >>
> >>
> >> Regards,
> >> Ali
> >>
> >
> _______________________________________________
> dev mailing list
> [email protected]
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
>
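The failure mode discussed in this thread, reduced to a stand-alone C program as an added example (this is not OVN or OVS code): a getopt_long() option table and its handler switch are generated from one pair of macros, and next to it sits a hand-written switch that drifted from the table and forgot the cipher and protocol cases. An option that getopt_long() accepts but the switch never handles reaches the default branch, which is where the real program hits OVS_NOT_REACHED() and aborts. Every name here (SSL_LONG_OPTIONS, SSL_OPTION_HANDLERS, struct ssl_config, the parse_ssl_args_* functions, the PARSE_* codes) is hypothetical, and the argv in main() is constructed from the command line in the core dump.

```c
/* Added example, not OVN/OVS code. Names are hypothetical. */
#include <getopt.h>
#include <stdio.h>
#include <string.h>

enum {
    OPT_SSL_CIPHERS = 256,   /* above any single-character option value */
    OPT_SSL_PROTOCOLS,
    OPT_CA_CERT,
};

struct ssl_config {
    const char *ciphers;
    const char *protocols;
    const char *ca_cert;
};

/* Option table and handlers are defined side by side, so a table entry
 * without a handler is a local, visible omission. */
#define SSL_LONG_OPTIONS \
    {"ssl-ciphers",   required_argument, NULL, OPT_SSL_CIPHERS}, \
    {"ssl-protocols", required_argument, NULL, OPT_SSL_PROTOCOLS}, \
    {"ca-cert",       required_argument, NULL, OPT_CA_CERT}

#define SSL_OPTION_HANDLERS(cfg) \
    case OPT_SSL_CIPHERS:   (cfg)->ciphers = optarg;   break; \
    case OPT_SSL_PROTOCOLS: (cfg)->protocols = optarg; break; \
    case OPT_CA_CERT:       (cfg)->ca_cert = optarg;   break;

static const struct option ssl_long_options[] = {
    SSL_LONG_OPTIONS,
    {NULL, 0, NULL, 0},
};

/* PARSE_UNHANDLED is the state in which the real code aborts. */
enum { PARSE_OK = 0, PARSE_UNKNOWN_OPTION = -1, PARSE_UNHANDLED = -2 };

static void
reset_getopt(struct ssl_config *cfg)
{
    memset(cfg, 0, sizeof *cfg);
    opterr = 0;   /* do not print getopt's own "unrecognized option" message */
    optind = 0;   /* full reinitialisation (glibc; BSD treats 0 as 1 + optreset) */
}

/* Handlers generated from the macro: every table entry has a case. */
int
parse_ssl_args_in_sync(int argc, char *argv[], struct ssl_config *cfg)
{
    reset_getopt(cfg);
    for (;;) {
        int c = getopt_long(argc, argv, "", ssl_long_options, NULL);
        switch (c) {
        case -1:
            return PARSE_OK;
        SSL_OPTION_HANDLERS(cfg)
        case '?':
            return PARSE_UNKNOWN_OPTION;
        default:
            return PARSE_UNHANDLED;   /* OVS_NOT_REACHED() in the real code */
        }
    }
}

/* Hand-written handlers that drifted from the table: --ssl-ciphers and
 * --ssl-protocols are accepted by getopt_long() but never handled. */
int
parse_ssl_args_stale(int argc, char *argv[], struct ssl_config *cfg)
{
    reset_getopt(cfg);
    for (;;) {
        int c = getopt_long(argc, argv, "", ssl_long_options, NULL);
        switch (c) {
        case -1:
            return PARSE_OK;
        case OPT_CA_CERT:
            cfg->ca_cert = optarg;
            break;
        case '?':
            return PARSE_UNKNOWN_OPTION;
        default:
            return PARSE_UNHANDLED;   /* OVS_NOT_REACHED() in the real code */
        }
    }
}

int
main(void)
{
    /* Constructed argv mirroring the command line from the core dump. */
    char *args[] = {"ovn-controller",
                    "--ssl-ciphers=HIGH:!aNULL:!MD5:@SECLEVEL=1",
                    "--ssl-protocols=TLSv1.2", NULL};
    struct ssl_config cfg;
    int rc = parse_ssl_args_in_sync(3, args, &cfg);
    printf("in-sync parser: %d (ciphers=%s)\n", rc, cfg.ciphers);
    printf("stale parser:   %d\n", parse_ssl_args_stale(3, args, &cfg));
    return 0;
}
```

The in-sync parser returns PARSE_OK and fills in both strings; the stale parser returns PARSE_UNHANDLED on the very first option, which is the path that ends in abort() in the ovn-controller and ovn-nbctl backtraces above. The design point is that the default branch is a good place for a hard failure only when the option table and the switch are guaranteed to agree, and a shared macro is what provides that guarantee.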
