From: Aliasgar Ginwala <[email protected]> To avoid invalidating existing certs set up by an old version of ovs pki. openssl supports setting ciphers, but it fails with ovn as below: ovn-controller --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' Aborted (core dumped)
Avoid invalidating existing certs when bumping to new ovn version
SSL_connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed while connecting to control plane. Also amend ovn ic northd and ovn ctl utilities
Signed-off-by: Aliasgar Ginwala <[email protected]>
---
controller/ovn-controller.c | 7 +++++++
ic/ovn-ic.c | 8 ++++++++
northd/ovn-northd.c | 8 ++++++++
utilities/ovn-dbctl.c | 8 ++++++++
4 files changed, 31 insertions(+)
diff --git a/controller/ovn-controller.c b/controller/ovn-controller.c
index 856e5e270..4b16818a6 100644
--- a/controller/ovn-controller.c
+++ b/controller/ovn-controller.c
@@ -6166,6 +6166,13 @@ parse_options(int argc, char *argv[])
 ssl_ca_cert_file = optarg;
 break;
+ case OPT_SSL_PROTOCOLS:
+ stream_ssl_set_protocols(optarg);
+ break;
+
+ case OPT_SSL_CIPHERS:
+ stream_ssl_set_ciphers(optarg);
+ break;
 case OPT_PEER_CA_CERT:
 stream_ssl_set_peer_ca_cert_file(optarg);
diff --git a/ic/ovn-ic.c b/ic/ovn-ic.c
index 8ceb34d7c..6f8f5734d 100644
--- a/ic/ovn-ic.c
+++ b/ic/ovn-ic.c
@@ -1846,6 +1846,14 @@ parse_options(int argc OVS_UNUSED, char *argv[] OVS_UNUSED)
 ssl_ca_cert_file = optarg;
 break;
+ case OPT_SSL_PROTOCOLS:
+ stream_ssl_set_protocols(optarg);
+ break;
+
+ case OPT_SSL_CIPHERS:
+ stream_ssl_set_ciphers(optarg);
+ break;
+
 case 'd':
 ovnsb_db = optarg;
 break;
diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
index f3868068d..dadc1af38 100644
--- a/northd/ovn-northd.c
+++ b/northd/ovn-northd.c
@@ -611,6 +611,14 @@ parse_options(int argc OVS_UNUSED, char *argv[] OVS_UNUSED,
 ssl_ca_cert_file = optarg;
 break;
+ case OPT_SSL_PROTOCOLS:
+ stream_ssl_set_protocols(optarg);
+ break;
+
+ case OPT_SSL_CIPHERS:
+ stream_ssl_set_ciphers(optarg);
+ break;
+
 case 'd':
 ovnsb_db = optarg;
 break;
diff --git a/utilities/ovn-dbctl.c b/utilities/ovn-dbctl.c
index 2e9348c47..92be27b2c 100644
--- a/utilities/ovn-dbctl.c
+++ b/utilities/ovn-dbctl.c
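Review bot: The new `OPT_SSL_PROTOCOLS` and `OPT_SSL_CIPHERS` cases make ovn-controller accept `--ssl-protocols` and `--ssl-ciphers`, but the diffstat lists only four .c files, so neither option is described in usage() or the man pages as far as this patch shows; the same applies to the ovn-ic, ovn-northd and ovn-dbctl hunks. Because the cipher string quoted in the commit message (`@SECLEVEL=1`) lowers OpenSSL's security level, the option text should say something like `--ssl-ciphers=CIPHERS sets the OpenSSL cipher list for SSL connections; the library defaults remain in force when the option is not given`, so operators see that weakening is opt-in. Whether an unparseable cipher or protocol string is reported at option-parsing time or only when the first SSL context is built depends on `stream_ssl_set_ciphers()`/`stream_ssl_set_protocols()` in the OVS library, which is outside this patch; it is worth confirming that a bad value fails loudly rather than silently keeping the defaults. Stylistically, the two cases repeat the body of OVS's `STREAM_SSL_OPTION_HANDLERS` macro, and if that macro fits the daemons' option parsing, using it would stop the four hand-written copies from drifting. parse_options() starts and ends outside the hunk.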
@@ -610,6 +610,14 @@ apply_options_direct(const struct ovn_dbctl_options *dbctl_options,
 ssl_ca_cert_file = optarg;
 break;
+ case OPT_SSL_PROTOCOLS:
+ stream_ssl_set_protocols(optarg);
+ break;
+
+ case OPT_SSL_CIPHERS:
+ stream_ssl_set_ciphers(optarg);
+ break;
+
 case OPT_BOOTSTRAP_CA_CERT:
 stream_ssl_set_ca_cert_file(po->arg, true);
 break;
-- 
2.39.3 (Apple Git-145)
_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
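Review bot: The two new cases read `optarg` while the adjacent `OPT_BOOTSTRAP_CA_CERT` case reads `po->arg`; inside apply_options_direct() these are only equivalent if the enclosing loop copies `po->arg` into `optarg` before the switch, which is outside the hunk and worth confirming (the preceding `ssl_ca_cert_file = optarg;` context line suggests it does). For consistency with the neighbouring case and to drop the dependence on getopt's global, `stream_ssl_set_protocols(po->arg);` and `stream_ssl_set_ciphers(po->arg);` would be the safer spelling. apply_options_direct() starts and ends outside the hunk.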
