On Wed, Jan 17, 2024 at 9:13 PM <[email protected]> wrote:
> From: Aliasgar Ginwala <[email protected]>
>
> To avoid invalidating existing certs setup by old version of ovs pki.
> openssl supports setting ciphers but it fails with ovn as below
> ovn-controller --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1'
> Aborted (core dumped)
>
> Avoid invalidating existing certs when bumping to new ovn version
> SSL_connect: error:1416F086:SSL
> routines:tls_process_server_certificate:certificate verify failed while
> connecting to control plane.
>
> Also amend ovn ic northd and ovn ctl utilities
>
> Add tests for ssl ciphers
>
> Signed-off-by: Aliasgar Ginwala <[email protected]>
> ---
>
Hi Aliasgar,
thank you for the v2.
> controller/ovn-controller.c | 7 ++
> ic/ovn-ic.c | 8 ++
> northd/ovn-northd.c | 8 ++
> tests/ovn-controller.at | 23 +++++
> tests/ovn.at | 182 ++++++++++++++++++++++++++++++++++++
> utilities/ovn-dbctl.c | 8 ++
> 6 files changed, 236 insertions(+)
>
> diff --git a/controller/ovn-controller.c b/controller/ovn-controller.c
> index 856e5e270..4b16818a6 100644
> --- a/controller/ovn-controller.c
> +++ b/controller/ovn-controller.c
> @@ -6166,6 +6166,13 @@ parse_options(int argc, char *argv[])
> ssl_ca_cert_file = optarg;
> break;
>
> + case OPT_SSL_PROTOCOLS:
> + stream_ssl_set_protocols(optarg);
> + break;
> +
> + case OPT_SSL_CIPHERS:
> + stream_ssl_set_ciphers(optarg);
> + break;
>
> case OPT_PEER_CA_CERT:
> stream_ssl_set_peer_ca_cert_file(optarg);
> diff --git a/ic/ovn-ic.c b/ic/ovn-ic.c
> index 8ceb34d7c..6f8f5734d 100644
> --- a/ic/ovn-ic.c
> +++ b/ic/ovn-ic.c
> @@ -1846,6 +1846,14 @@ parse_options(int argc OVS_UNUSED, char *argv[]
> OVS_UNUSED)
> ssl_ca_cert_file = optarg;
> break;
>
> + case OPT_SSL_PROTOCOLS:
> + stream_ssl_set_protocols(optarg);
> + break;
> +
> + case OPT_SSL_CIPHERS:
> + stream_ssl_set_ciphers(optarg);
> + break;
> +
> case 'd':
> ovnsb_db = optarg;
> break;
> diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
> index f3868068d..dadc1af38 100644
> --- a/northd/ovn-northd.c
> +++ b/northd/ovn-northd.c
> @@ -611,6 +611,14 @@ parse_options(int argc OVS_UNUSED, char *argv[]
> OVS_UNUSED,
> ssl_ca_cert_file = optarg;
> break;
>
> + case OPT_SSL_PROTOCOLS:
> + stream_ssl_set_protocols(optarg);
> + break;
> +
> + case OPT_SSL_CIPHERS:
> + stream_ssl_set_ciphers(optarg);
> + break;
> +
> case 'd':
> ovnsb_db = optarg;
> break;
> diff --git a/tests/ovn-controller.at b/tests/ovn-controller.at
> index 9d2a37c72..9cc8730e9 100644
> --- a/tests/ovn-controller.at
> +++ b/tests/ovn-controller.at
> @@ -2712,3 +2712,26 @@ AT_CHECK([as hv1 ovs-ofctl dump-flows br-int
> table=40 | grep -q controller], [1]
> OVN_CLEANUP([hv1])
> AT_CLEANUP
> ])
> +
> +
>
nit: Extra empty line, this can be addressed during merge.
> +AT_SETUP([ovn-controller - ssl ciphers using command line options])
> +AT_KEYWORDS([ovn])
> +AT_SKIP_IF([test "$HAVE_OPENSSL" = no])
> +ovn_start
> +
> +net_add n1
> +sim_add hv1
> +ovs-vsctl add-br br-phys
> +ovn_attach n1 br-phys 192.168.0.20
> +
> +# Set cipher and and it should connect
> +OVS_APP_EXIT_AND_WAIT([ovn-controller])
> +start_daemon ovn-controller --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1'
> --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2'
> +
> +OVS_WAIT_FOR_OUTPUT([ovn-appctl -t ovn-controller connection-status],
> [0], [connected
> +])
> +
> +cat hv1/ovn-controller.log
> +
> +OVN_CLEANUP([hv1])
> +AT_CLEANUP
> diff --git a/tests/ovn.at b/tests/ovn.at
> index c3644ac78..34f277ef9 100644
> --- a/tests/ovn.at
> +++ b/tests/ovn.at
> @@ -37588,3 +37588,185 @@ OVN_CLEANUP([hv1])
>
> AT_CLEANUP
> ])
> +
> +AT_SETUP([read-only sb db:pssl access with ssl-ciphers and ssl-protocols])
> +AT_SKIP_IF([test "$HAVE_OPENSSL" = no])
> +PKIDIR="$(cd $abs_top_builddir/tests && pwd)"
> +AT_SKIP_IF([expr "$PKIDIR" : ".*[[ '\"
> +\\]]"])
> +
> +: > .$1.db.~lock~
> +ovsdb-tool create ovn-sb.db "$abs_top_srcdir"/ovn-sb.ovsschema
> +
> +# Add read-only remote to sb ovsdb-server
> +AT_CHECK(
> + [ovsdb-tool transact ovn-sb.db \
> + ['["OVN_Southbound",
> + {"op": "insert",
> + "table": "SB_Global",
> + "row": {
> + "connections": ["set", [["named-uuid", "xyz"]]]}},
> + {"op": "insert",
> + "table": "Connection",
> + "uuid-name": "xyz",
> + "row": {"target": "pssl:0:127.0.0.1",
> + "read_only": true}}]']], [0], [ignore], [ignore])
> +
> +start_daemon ovsdb-server --remote=punix:ovn-sb.sock \
> +
> --remote=db:OVN_Southbound,SB_Global,connections \
> +
> --private-key="$PKIDIR/testpki-test2-privkey.pem" \
> + --certificate="$PKIDIR/testpki-test2-cert.pem" \
> + --ca-cert="$PKIDIR/testpki-cacert.pem" \
> + --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \
> + --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \
> + ovn-sb.db
> +
> +PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT])
> +
> +# read-only accesses should succeed
> +AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \
> + --private-key=$PKIDIR/testpki-test-privkey.pem \
> + --certificate=$PKIDIR/testpki-test-cert.pem \
> + --ca-cert=$PKIDIR/testpki-cacert.pem \
> + --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \
> + --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \
> + list SB_Global], [0], [stdout], [ignore])
> +AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \
> + --private-key=$PKIDIR/testpki-test-privkey.pem \
> + --certificate=$PKIDIR/testpki-test-cert.pem \
> + --ca-cert=$PKIDIR/testpki-cacert.pem \
> + --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \
> + --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \
> + list Connection], [0], [stdout], [ignore])
> +
> +# write access should fail
> +AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \
> + --private-key=$PKIDIR/testpki-test-privkey.pem \
> + --certificate=$PKIDIR/testpki-test-cert.pem \
> + --ca-cert=$PKIDIR/testpki-cacert.pem \
> + --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \
> + --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \
> + chassis-add ch vxlan 1.2.4.8], [1], [ignore],
> +[ovn-sbctl: transaction error: {"details":"insert operation not allowed
> when database server is in read only mode","error":"not allowed"}
> +])
> +
> +OVS_APP_EXIT_AND_WAIT([ovsdb-server])
> +AT_CLEANUP
> +
> +AT_SETUP([nb connection/ssl commands with ssl-ciphers and ssl-protocols])
> +AT_SKIP_IF([test "$HAVE_OPENSSL" = no])
> +PKIDIR="$(cd $abs_top_builddir/tests && pwd)"
> +AT_SKIP_IF([expr "$PKIDIR" : ".*[[ '\"
> +\\]]"])
> +
> +: > .$1.db.~lock~
> +ovsdb-tool create ovn-nb.db "$abs_top_srcdir"/ovn-nb.ovsschema
> +
> +# Start nb db server using db connection/ssl entries (unpopulated
> initially)
> +start_daemon ovsdb-server --remote=punix:ovnnb_db.sock \
> +
> --remote=db:OVN_Northbound,NB_Global,connections \
> + --private-key=db:OVN_Northbound,SSL,private_key
> \
> + --certificate=db:OVN_Northbound,SSL,certificate
> \
> + --ca-cert=db:OVN_Northbound,SSL,ca_cert \
> + --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \
> + --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \
> + ovn-nb.db
> +
> +# Populate SSL configuration entries in nb db
> +AT_CHECK(
> + [ovn-nbctl set-ssl $PKIDIR/testpki-test-privkey.pem \
> + $PKIDIR/testpki-test-cert.pem \
> + $PKIDIR/testpki-cacert.pem], [0], [stdout],
> [ignore])
> +
> +# Populate a passive SSL connection in nb db
> +AT_CHECK([ovn-nbctl set-connection pssl:0:127.0.0.1], [0], [stdout],
> [ignore])
> +
> +PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT])
> +
> +# Verify SSL connetivity to nb db server
> +AT_CHECK([ovn-nbctl --db=ssl:127.0.0.1:$TCP_PORT \
> + --private-key=$PKIDIR/testpki-test-privkey.pem \
> + --certificate=$PKIDIR/testpki-test-cert.pem \
> + --ca-cert=$PKIDIR/testpki-cacert.pem \
> + --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \
> + --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \
> + list NB_Global],
> + [0], [stdout], [ignore])
> +AT_CHECK([ovn-nbctl --db=ssl:127.0.0.1:$TCP_PORT \
> + --private-key=$PKIDIR/testpki-test-privkey.pem \
> + --certificate=$PKIDIR/testpki-test-cert.pem \
> + --ca-cert=$PKIDIR/testpki-cacert.pem \
> + --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \
> + --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \
> + list Connection],
> + [0], [stdout], [ignore])
> +AT_CHECK([ovn-nbctl --db=ssl:127.0.0.1:$TCP_PORT \
> + --private-key=$PKIDIR/testpki-test-privkey.pem \
> + --certificate=$PKIDIR/testpki-test-cert.pem \
> + --ca-cert=$PKIDIR/testpki-cacert.pem \
> + --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \
> + --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \
> + get-connection],
> + [0], [stdout], [ignore])
> +
> +OVS_APP_EXIT_AND_WAIT([ovsdb-server])
> +AT_CLEANUP
> +
> +AT_SETUP([sb connection/ssl commands with ssl-ciphers and ssl-protocols])
> +AT_SKIP_IF([test "$HAVE_OPENSSL" = no])
> +PKIDIR="$(cd $abs_top_builddir/tests && pwd)"
> +AT_SKIP_IF([expr "$PKIDIR" : ".*[[ '\"
> +\\]]"])
> +
> +: > .$1.db.~lock~
> +ovsdb-tool create ovn-sb.db "$abs_top_srcdir"/ovn-sb.ovsschema
> +
> +# Start sb db server using db connection/ssl entries (unpopulated
> initially)
> +start_daemon ovsdb-server --remote=punix:ovnsb_db.sock \
> +
> --remote=db:OVN_Southbound,SB_Global,connections \
> + --private-key=db:OVN_Southbound,SSL,private_key
> \
> + --certificate=db:OVN_Southbound,SSL,certificate
> \
> + --ca-cert=db:OVN_Southbound,SSL,ca_cert \
> + --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \
> + --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \
> + ovn-sb.db
> +
> +# Populate SSL configuration entries in sb db
> +AT_CHECK(
> + [ovn-sbctl set-ssl $PKIDIR/testpki-test-privkey.pem \
> + $PKIDIR/testpki-test-cert.pem \
> + $PKIDIR/testpki-cacert.pem], [0], [stdout],
> [ignore])
> +
> +# Populate a passive SSL connection in sb db
> +AT_CHECK([ovn-sbctl set-connection pssl:0:127.0.0.1], [0], [stdout],
> [ignore])
> +
> +PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT])
> +
> +# Verify SSL connetivity to sb db server
> +AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \
> + --private-key=$PKIDIR/testpki-test-privkey.pem \
> + --certificate=$PKIDIR/testpki-test-cert.pem \
> + --ca-cert=$PKIDIR/testpki-cacert.pem \
> + --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \
> + --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \
> + list SB_Global],
> + [0], [stdout], [ignore])
> +AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \
> + --private-key=$PKIDIR/testpki-test-privkey.pem \
> + --certificate=$PKIDIR/testpki-test-cert.pem \
> + --ca-cert=$PKIDIR/testpki-cacert.pem \
> + --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \
> + --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \
> + list Connection],
> + [0], [stdout], [ignore])
> +AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \
> + --private-key=$PKIDIR/testpki-test-privkey.pem \
> + --certificate=$PKIDIR/testpki-test-cert.pem \
> + --ca-cert=$PKIDIR/testpki-cacert.pem \
> + --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \
> + --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \
> + get-connection],
> + [0], [stdout], [ignore])
> +
> +OVS_APP_EXIT_AND_WAIT([ovsdb-server])
> +AT_CLEANUP
> diff --git a/utilities/ovn-dbctl.c b/utilities/ovn-dbctl.c
> index 2e9348c47..92be27b2c 100644
> --- a/utilities/ovn-dbctl.c
> +++ b/utilities/ovn-dbctl.c
> @@ -610,6 +610,14 @@ apply_options_direct(const struct ovn_dbctl_options
> *dbctl_options,
> ssl_ca_cert_file = optarg;
> break;
>
> + case OPT_SSL_PROTOCOLS:
> + stream_ssl_set_protocols(optarg);
> + break;
> +
> + case OPT_SSL_CIPHERS:
> + stream_ssl_set_ciphers(optarg);
> + break;
> +
> case OPT_BOOTSTRAP_CA_CERT:
> stream_ssl_set_ca_cert_file(po->arg, true);
> break;
> --
> 2.39.3 (Apple Git-145)
>
> _______________________________________________
> dev mailing list
> [email protected]
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
>
>
Other than that it looks good.
Acked-by: Ales Musil <[email protected]>
Thanks,
Ales
--
Ales Musil
Senior Software Engineer - OVN Core
Red Hat EMEA <https://www.redhat.com>
[email protected]
<https://red.ht/sig>
_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
