Thanks: fix: https://patchwork.ozlabs.org/project/ovn/patch/[email protected]/ .
Ali On Tue, Jan 9, 2024 at 7:14 PM Numan Siddique <[email protected]> wrote: > > > On Tue, Jan 9, 2024, 9:46 PM aginwala <[email protected]> wrote: > >> So it seems it would be ok to use STREAM_SSL_OPTION_HANDLERS for multiple >> places not just ovn-controller which covers ssl-ciphers and ssl-protocols. >> Let me know and can amend in other patch or amend in same patch. >> > > > Thanks for root causing it. I think one patch is good. > > >> On Tue, Jan 9, 2024 at 4:15 PM aginwala <[email protected]> wrote: >> >> > Hi : >> > >> > Debugging further with gdb, I was able to figure out it was was missed >> in >> > ovn-controller part of stream ssl option hanlder >> > >> > >> > git diff >> > diff --git a/controller/ovn-controller.c b/controller/ovn-controller.c >> > index 632a2cb15..66316e057 100644 >> > --- a/controller/ovn-controller.c >> > +++ b/controller/ovn-controller.c >> > @@ -6191,6 +6191,13 @@ parse_options(int argc, char *argv[]) >> > ssl_ca_cert_file = optarg; >> > break; >> > >> > + case OPT_SSL_PROTOCOLS: >> > + stream_ssl_set_protocols(optarg); >> > + break; >> > + >> > + case OPT_SSL_CIPHERS: >> > + stream_ssl_set_ciphers(optarg); >> > + break; >> > >> > case OPT_PEER_CA_CERT: >> > stream_ssl_set_peer_ca_cert_file(optarg); >> > >> > Works fine after compiling with this fix. I can send a formal pr >> > accordingly. >> > >> > >> > Regards, >> > Ali >> > >> > On Mon, Jan 8, 2024 at 3:35 PM aginwala <[email protected]> wrote: >> > >> >> Hi: >> >> >> >> When setting extra args like ssl-cipers for ovn-controller, it results >> in >> >> coredump on branch 23.09 >> >> compiled with --with-ovs-source and --with-ovs-build option, OVS >> >> (branch-3.2) >> >> >> >> dump: >> >> Using host libthread_db library >> "/lib/x86_64-linux-gnu/libthread_db.so.1". >> >> Core was generated by `ovn-controller >> >> --ssl-ciphers=HIGH:!aNULL:!MD5:@SECLEVEL=1 unix:/var/run/openvsw' >> >> Program terminated with signal SIGABRT, Aborted. >> >> #0 __GI_raise (sig=sig@entry=6) at >> ../sysdeps/unix/sysv/linux/raise.c:50 >> >> 50 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory. >> >> (gdb) bt >> >> #0 __GI_raise (sig=sig@entry=6) at >> ../sysdeps/unix/sysv/linux/raise.c:50 >> >> #1 0x00007fb13d7cf859 in __GI_abort () at abort.c:79 >> >> #2 0x0000563257fac75c in main (argc=<optimized out>, argv=<optimized >> >> out>) at controller/ovn-controller.c:6019 >> >> (gdb) frame 2 >> >> #2 0x0000563257fac75c in main (argc=<optimized out>, argv=<optimized >> >> out>) at controller/ovn-controller.c:6019 >> >> 6019 OVS_NOT_REACHED(); >> >> (gdb) quit >> >> >> >> ##ovn-controller --version >> >> ovn-controller 23.09.1 >> >> Open vSwitch Library 3.2.2 >> >> OpenFlow versions 0x6:0x6 >> >> SB DB Schema 20.29.0 >> >> >> >> ##Same happens even on trying with any ovn-* commands >> >> ovn-nbctl --ssl-ciphers='xx' >> >> Aborted (core dumped) >> >> ovn-nbctl --version >> >> ovn-nbctl 23.09.1 >> >> Open vSwitch Library 3.2.2 >> >> DB Schema 7.1.0 >> >> >> >> ## back trace for ovn-nbctl >> >> #0 __GI_raise (sig=sig@entry=6) at >> ../sysdeps/unix/sysv/linux/raise.c:50 >> >> 50 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory. >> >> (gdb) frame 2 >> >> #2 0x0000562c759485aa in apply_options_direct >> >> (local_options=0x7ffcaa25fbb0, n=1, parsed_options=<optimized out>, >> >> dbctl_options=0x7ffcaa25fc40) at utilities/ovn-dbctl.c:621 >> >> 621 OVS_NOT_REACHED(); >> >> >> >> --ssl-ciphers works fine when using ovn 20.03 ; directly using ovn >> debian >> >> ovn-controller 20.03.2 >> >> Open vSwitch Library 2.13.8 >> >> OpenFlow versions 0x4:0x4 >> >> SB DB Schema 2.7.0 >> >> >> >> ## underlying ovs >> >> ~/ovn# ovs-vsctl --version >> >> ovs-vsctl (Open vSwitch) 2.16.8 >> >> DB Schema 8.3.0 >> >> >> >> #Kernel/distio: >> >> 5.4.0-167-generic/Ubuntu 20.04.6 LTS >> >> >> >> >> >> To avoid invalidating certs on already running computes setup with old >> >> ovs pki infra, setting ciphers to HIGH:!aNULL:!MD5:@SECLEVEL=1 works >> >> fine part of bumping to newer 20.x and avoid connectivity failures to >> >> control plane due mostly due to below error. >> >> SSL_connect: error:1416F086:SSL >> >> routines:tls_process_server_certificate:certificate verify failed while >> >> connecting to control plane. >> >> >> >> >> >> Not sure if it's a known issue with newer OVS stream-ssl. Core file >> >> attached. >> >> >> >> >> >> Regards, >> >> Ali >> >> >> > >> _______________________________________________ >> dev mailing list >> [email protected] >> https://mail.openvswitch.org/mailman/listinfo/ovs-dev >> <https://urldefense.com/v3/__https://mail.openvswitch.org/mailman/listinfo/ovs-dev__;!!IKRxdwAv5BmarQ!ZJu_KXoTCndCdMjx63Welb9q3j_Al4CH7D7uAPjmjloFlZbTU9EwfauWxTJi7Ap7eZKsw8BxczmG$> >> > _______________________________________________ dev mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-dev
