Hi Numan: Ping, can we get this in? Also need to apply for branch-23.09. cc @Ales Musil <[email protected]>
Ali

On Thu, Jan 18, 2024 at 9:14 AM aginwala <[email protected]> wrote:
> Thanks:
>
> fix:
> https://patchwork.ozlabs.org/project/ovn/patch/[email protected]/
>
> Ali
>
> On Tue, Jan 9, 2024 at 7:14 PM Numan Siddique <[email protected]> wrote:
>>
>> On Tue, Jan 9, 2024, 9:46 PM aginwala <[email protected]> wrote:
>>> So it seems it would be ok to use STREAM_SSL_OPTION_HANDLERS for multiple
>>> places, not just ovn-controller, which covers ssl-ciphers and
>>> ssl-protocols.
>>> Let me know and I can amend in the other patch or amend in the same patch.
>>
>> Thanks for root causing it. I think one patch is good.
>>
>>> On Tue, Jan 9, 2024 at 4:15 PM aginwala <[email protected]> wrote:
>>> > Hi:
>>> >
>>> > Debugging further with gdb, I was able to figure out it was missed in
>>> > the ovn-controller part of the stream ssl option handler.
>>> >
>>> > git diff
>>> > diff --git a/controller/ovn-controller.c b/controller/ovn-controller.c
>>> > index 632a2cb15..66316e057 100644
>>> > --- a/controller/ovn-controller.c
>>> > +++ b/controller/ovn-controller.c
>>> > @@ -6191,6 +6191,13 @@ parse_options(int argc, char *argv[])
>>> > ssl_ca_cert_file = optarg;
>>> > break;
>>> >
>>> > + case OPT_SSL_PROTOCOLS:
>>> > + stream_ssl_set_protocols(optarg);
>>> > + break;
>>> > +
>>> > + case OPT_SSL_CIPHERS:
>>> > + stream_ssl_set_ciphers(optarg);
>>> > + break;
>>> >
>>> > case OPT_PEER_CA_CERT:
>>> > stream_ssl_set_peer_ca_cert_file(optarg);
>>> >
>>> > Works fine after compiling with this fix. I can send a formal pr
>>> > accordingly.
>>> >
>>> > Regards,
>>> > Ali
>>> >
>>> > On Mon, Jan 8, 2024 at 3:35 PM aginwala <[email protected]> wrote:
>>> >> Hi:
>>> >>
>>> >> When setting extra args like ssl-ciphers for ovn-controller, it
>>> >> results in a coredump on branch 23.09
>>> >> compiled with the --with-ovs-source and --with-ovs-build options, OVS
>>> >> (branch-3.2)
>>> >>
>>> >> dump:
>>> >> Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
>>> >> Core was generated by `ovn-controller
>>> >> --ssl-ciphers=HIGH:!aNULL:!MD5:@SECLEVEL=1 unix:/var/run/openvsw'
>>> >> Program terminated with signal SIGABRT, Aborted.
>>> >> #0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
>>> >> 50 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
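Review bot: the two open-coded cases for OPT_SSL_PROTOCOLS and OPT_SSL_CIPHERS in the parse_options hunk above duplicate what the thread itself names as the shared STREAM_SSL_OPTION_HANDLERS macro; prefer dropping the two hand-written cases and placing STREAM_SSL_OPTION_HANDLERS in that switch next to `case OPT_PEER_CA_CERT:`, so the handler set cannot drift from the option table again. The same OVS_NOT_REACHED() abort is shown for ovn-nbctl in apply_options_direct (utilities/ovn-dbctl.c:621), which this hunk to controller/ovn-controller.c does not touch, so the formal submission should cover that path as well, as the reply agreeing on a single patch implies. The hunk is also an informal `git diff` with no commit message; the submitted patch should state the symptom (SIGABRT on --ssl-ciphers or --ssl-protocols with OVS 3.2) so the backport to branch-23.09 is self-explanatory.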
>>> >> (gdb) bt
>>> >> #0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
>>> >> #1 0x00007fb13d7cf859 in __GI_abort () at abort.c:79
>>> >> #2 0x0000563257fac75c in main (argc=<optimized out>, argv=<optimized out>) at controller/ovn-controller.c:6019
>>> >> (gdb) frame 2
>>> >> #2 0x0000563257fac75c in main (argc=<optimized out>, argv=<optimized out>) at controller/ovn-controller.c:6019
>>> >> 6019 OVS_NOT_REACHED();
>>> >> (gdb) quit
>>> >>
>>> >> ##ovn-controller --version
>>> >> ovn-controller 23.09.1
>>> >> Open vSwitch Library 3.2.2
>>> >> OpenFlow versions 0x6:0x6
>>> >> SB DB Schema 20.29.0
>>> >>
>>> >> ##Same happens even on trying with any ovn-* commands
>>> >> ovn-nbctl --ssl-ciphers='xx'
>>> >> Aborted (core dumped)
>>> >> ovn-nbctl --version
>>> >> ovn-nbctl 23.09.1
>>> >> Open vSwitch Library 3.2.2
>>> >> DB Schema 7.1.0
>>> >>
>>> >> ## back trace for ovn-nbctl
>>> >> #0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
>>> >> 50 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
>>> >> (gdb) frame 2
>>> >> #2 0x0000562c759485aa in apply_options_direct (local_options=0x7ffcaa25fbb0, n=1, parsed_options=<optimized out>, dbctl_options=0x7ffcaa25fc40) at utilities/ovn-dbctl.c:621
>>> >> 621 OVS_NOT_REACHED();
>>> >>
>>> >> --ssl-ciphers works fine when using ovn 20.03; directly using ovn debian
>>> >> ovn-controller 20.03.2
>>> >> Open vSwitch Library 2.13.8
>>> >> OpenFlow versions 0x4:0x4
>>> >> SB DB Schema 2.7.0
>>> >>
>>> >> ## underlying ovs
>>> >> ~/ovn# ovs-vsctl --version
>>> >> ovs-vsctl (Open vSwitch) 2.16.8
>>> >> DB Schema 8.3.0
>>> >>
>>> >> #Kernel/distro:
>>> >> 5.4.0-167-generic/Ubuntu 20.04.6 LTS
>>> >>
>>> >> To avoid invalidating certs on already running computes set up with the old
>>> >> ovs pki infra, setting ciphers to HIGH:!aNULL:!MD5:@SECLEVEL=1 works
>>> >> fine as part of bumping to newer 20.x and avoids connectivity failures to the
>>> >> control plane, mostly due to the below error:
>>> >> SSL_connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed while
>>> >> connecting to control plane.
>>> >>
>>> >> Not sure if it's a known issue with newer OVS stream-ssl. Core file
>>> >> attached.
>>> >>
>>> >> Regards,
>>> >> Ali
>>> >>
>>> _______________________________________________
>>> dev mailing list
>>> [email protected]
>>> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
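The mechanism behind the two OVS_NOT_REACHED() backtraces above and the missing-handler root cause Ali found, as an added illustration that is not OVS/OVN code and not from anyone in this thread: a long-option table shared by several binaries, a matching set of switch cases, and one binary whose switch was written by hand and lost the shared cases, so an option the table accepts falls into the "unreachable" default arm. Everything in it is assumed for the example: the macro names SSL_LONG_OPTIONS and SSL_OPTION_HANDLERS (stand-ins for the OVS macros named in the thread, not their real definitions), the enum values, the parse result codes, a hand-rolled "--name=value" matcher used instead of getopt_long, and the count_unhandled_options check, which is the regression test worth keeping next to the fix.

```c
/* Added example, not OVS/OVN code: an option table and a handler switch that
 * drift apart.  The macros stand in for OVS's STREAM_SSL_LONG_OPTIONS and
 * STREAM_SSL_OPTION_HANDLERS; the real definitions are not reproduced. */
#include <stdio.h>
#include <string.h>

enum { OPT_SSL_PROTOCOLS = 256, OPT_SSL_CIPHERS, OPT_PEER_CA_CERT };
enum parse_result { PARSE_OK = 0, PARSE_UNKNOWN = -1, PARSE_UNREACHABLE = -2 };
struct ssl_config { const char *protocols, *ciphers, *peer_ca_cert; };
struct long_opt { const char *name; int id; };
/* Table entries shared by every binary, and the switch cases that go with them. */
#define SSL_LONG_OPTIONS \
    { "ssl-protocols", OPT_SSL_PROTOCOLS }, \
    { "ssl-ciphers",   OPT_SSL_CIPHERS }
#define SSL_OPTION_HANDLERS \
    case OPT_SSL_PROTOCOLS: cfg->protocols = value; break; \
    case OPT_SSL_CIPHERS:   cfg->ciphers   = value; break;

static const struct long_opt long_options[] = {
    SSL_LONG_OPTIONS, { "peer-ca-cert", OPT_PEER_CA_CERT }, { NULL, 0 }
};
/* Resolve "--name=value" against the table: the id, or 0 if unknown (every
 * option here takes a required argument, so a bare "--name" is unknown too). */
static int lookup_option(const char *arg, const char **value)
{
    const char *eq = strncmp(arg, "--", 2) ? NULL : strchr(arg += 2, '=');
    size_t len = eq ? (size_t)(eq - arg) : 0;
    for (const struct long_opt *o = long_options; eq && o->name; o++) {
        if (strlen(o->name) == len && !strncmp(o->name, arg, len)) {
            *value = eq + 1;
            return o->id;
        }
    }
    return 0;
}
typedef int (*parser_fn)(int argc, char **argv, struct ssl_config *cfg);

/* Before the fix: the table admits --ssl-ciphers but the switch has no case for
 * it, so control reaches the default arm.  In OVS that arm is OVS_NOT_REACHED(),
 * which aborts (the SIGABRT in the backtrace); here it returns a code instead. */
static int parse_options_buggy(int argc, char **argv, struct ssl_config *cfg)
{
    for (int i = 1; i < argc; i++) {
        const char *value = NULL;
        int id = lookup_option(argv[i], &value);
        if (!id) return PARSE_UNKNOWN;
        switch (id) {
        case OPT_PEER_CA_CERT: cfg->peer_ca_cert = value; break;
        default: return PARSE_UNREACHABLE;      /* OVS_NOT_REACHED() */
        }
    }
    return PARSE_OK;
}

/* After the fix: the shared handler cases sit beside the binary's own. */
static int parse_options_fixed(int argc, char **argv, struct ssl_config *cfg)
{
    for (int i = 1; i < argc; i++) {
        const char *value = NULL;
        int id = lookup_option(argv[i], &value);
        if (!id) return PARSE_UNKNOWN;
        switch (id) {
        SSL_OPTION_HANDLERS
        case OPT_PEER_CA_CERT: cfg->peer_ca_cert = value; break;
        default: return PARSE_UNREACHABLE;      /* OVS_NOT_REACHED() */
        }
    }
    return PARSE_OK;
}

/* Regression check: push every table entry through a parser and count those
 * that hit the unreachable arm.  Zero means table and switch agree. */
static int count_unhandled_options(parser_fn parse)
{
    int unhandled = 0;
    for (const struct long_opt *o = long_options; o->name; o++) {
        char arg[128], *argv[] = { "prog", arg, NULL };
        struct ssl_config cfg = { 0 };
        snprintf(arg, sizeof arg, "--%s=x", o->name);
        unhandled += parse(2, argv, &cfg) == PARSE_UNREACHABLE;
    }
    return unhandled;
}

/* The command line from the backtrace, constructed here as demo input; returns
 * the parser's result, and *ciphers points into the static buffer (outlives cfg). */
static int demo_parse(parser_fn parse, const char **ciphers)
{
    static char arg[] = "--ssl-ciphers=HIGH:!aNULL:!MD5:@SECLEVEL=1";
    char *argv[] = { "ovn-controller", arg, NULL };
    struct ssl_config cfg = { 0 };
    int rc = parse(2, argv, &cfg);
    *ciphers = cfg.ciphers;
    return rc;
}
static int demo_buggy(void) { const char *c = NULL; return demo_parse(parse_options_buggy, &c); }
static const char *demo_fixed_ciphers(void) { const char *c = NULL; demo_parse(parse_options_fixed, &c); return c; }

int main(void)
{
    printf("buggy=%d fixed=%s unhandled: buggy=%d fixed=%d\n", demo_buggy(), demo_fixed_ciphers(),
           count_unhandled_options(parse_options_buggy), count_unhandled_options(parse_options_fixed));
    return 0;
}
```

Build with `cc -std=c11 demo.c && ./a.out`: the buggy parser reports the unreachable code for the cipher string from the backtrace while the fixed one stores it, and count_unhandled_options reports two table entries without a handler before the fix and none after. That count is the check to run in CI wherever a binary keeps its own switch over a shared option table, since ovn-controller and ovn-nbctl each aborted on the same mismatch.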
