'DEFAULT' enables default cipher list that was compiled in the OpenSSL library. That allows distributions to provide their defaults for the running OVS process. It also normally doesn't include any ciphers that provide no encryption (eNULL) or no authentication (aNULL). Using this option also makes it harder to mess up the configuration.
Turning on the SECLEVEL to 2 enables requirement for at least 112 bits of security strength. Doing that we ensure compatibility with keys previously generated by older versions of ovs-pki. It also takes care of disabling MD5 and RC4. This should provide better security by default and allow distributions to turn off ciphers system-wide easier by re-configuring OpenSSL. These cipher list macros were introduced in OpenSSL 1.1.0. If necessary, users can override this configuration with --ssl-ciphers or via corresponding database column. Signed-off-by: Ilya Maximets <[email protected]> --- lib/ssl-connect.man | 2 +- lib/stream-ssl.c | 4 ++-- tests/ovsdb-server.at | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) diff --git a/lib/ssl-connect.man b/lib/ssl-connect.man index e731885c1..772386d11 100644 --- a/lib/ssl-connect.man +++ b/lib/ssl-connect.man @@ -18,4 +18,4 @@ omitted is \fBTLSv1.2\fR or later. .IP "\fB\-\-ssl\-ciphers=\fIciphers\fR" Specifies, in OpenSSL cipher string format, the ciphers \fB\*(PN\fR will support for SSL/TLS connections. The default when this option is omitted is -\fBHIGH:!aNULL:!MD5\fR. +\fBDEFAULT:@SECLEVEL=2\fR. diff --git a/lib/stream-ssl.c b/lib/stream-ssl.c index 8d5c8b766..e614696d1 100644 --- a/lib/stream-ssl.c +++ b/lib/stream-ssl.c @@ -165,7 +165,7 @@ static struct ssl_config_file private_key; static struct ssl_config_file certificate; static struct ssl_config_file ca_cert; static char *ssl_protocols = "TLSv1.2+"; -static char *ssl_ciphers = "HIGH:!aNULL:!MD5"; +static char *ssl_ciphers = "DEFAULT:@SECLEVEL=2"; /* Ordinarily, the SSL client and server verify each other's certificates using * a CA certificate. Setting this to false disables this behavior. (This is a @@ -1070,7 +1070,7 @@ do_ssl_init(void) SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL); SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF); - SSL_CTX_set_cipher_list(ctx, "HIGH:!aNULL:!MD5"); + SSL_CTX_set_cipher_list(ctx, "DEFAULT:@SECLEVEL=2"); return 0; } diff --git a/tests/ovsdb-server.at b/tests/ovsdb-server.at index 3b9aa0c74..88f11ac82 100644 --- a/tests/ovsdb-server.at +++ b/tests/ovsdb-server.at @@ -856,7 +856,7 @@ AT_CHECK( "certificate": "'"$PKIDIR/testpki-cert2.pem"'", "ca_cert": "'"$PKIDIR/testpki-cacert.pem"'", "ssl_protocols": "'"TLSv1.2,TLSv1.1"'", - "ssl_ciphers": "'"HIGH:!aNULL:!MD5:!ECDHE-ECDSA-AES256-GCM-SHA384"'"}}]']], + "ssl_ciphers": "'"DEFAULT:@SECLEVEL=2:!ECDHE-ECDSA-AES256-GCM-SHA384"'"}}]']], [0], [ignore], [ignore]) on_exit 'kill `cat *.pid`' AT_CHECK( -- 2.47.0 _______________________________________________ dev mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-dev
