OpenSSL 1.1.0 reached EoL 5 years ago on 11 Sep 2019.  The vast majority
of distributions moved to newer versions a long time ago.

OpenSSL 1.1.1 introduced a lot of new APIs and deprecated a lot of
old ones.  It also introduced support for TLSv1.3 with a pack of
APIs specific to that version.

Requiring OpenSSL 1.1.1 or newer will allow us to get rid of use of
many deprecated APIs as well as introduce explicit support for TLSv1.3
without polluting the code with conditional compiling.

Python community did an exceptional investigation on benefits of
dropping support for OpenSSL 1.1.0 when they did the same in 2021:
  https://peps.python.org/pep-0644/

We do not officially support building with LibreSSL, but all the
ifdefs for it are not necessary today, as LibreSSL implemented all
the missing APIs.  Also, most major distributions either moved away
from LibreSSL or provide OpenSSL as an alternative.

This commit only removes explicit workarounds.  We'll start replacing
deprecated APIs in the next ones.

OpenSSL 1.1.1 also reached end of life in 2023, but it's not a big
burden to support, and many distributions are still using it and
will continue using it for quite some time.

Signed-off-by: Ilya Maximets <[email protected]>
---
 NEWS                          |  1 +
 build-aux/generate-dhparams-c |  6 ------
 lib/dhparams.c                |  6 ------
 lib/stream-ssl.c              | 28 +---------------------------
 m4/openvswitch.m4             | 16 ----------------
 tests/atlocal.in              |  1 -
 tests/ovs-vsctl.at            |  1 -
 7 files changed, 2 insertions(+), 57 deletions(-)

diff --git a/NEWS b/NEWS
index 657f79041..655d2911c 100644
--- a/NEWS
+++ b/NEWS
@@ -14,6 +14,7 @@ Post-v3.4.0
      * TLSv1 and TLSv1.1 protocols are deprecated and disabled by default
        on OpenFlow and database connections.  Use --ssl-protocols to turn
        them back on.  Support will be fully removed in the next release.
+     * OpenSSL 1.1.1 or newer is now required for SSL/TLS support.
    - Userspace datapath:
      * The default zone limit, if set, is now inherited by any zone
        that does not have a specific value defined, rather than being
diff --git a/build-aux/generate-dhparams-c b/build-aux/generate-dhparams-c
index aca1dbca9..ffb56aa18 100755
--- a/build-aux/generate-dhparams-c
+++ b/build-aux/generate-dhparams-c
@@ -83,13 +83,7 @@ static int
 my_DH_set0_pqg(DH *dh, BIGNUM *p, const BIGNUM **q OVS_UNUSED, BIGNUM *g)
 {
     ovs_assert(q == NULL);
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined (LIBRESSL_VERSION_NUMBER)
-    dh->p = p;
-    dh->g = g;
-    return 1;
-#else
     return DH_set0_pqg(dh, p, NULL, g);
-#endif
 }
 EOF
 dhparam_to_c lib/dh2048.pem
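Review bot: With the pre-1.1 fallback gone, my_DH_set0_pqg is a one-line pass-through to `DH_set0_pqg(dh, p, NULL, g)` whose only remaining job is the `ovs_assert(q == NULL)`, so a reader will wonder why the wrapper (and its `const BIGNUM **q` parameter, which does not match DH_set0_pqg's own signature) still exists. Either inline the call at the generated call sites, or keep the wrapper and say why in a one-line comment, e.g. `/* Kept as a shim so the generated dh2048 code keeps one call shape; DH_* itself is slated for replacement. */` — I am inferring the call shape from the generator, not from lines visible here. The same applies to the identical hunk in lib/dhparams.c, which this here-doc generates.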
diff --git a/lib/dhparams.c b/lib/dhparams.c
index 50209d5d8..4232381ba 100644
--- a/lib/dhparams.c
+++ b/lib/dhparams.c
@@ -11,13 +11,7 @@ static int
 my_DH_set0_pqg(DH *dh, BIGNUM *p, const BIGNUM **q OVS_UNUSED, BIGNUM *g)
 {
     ovs_assert(q == NULL);
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined (LIBRESSL_VERSION_NUMBER)
-    dh->p = p;
-    dh->g = g;
-    return 1;
-#else
     return DH_set0_pqg(dh, p, NULL, g);
-#endif
 }
 DH *get_dh2048(void)
 {
diff --git a/lib/stream-ssl.c b/lib/stream-ssl.c
index 8928e83e0..8b0208e92 100644
--- a/lib/stream-ssl.c
+++ b/lib/stream-ssl.c
@@ -286,14 +286,12 @@ new_ssl_stream(char *name, char *server_name, int fd, 
enum session_type type,
     if (!verify_peer_cert || (bootstrap_ca_cert && type == CLIENT)) {
         SSL_set_verify(ssl, SSL_VERIFY_NONE, NULL);
     }
-#if OPENSSL_SUPPORTS_SNI
     if (server_name && !SSL_set_tlsext_host_name(ssl, server_name)) {
         VLOG_ERR("%s: failed to set server name indication (%s)",
                  server_name, ERR_error_string(ERR_get_error(), NULL));
         retval = ENOPROTOOPT;
         goto error;
     }
-#endif
 
     /* Create and return the ssl_stream. */
     sslv = xmalloc(sizeof *sslv);
@@ -499,14 +497,7 @@ get_peer_common_name(const struct ssl_stream *sslv)
         goto error;
     }
 
-    const char *cn;
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined (LIBRESSL_VERSION_NUMBER)
-    /* ASN1_STRING_data() is deprecated as of OpenSSL version 1.1 */
-    cn = (const char *)ASN1_STRING_data(cn_data);
-#else
-    cn = (const char *)ASN1_STRING_get0_data(cn_data);
- #endif
-    peer_name = xstrdup(cn);
+    peer_name = xstrdup((const char *) ASN1_STRING_get0_data(cn_data));
 
 error:
     X509_free(peer_cert);
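Review bot: The new `peer_name = xstrdup((const char *) ASN1_STRING_get0_data(cn_data));` copies the CN's raw certificate encoding as if it were a NUL-terminated C string; ASN1_STRING_get0_data() does not guarantee a terminator, and a BMPString or other multi-byte CN, or a CN with an embedded NUL, would be truncated or mis-read silently. Unless the part of get_peer_common_name above this hunk already validates ASN1_STRING_type() and compares ASN1_STRING_length() against strlen() of the data (the function starts outside the hunk, so I cannot see it), converting with ASN1_STRING_to_UTF8() and rejecting a length mismatch is the safer shape, since peer_name is later used for identity decisions.

```c
    /* … unchanged: cn_data lookup and NULL check … */
    unsigned char *utf8 = NULL;
    int len = ASN1_STRING_to_UTF8(&utf8, cn_data);
    /* Reject conversion failure and embedded NULs, which would otherwise
     * truncate the name silently. */
    if (len < 0 || strlen((const char *) utf8) != (size_t) len) {
        OPENSSL_free(utf8);
        goto error;
    }
    peer_name = xstrdup((const char *) utf8);
    OPENSSL_free(utf8);

error:
```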
@@ -571,13 +562,11 @@ ssl_connect(struct stream *stream)
                 "rejecting SSL/TLS connection during bootstrap race window");
             return EPROTO;
         } else {
-#if OPENSSL_SUPPORTS_SNI
             const char *servername = SSL_get_servername(
                 sslv->ssl, TLSEXT_NAMETYPE_host_name);
             if (servername) {
                 VLOG_DBG("connection indicated server name %s", servername);
             }
-#endif
 
             char *cn = get_peer_common_name(sslv);
 
@@ -1016,15 +1005,6 @@ do_ssl_init(void)
 {
     SSL_METHOD *method;
 
-#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined (LIBRESSL_VERSION_NUMBER)
-#ifdef _WIN32
-    /* The following call is needed if we "#include <openssl/applink.c>". */
-    CRYPTO_malloc_init();
-#endif
-    SSL_library_init();
-    SSL_load_error_strings();
-#endif
-
     if (!RAND_status()) {
         /* We occasionally see OpenSSL fail to seed its random number generator
          * in heavily loaded hypervisors.  I suspect the following scenario:
@@ -1269,12 +1249,6 @@ stream_ssl_set_protocols(const char *arg)
     }
 
     /* Start with all the flags off and turn them on as requested. */
-#ifndef SSL_OP_NO_SSL_MASK
-    /* For old OpenSSL without this macro, this is the correct value.  */
-#define SSL_OP_NO_SSL_MASK (SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | \
-                            SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | \
-                            SSL_OP_NO_TLSv1_2)
-#endif
     long protocol_flags = SSL_OP_NO_SSL_MASK;
     struct {
         const char *name;
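Review bot: `long protocol_flags = SSL_OP_NO_SSL_MASK;` now takes its value solely from the OpenSSL headers, and in 1.1.1 that mask also contains SSL_OP_NO_TLSv1_3 (the removed fallback did not), so any protocol a user may name in --ssl-protocols has to be listed in the table that follows, which lies outside the hunk, or it can never be turned back on. That is worth stating next to the assignment so the next person adding TLSv1.3 support sees it: `/* Start with all the flags off and turn them on as requested.  The mask comes from OpenSSL and, from 1.1.1, also disables TLSv1.3 by default. */`. stream_ssl_set_protocols begins and ends outside this hunk.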
diff --git a/m4/openvswitch.m4 b/m4/openvswitch.m4
index a6b5c783b..b93516557 100644
--- a/m4/openvswitch.m4
+++ b/m4/openvswitch.m4
@@ -293,22 +293,6 @@ OpenFlow connections over SSL/TLS will not be supported.
    if test "$HAVE_OPENSSL" = yes; then
       AC_DEFINE([HAVE_OPENSSL], [1], [Define to 1 if OpenSSL is installed.])
    fi
-
-   OPENSSL_SUPPORTS_SNI=no
-   if test $HAVE_OPENSSL = yes; then
-      save_CPPFLAGS=$CPPFLAGS
-      CPPFLAGS="$CPPFLAGS $SSL_INCLUDES"
-      AC_CHECK_DECL([SSL_set_tlsext_host_name], [OPENSSL_SUPPORTS_SNI=yes],
-                    [], [#include <openssl/ssl.h>
-])
-      if test $OPENSSL_SUPPORTS_SNI = yes; then
-        AC_DEFINE(
-          [OPENSSL_SUPPORTS_SNI], [1],
-          [Define to 1 if OpenSSL supports Server Name Indication (SNI).])
-      fi
-      CPPFLAGS=$save_CPPFLAGS
-   fi
-   AC_SUBST([OPENSSL_SUPPORTS_SNI])
 ])
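Review bot: The commit message states that OpenSSL 1.1.1 or newer is now required, but nothing in this hunk or the rest of the diff enforces that at configure time; the hunk only removes the SNI probe, so a tree built against 1.1.0 still configures cleanly and will only fail once the follow-up commits start using 1.1.1-only APIs. The removed save/restore of CPPFLAGS around `$SSL_INCLUDES` is exactly the scaffolding such a check needs, so it could be kept and used for a preprocessor test on OPENSSL_VERSION_NUMBER that fails with AC_MSG_ERROR when the headers are too old. LibreSSL reports a 2.x/3.x version number and would pass unchanged, which matches the message's stance on it. The enclosing macro starts outside the hunk.

```m4
   dnl … unchanged: HAVE_OPENSSL AC_DEFINE above …
   if test "$HAVE_OPENSSL" = yes; then
      save_CPPFLAGS=$CPPFLAGS
      CPPFLAGS="$CPPFLAGS $SSL_INCLUDES"
      AC_PREPROC_IFELSE(
        [AC_LANG_PROGRAM([#include <openssl/opensslv.h>
#if OPENSSL_VERSION_NUMBER < 0x10101000L
#error OpenSSL 1.1.1 or newer is required
#endif])],
        [], [AC_MSG_ERROR([OpenSSL 1.1.1 or newer is required for SSL/TLS support])])
      CPPFLAGS=$save_CPPFLAGS
   fi
```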
 
 dnl Checks for libraries needed by lib/socket-util.c.
diff --git a/tests/atlocal.in b/tests/atlocal.in
index 1c3d4891a..e70c03f8c 100644
--- a/tests/atlocal.in
+++ b/tests/atlocal.in
@@ -1,6 +1,5 @@
 # -*- shell-script -*-
 HAVE_OPENSSL='@HAVE_OPENSSL@'
-OPENSSL_SUPPORTS_SNI='@OPENSSL_SUPPORTS_SNI@'
 HAVE_UNBOUND='@HAVE_UNBOUND@'
 HAVE_BACKTRACE='@HAVE_BACKTRACE@'
 HAVE_UNWIND='@HAVE_UNWIND@'
diff --git a/tests/ovs-vsctl.at b/tests/ovs-vsctl.at
index febb9dadf..a0e49155a 100644
--- a/tests/ovs-vsctl.at
+++ b/tests/ovs-vsctl.at
@@ -1734,7 +1734,6 @@ AT_CLEANUP
 AT_SETUP([TLS server name indication (SNI)])
 AT_KEYWORDS([ovsdb server positive ssl tls sni])
 AT_SKIP_IF([test "$HAVE_OPENSSL" = no])
-AT_SKIP_IF([test "$OPENSSL_SUPPORTS_SNI" = no])
 AT_SKIP_IF([test "$HAVE_UNBOUND" = no])
 OVSDB_INIT([conf.db])
 PKIDIR=$abs_top_builddir/tests
-- 
2.47.0
