TLSv1 and TLSv1.1 are officially deprecated by RFC 8996 since March
of 2021:  https://datatracker.ietf.org/doc/rfc8996/

Neither protocol should be used any longer (the RFC says MUST NOT), and
both are being actively removed from support by major distributions and
libraries.  They were deprecated and disabled by default in OVN 25.03,
and support was fully removed in OVS commit [1].

Not updating the OVS submodule here, because the previous commit for
STT encapsulation type removal already moved the version beyond the
commit [1].  So, just updating the documentation accordingly.

 [1] 7b4d3137a133 ("stream-ssl: Remove support for deprecated TLSv1 and 
TLSv1.1.")

Signed-off-by: Ilya Maximets <i.maxim...@ovn.org>
---
 NEWS          |  3 +++
 ovn-ic-nb.xml | 13 ++++++-------
 ovn-ic-sb.xml | 13 ++++++-------
 ovn-nb.xml    | 13 ++++++-------
 ovn-sb.xml    | 13 ++++++-------
 5 files changed, 27 insertions(+), 28 deletions(-)

diff --git a/NEWS b/NEWS
index edb3ded0d..db7b9a49f 100644
--- a/NEWS
+++ b/NEWS
@@ -10,6 +10,9 @@ Post v25.03.0
      external-ids, this option allows to specify if ovn-controller should
      perform cleanup when exiting. The "--restart" exit always has priority
      to keep the backward compatibility.
+   - SSL/TLS:
+     * Support for deprecated TLSv1 and TLSv1.1 protocols on OpenFlow and
+       database connections is now removed.
 
 OVN v25.03.0 - 07 Mar 2025
 --------------------------
diff --git a/ovn-ic-nb.xml b/ovn-ic-nb.xml
index abd8114fc..304e100ff 100644
--- a/ovn-ic-nb.xml
+++ b/ovn-ic-nb.xml
@@ -157,17 +157,16 @@
         enable for SSL/TLS connections.
       </p>
       <p>
-        Supported protocols include <code>TLSv1</code> (deprecated),
-        <code>TLSv1.1</code> (deprecated), <code>TLSv1.2</code> and
+        Supported protocols include <code>TLSv1.2</code> and
         <code>TLSv1.3</code>.  Ranges can be provided in a form of two protocol
-        names separated with a dash (<code>TLSv1.1-TLSv1.2</code>), or as a
+        names separated with a dash (<code>TLSv1.2-TLSv1.3</code>), or as a
         single protocol name with a plus sign (<code>TLSv1.2+</code>).  The
         value can be a list of protocols or exactly one range.  The range is a
         preferred way of specifying protocols and the configuration always
         behaves as if the range between the minimum and the maximum specified
         version is provided, i.e., if the value is set to
-        <code>TLSv1.1,TLSv1.3</code>, the <code>TLSv1.2</code> will also be
-        enabled as if it was a range.
+        <code>TLSv1.X,TLSv1.(X+2)</code>, the <code>TLSv1.(X+1)</code> will
+        also be enabled as if it was a range.
         Regardless of order, the highest protocol supported by both sides will
         be chosen when making the connection.
       </p>
@@ -178,8 +177,8 @@
 
     <column name="ssl_ciphers">
       List of ciphers (in OpenSSL cipher string format) to be supported
-      for SSL/TLS connections with TLSv1.2 and earlier.  The default when this
-      option is omitted is <code>DEFAULT:@SECLEVEL=2</code>.
+      for SSL/TLS connections with TLSv1.2.  The default when this option
+      is omitted is <code>DEFAULT:@SECLEVEL=2</code>.
     </column>
 
     <column name="ssl_ciphersuites">
diff --git a/ovn-ic-sb.xml b/ovn-ic-sb.xml
index 63848088a..5f0743dc3 100644
--- a/ovn-ic-sb.xml
+++ b/ovn-ic-sb.xml
@@ -651,17 +651,16 @@
         enable for SSL/TLS connections.
       </p>
       <p>
-        Supported protocols include <code>TLSv1</code> (deprecated),
-        <code>TLSv1.1</code> (deprecated), <code>TLSv1.2</code> and
+        Supported protocols include <code>TLSv1.2</code> and
         <code>TLSv1.3</code>.  Ranges can be provided in a form of two protocol
-        names separated with a dash (<code>TLSv1.1-TLSv1.2</code>), or as a
+        names separated with a dash (<code>TLSv1.2-TLSv1.3</code>), or as a
         single protocol name with a plus sign (<code>TLSv1.2+</code>).  The
         value can be a list of protocols or exactly one range.  The range is a
         preferred way of specifying protocols and the configuration always
         behaves as if the range between the minimum and the maximum specified
         version is provided, i.e., if the value is set to
-        <code>TLSv1.1,TLSv1.3</code>, the <code>TLSv1.2</code> will also be
-        enabled as if it was a range.
+        <code>TLSv1.X,TLSv1.(X+2)</code>, the <code>TLSv1.(X+1)</code> will
+        also be enabled as if it was a range.
         Regardless of order, the highest protocol supported by both sides will
         be chosen when making the connection.
       </p>
@@ -672,8 +671,8 @@
 
     <column name="ssl_ciphers">
       List of ciphers (in OpenSSL cipher string format) to be supported
-      for SSL/TLS connections with TLSv1.2 and earlier.  The default when this
-      option is omitted is <code>DEFAULT:@SECLEVEL=2</code>.
+      for SSL/TLS connections with TLSv1.2.  The default when this option
+      is omitted is <code>DEFAULT:@SECLEVEL=2</code>.
     </column>
 
     <column name="ssl_ciphersuites">
diff --git a/ovn-nb.xml b/ovn-nb.xml
index 307aed38b..2098cdbda 100644
--- a/ovn-nb.xml
+++ b/ovn-nb.xml
@@ -5489,17 +5489,16 @@ or
         enable for SSL/TLS connections.
       </p>
       <p>
-        Supported protocols include <code>TLSv1</code> (deprecated),
-        <code>TLSv1.1</code> (deprecated), <code>TLSv1.2</code> and
+        Supported protocols include <code>TLSv1.2</code> and
         <code>TLSv1.3</code>.  Ranges can be provided in a form of two protocol
-        names separated with a dash (<code>TLSv1.1-TLSv1.2</code>), or as a
+        names separated with a dash (<code>TLSv1.2-TLSv1.3</code>), or as a
         single protocol name with a plus sign (<code>TLSv1.2+</code>).  The
         value can be a list of protocols or exactly one range.  The range is a
         preferred way of specifying protocols and the configuration always
         behaves as if the range between the minimum and the maximum specified
         version is provided, i.e., if the value is set to
-        <code>TLSv1.1,TLSv1.3</code>, the <code>TLSv1.2</code> will also be
-        enabled as if it was a range.
+        <code>TLSv1.X,TLSv1.(X+2)</code>, the <code>TLSv1.(X+1)</code> will
+        also be enabled as if it was a range.
         Regardless of order, the highest protocol supported by both sides will
         be chosen when making the connection.
       </p>
@@ -5510,8 +5509,8 @@ or
 
     <column name="ssl_ciphers">
       List of ciphers (in OpenSSL cipher string format) to be supported
-      for SSL/TLS connections with TLSv1.2 and earlier.  The default when this
-      option is omitted is <code>DEFAULT:@SECLEVEL=2</code>.
+      for SSL/TLS connections with TLSv1.2.  The default when this option
+      is omitted is <code>DEFAULT:@SECLEVEL=2</code>.
     </column>
 
     <column name="ssl_ciphersuites">
diff --git a/ovn-sb.xml b/ovn-sb.xml
index bbb3c7b13..43b691827 100644
--- a/ovn-sb.xml
+++ b/ovn-sb.xml
@@ -4589,17 +4589,16 @@ tcp.flags = RST;
         enable for SSL/TLS connections.
       </p>
       <p>
-        Supported protocols include <code>TLSv1</code> (deprecated),
-        <code>TLSv1.1</code> (deprecated), <code>TLSv1.2</code> and
+        Supported protocols include <code>TLSv1.2</code> and
         <code>TLSv1.3</code>.  Ranges can be provided in a form of two protocol
-        names separated with a dash (<code>TLSv1.1-TLSv1.2</code>), or as a
+        names separated with a dash (<code>TLSv1.2-TLSv1.3</code>), or as a
         single protocol name with a plus sign (<code>TLSv1.2+</code>).  The
         value can be a list of protocols or exactly one range.  The range is a
         preferred way of specifying protocols and the configuration always
         behaves as if the range between the minimum and the maximum specified
         version is provided, i.e., if the value is set to
-        <code>TLSv1.1,TLSv1.3</code>, the <code>TLSv1.2</code> will also be
-        enabled as if it was a range.
+        <code>TLSv1.X,TLSv1.(X+2)</code>, the <code>TLSv1.(X+1)</code> will
+        also be enabled as if it was a range.
         Regardless of order, the highest protocol supported by both sides will
         be chosen when making the connection.
       </p>
@@ -4610,8 +4609,8 @@ tcp.flags = RST;
 
     <column name="ssl_ciphers">
       List of ciphers (in OpenSSL cipher string format) to be supported
-      for SSL/TLS connections with TLSv1.2 and earlier.  The default when this
-      option is omitted is <code>DEFAULT:@SECLEVEL=2</code>.
+      for SSL/TLS connections with TLSv1.2.  The default when this option
+      is omitted is <code>DEFAULT:@SECLEVEL=2</code>.
     </column>
 
     <column name="ssl_ciphersuites">
-- 
2.49.0
