On Tue, 6 Jun 2017 12:26:21 -0400 (EDT) Lance Richardson <[email protected]> wrote:

> > From: "Dominik Holler" <[email protected]>
> > To: [email protected]
> > Cc: "Lance Richardson" <[email protected]>, "Numan Siddique" <[email protected]>, "Marcin Mirecki" <[email protected]>, "Dan Kenigsberg" <[email protected]>
> > Sent: Tuesday, 6 June, 2017 11:30:07 AM
> > Subject: enforce TLSv1.2 in OVN
> >
> > Hello,
> > We want to ensure that OVN uses only TLSv1.2, but not TLSv1 or TLSv1.1 in our scenario.
> >
> > There are multiple connections identified to be relevant:
> >
> > - The tunneling data connection between the hypervisors/chassis, like geneve listening on UDP port 6081.
> >
> > - The meta data connections:
> >
> >   - The connections to the OVN Southbound DB, which is hosted by ovsdb-server and listening typically on TCP port 6642. Connections may be initiated from the ovn-controllers and ovn-northd.
> >
> >   - The connections to the OVN Northbound DB, which is hosted by ovsdb-server and listening typically on TCP port 6641. Connections may be initiated by the Cloud Management System and ovn-northd.
> >
> > Is it correct that encryption is not supported at all for the tunneling data connection?
>
> That's correct. There has been some recent work to support the use of IPSec for tunnel encryption, but as far as I know no one has investigated using IPSec with OVN tunnels. If there is a need for this, we could look into it. See:
>
> https://patchwork.ozlabs.org/patch/674858/
>
> > For the meta data connections ovsdb-server acts as the server. ovsdb-server has the command line option --ssl-protocols, but I do not understand how to apply this. ovsdb-server seems to be started by ovn-ctl, but I do not recognize a way to utilize ovn-ctl to pass the --ssl-protocols option.
> > How should the --ssl-protocols option be passed to ovsdb-server?
> >
>
> I think we'll need to add a new option to ovn-ctl to allow this option to be specified.
>
> I also think we should allow the --ssl-protocols configuration to be stored in the ovsdb database and have support in ovn-nbctl/ovn-sbctl etc. for setting it.
>
> I'll go ahead and start working on that,

Great to hear!

> it would be good if you could open a BZ for tracking the upstream and backport work.

add a new option to ovn-ctl
master: https://bugzilla.redhat.com/1459438
backport: https://bugzilla.redhat.com/1459440

configuration to be stored in the ovsdb database
master: https://bugzilla.redhat.com/1459441
backport: https://bugzilla.redhat.com/1459442
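A verification step for the ovsdb-server side of this thread, added here as an example and not code from the thread, OVS or OVN: it pins a client handshake to each of TLSv1, TLSv1.1 and TLSv1.2 in turn against an NB/SB listener and reports which versions the server accepts, so that once ovsdb-server is running with --ssl-protocols restricted to TLSv1.2 one can confirm the older versions are actually refused rather than assume it. Host and port are command-line arguments; the OpenSSL security-level override is an assumption, needed only so the probe itself can still offer TLS 1.0/1.1 on newer builds.

```python
"""Probe which TLS versions an ovsdb-server listener (OVN NB 6641 / SB 6642) accepts."""
import socket
import ssl
import sys

# Names follow the ovsdb-server --ssl-protocols option; values are ssl module versions.
VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}

def handshake(host, port, version, timeout=5.0):
    """One handshake pinned to exactly `version`: True if the server completed it,
    False if it refused, None if the local OpenSSL cannot offer that version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # only version negotiation is under test
    try:
        ctx.minimum_version = ctx.maximum_version = version
    except ValueError:
        return None
    try:
        # Assumption: OpenSSL 3 disables TLS 1.0/1.1 at its default security level,
        # so the probe lowers it for its own side only; the server is unaffected.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # builds without security levels need no override
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, ConnectionResetError):
        return False  # protocol_version alert or a bare reset: refused

def probe(host, port):
    """Map each protocol name to the outcome of handshake()."""
    return {name: handshake(host, port, v) for name, v in VERSIONS.items()}

def only_tls12(results):
    """True when TLSv1.2 is accepted and TLSv1 and TLSv1.1 were both actually
    refused; an untestable (None) older version does not count as refused."""
    return results.get("TLSv1.2") is True and all(
        results.get(n) is False for n in ("TLSv1", "TLSv1.1"))

if __name__ == "__main__":
    res = probe(sys.argv[1], int(sys.argv[2]))
    for name, ok in res.items():
        print(name, {True: "accepted", False: "refused", None: "not testable"}[ok])
    print("only TLSv1.2:", only_tls12(res))
```

Run it as `python probe.py <nb-or-sb-host> 6642`; a listener that still completes the TLSv1 or TLSv1.1 handshake is not yet restricted, whatever its command line says.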
