TLS support

OHMURA Kei Wed, 07 Nov 2012 19:15:56 -0800

2012/11/8 Simon Horman <ho...@verge.net.au>:
> On Thu, Nov 08, 2012 at 07:01:45AM +0900, OHMURA Kei wrote:
>> 2012/11/7 FUJITA Tomonori <fujita.tomon...@lab.ntt.co.jp>:
>> > On Wed,  7 Nov 2012 21:25:43 +0900
>> > OHMURA Kei <ohmura....@lab.ntt.co.jp> wrote:
>> >
>> >> We should support SSL/TLS to encrypt OF channel. This patch only
>> >> support self-signed certificates. (see the "INSTALL.SSL" in Open vSwitch
>> >> source code)
>> >>
>> >> Signed-off-by: OHMURA Kei <ohmura....@lab.ntt.co.jp>
>> >> ---
>> >>  ryu/controller/controller.py |   20 +++++++++++++++++---
>> >>  1 file changed, 17 insertions(+), 3 deletions(-)
>> >>
>> >> diff --git a/ryu/controller/controller.py b/ryu/controller/controller.py
>> >> index dd5f16b..2953a86 100644
>> >> --- a/ryu/controller/controller.py
>> >> +++ b/ryu/controller/controller.py
>> >> @@ -21,6 +21,7 @@ import gevent
>> >>  import traceback
>> >>  import random
>> >>  import greenlet
>> >> +import ssl
>> >>  from gevent.server import StreamServer
>> >>  from gevent.queue import Queue
>> >>
>> >> @@ -42,6 +43,10 @@ FLAGS = gflags.FLAGS
>> >>  gflags.DEFINE_string('ofp_listen_host', '', 'openflow listen host')
>> >>  gflags.DEFINE_integer('ofp_tcp_listen_port', ofproto_common.OFP_TCP_PORT,
>> >>                        'openflow tcp listen port')
>> >> +gflags.DEFINE_integer('ofp_ssl_listen_port', ofproto_common.OFP_SSL_PORT,
>> >> +                      'openflow ssl listen port')
>> >> +gflags.DEFINE_string('ctl_privkey', None, 'controller private key')
>> >> +gflags.DEFINE_string('ctl_cert', None, 'controller certificate')
>> >>
>> >>
>> >>  class OpenFlowController(object):
>> >> @@ -54,9 +59,18 @@ class OpenFlowController(object):
>> >>          self.server_loop()
>> >>
>> >>      def server_loop(self):
>> >> -        server = StreamServer((FLAGS.ofp_listen_host,
>> >> -                               FLAGS.ofp_tcp_listen_port),
>> >> -                              datapath_connection_factory)
>> >> +        if FLAGS.ctl_privkey and FLAGS.ctl_cert is not None:
>> >> +            server = StreamServer((FLAGS.ofp_listen_host,
>> >> +                                   FLAGS.ofp_ssl_listen_port),
>> >> +                                  datapath_connection_factory,
>> >> +                                  keyfile=FLAGS.ctl_privkey,
>> >> +                                  certfile=FLAGS.ctl_cert,
>> >> +                                  ssl_version=ssl.PROTOCOL_TLSv1)
>> >
>> > Needs to specify the ssl version?
>>
>> Oops, I forgot to remove it. I confirmed that this patch worked
>> correct without specifying it.
>
> Personally I think we should disallow SSLv2 as its broken.


Thank you for your comment. Server uses the SSLv23 by default, when we
don't specify it. SSLv23 allows all SSL/TLS versions. We need to
specify the SSL version like this patch, right?

------------------------------------------------------------------------------
Everyone hates slow websites. So do we.
Make your web apps faster with AppDynamics
Download AppDynamics Lite for free today:
http://p.sf.net/sfu/appdyn_d2d_nov
_______________________________________________
Ryu-devel mailing list
Ryu-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ryu-devel

Re: [Ryu-devel] [PATCH] ryu/controller/controller: add SSL/TLS support

Reply via email to