On Thu, Nov 08, 2012 at 05:02:04PM +0900, OHMURA Kei wrote:
> 2012/11/8 Simon Horman <ho...@verge.net.au>:
> > On Thu, Nov 08, 2012 at 12:15:44PM +0900, OHMURA Kei wrote:
> >> 2012/11/8 Simon Horman <ho...@verge.net.au>:
> >> > On Thu, Nov 08, 2012 at 07:01:45AM +0900, OHMURA Kei wrote:
> >> >> 2012/11/7 FUJITA Tomonori <fujita.tomon...@lab.ntt.co.jp>:
> >> >> > On Wed,  7 Nov 2012 21:25:43 +0900
> >> >> > OHMURA Kei <ohmura....@lab.ntt.co.jp> wrote:
> >> >> >
> >> >> >> We should support SSL/TLS to encrypt the OF channel. This patch only
> >> >> >> supports self-signed certificates. (See "INSTALL.SSL" in the Open
> >> >> >> vSwitch source code.)
> >> >> >>
> >> >> >> Signed-off-by: OHMURA Kei <ohmura....@lab.ntt.co.jp>
> >> >> >> ---
> >> >> >>  ryu/controller/controller.py |   20 +++++++++++++++++---
> >> >> >>  1 file changed, 17 insertions(+), 3 deletions(-)
> >> >> >>
> >> >> >> diff --git a/ryu/controller/controller.py 
> >> >> >> b/ryu/controller/controller.py
> >> >> >> index dd5f16b..2953a86 100644
> >> >> >> --- a/ryu/controller/controller.py
> >> >> >> +++ b/ryu/controller/controller.py
> >> >> >> @@ -21,6 +21,7 @@ import gevent
> >> >> >>  import traceback
> >> >> >>  import random
> >> >> >>  import greenlet
> >> >> >> +import ssl
> >> >> >>  from gevent.server import StreamServer
> >> >> >>  from gevent.queue import Queue
> >> >> >>
> >> >> >> @@ -42,6 +43,10 @@ FLAGS = gflags.FLAGS
> >> >> >>  gflags.DEFINE_string('ofp_listen_host', '', 'openflow listen host')
> >> >> >>  gflags.DEFINE_integer('ofp_tcp_listen_port', 
> >> >> >> ofproto_common.OFP_TCP_PORT,
> >> >> >>                        'openflow tcp listen port')
> >> >> >> +gflags.DEFINE_integer('ofp_ssl_listen_port', 
> >> >> >> ofproto_common.OFP_SSL_PORT,
> >> >> >> +                      'openflow ssl listen port')
> >> >> >> +gflags.DEFINE_string('ctl_privkey', None, 'controller private key')
> >> >> >> +gflags.DEFINE_string('ctl_cert', None, 'controller certificate')
> >> >> >>
> >> >> >>
> >> >> >>  class OpenFlowController(object):
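Review bot: the three new flags carry only one-line help strings; the help for ctl_privkey and ctl_cert should say that both must be set for the SSL listener to be started and that the key and certificate are expected in PEM form as produced by the INSTALL.SSL procedure the commit message points to, since a user who sets only one of them gets no error from this hunk.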
> >> >> >> @@ -54,9 +59,18 @@ class OpenFlowController(object):
> >> >> >>          self.server_loop()
> >> >> >>
> >> >> >>      def server_loop(self):
> >> >> >> -        server = StreamServer((FLAGS.ofp_listen_host,
> >> >> >> -                               FLAGS.ofp_tcp_listen_port),
> >> >> >> -                              datapath_connection_factory)
> >> >> >> +        if FLAGS.ctl_privkey and FLAGS.ctl_cert is not None:
> >> >> >> +            server = StreamServer((FLAGS.ofp_listen_host,
> >> >> >> +                                   FLAGS.ofp_ssl_listen_port),
> >> >> >> +                                  datapath_connection_factory,
> >> >> >> +                                  keyfile=FLAGS.ctl_privkey,
> >> >> >> +                                  certfile=FLAGS.ctl_cert,
> >> >> >> +                                  ssl_version=ssl.PROTOCOL_TLSv1)
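Review bot: the condition `if FLAGS.ctl_privkey and FLAGS.ctl_cert is not None:` tests the two flags differently (truthiness for the key, `is not None` for the cert), so an empty-string ctl_privkey disables SSL while an empty-string ctl_cert enables it and then fails in StreamServer; write `if FLAGS.ctl_privkey is not None and FLAGS.ctl_cert is not None:` so both are checked the same way. Also, `ssl_version=ssl.PROTOCOL_TLSv1` pins the listener to TLS 1.0 only, which is narrower than the "exclude SSLv2/SSLv3" goal discussed in the thread; the version-negotiating default with SSLv2 and SSLv3 disabled via context options would accept TLS 1.0 and newer. Finally, this branch starts the SSL listener instead of, not alongside, the TCP listener on ofp_tcp_listen_port; if that is intended, the flag help should say so.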
> >> >> >
> >> >> > Needs to specify the ssl version?
> >> >>
> >> >> Oops, I forgot to remove it. I confirmed that this patch worked
> >> >> correctly without specifying it.
> >> >
> >> > Personally I think we should disallow SSLv2 as it's broken.
> >>
> >> Thank you for your comment. The server uses SSLv23 by default when we
> >> don't specify it. SSLv23 allows all SSL/TLS versions. We need to
> >> specify the SSL version like this patch, right?
> >
> > It's been a little while since I did work on this area.
> > But yes, I think we should specify that SSLv3 or any
> > version of TLS is acceptable. Or in other words SSLv3 or newer.
> 
> Does OVS support SSLv3? When I tried it, the following error occurred.

Good point. I checked the code just now and I see
the following in lib/stream-ssl.c:do_ssl_init().

        SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3)

> --
> SLError: [Errno 1] _ssl.c:504: error:14094410:SSL
> routines:SSL3_READ_BYTES:sslv3 alert handshake failure
> <Greenlet at 0x25c7958: <bound method
> StreamServer.wrap_socket_and_handle of <StreamServer at 0x274f290
> fileno=3 address=0.0.0.0:6633
> handle=datapath_connection_factory>>(<socket at 0x274f3d0 fileno=4
> sock=127.0.0.1:6633>, ('127.0.0.1', 54452))> failed with SSLError
> --
> 
> > I think that only very ancient code supports only SSLv2,
> > and it is really no better than plaintext.
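The version policy discussed above (negotiate any TLS version, never SSLv2 or SSLv3, the same line OVS draws with SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3), expressed for the Python side of the controller, as an added example that is not part of the patch or of Ryu. It assumes Python 3.7 or newer with OpenSSL 1.1.1 or newer (ssl.TLSVersion and SSLContext.minimum_version), and the function names are mine; ctl_cert and ctl_privkey mirror the patch's gflags.

```python
import ssl

# Assumed: Python 3.7+ on OpenSSL 1.1.1+ (TLSVersion, minimum_version).


def ssl_enabled(ctl_privkey, ctl_cert):
    """True only when BOTH the private key and the certificate are set.
    The patch's `FLAGS.ctl_privkey and FLAGS.ctl_cert is not None` tests
    the two flags differently; here both get the same test."""
    return ctl_privkey is not None and ctl_cert is not None


def make_openflow_server_context(ctl_cert=None, ctl_privkey=None,
                                 min_version=ssl.TLSVersion.TLSv1_2):
    """Server context for the OpenFlow SSL listener.

    PROTOCOL_TLS_SERVER is the version-negotiating ("SSLv23") method, so
    the client may pick any TLS version; minimum_version then excludes
    SSLv2/SSLv3 exactly as OVS's do_ssl_init() does, without pinning the
    listener to TLS 1.0 alone the way ssl.PROTOCOL_TLSv1 would.  TLS 1.2
    is the floor used here; pass ssl.TLSVersion.TLSv1 for the thread's
    literal "any TLS version".  Certificate files are optional so the
    policy can be inspected without them."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = min_version
    if ssl_enabled(ctl_privkey, ctl_cert):
        ctx.load_cert_chain(ctl_cert, ctl_privkey)
    return ctx


def negotiable_versions(ctx):
    """Names of the protocol versions the context will negotiate, from
    its minimum/maximum bounds.  SSLv2 has no TLSVersion member in
    modern OpenSSL builds, so it can never appear in the result."""
    ordered = [ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1,
               ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1_2,
               ssl.TLSVersion.TLSv1_3]
    lo, hi = ctx.minimum_version, ctx.maximum_version
    if lo == ssl.TLSVersion.MINIMUM_SUPPORTED:   # "no lower bound set"
        lo = ordered[0]
    if hi == ssl.TLSVersion.MAXIMUM_SUPPORTED:   # "no upper bound set"
        hi = ordered[-1]
    return [v.name for v in ordered if lo <= v <= hi]


if __name__ == "__main__":
    policy = make_openflow_server_context()
    print("negotiable:", negotiable_versions(policy))
```

With a key and certificate supplied, the returned context is what you would hand to the listener (for example `ctx.wrap_socket(sock, server_side=True)` on each accepted connection) in place of the keyfile/certfile/ssl_version keyword arguments from the patch.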

_______________________________________________
Ryu-devel mailing list
Ryu-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/ryu-devel