>> OVN-Central/Chassis charm for review of TLS 1.2 in OVN
>
> The default behavior of the Open vSwitch clients and servers is to use the 
> highest protocol version supported [0] and it has been this way since Open 
> vSwitch v2.4.0 [1] which was released in 2014.
>
> The default configuration does allow the use of TLSv1, TLSv1.1, TLSv1.2, so if 
> the intention of this bug is to disallow protocol versions prior to TLSv1.2 
> that would translate into action necessary for the OVN charms.
>
> 0: http://manpages.ubuntu.com/manpages/focal/man1/ovsdb-server.1.html
> 1: 
> https://github.com/openvswitch/ovs/commit/b56ea5d54e072105b398d26421f9a4578fa6e05b

Just an update on the Open vSwitch part of this bug.  While the above is
true, and there is an outstanding issue of updating the Open vSwitch
defaults and documentation, due to how the defaults are set up for the
OpenSSL library in Ubuntu, Open vSwitch and OVN are in effect not
affected by this.

The Ubuntu OpenSSL library configuration will make Open vSwitch and OVN
only enable TLSv1.2 and TLSv1.3 as long as no configuration is provided
for the SSL_Protocols and SSL_Ciphers options.

** Changed in: charm-layer-ovn
       Status: Confirmed => Invalid

** Changed in: charm-ovn-central
       Status: Confirmed => Invalid

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1892450

Title:
  Secure TLS configuration by default

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
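The update above rests on the distribution's OpenSSL defaults rather than on anything Open vSwitch or OVN configures itself, so the check a practitioner would want is to ask the running OVSDB listener which protocol versions it actually negotiates. The script below is an added example and is not code from this bug thread or from the OVN/Open vSwitch projects. It pins a client handshake to one TLS version at a time and records whether the server accepted it; host and port are arguments (6641 is assumed here as the conventional OVN northbound port, 6642 for the southbound), and the `@SECLEVEL=0` cipher string only relaxes the probing client's own OpenSSL policy so that it can offer TLSv1 and TLSv1.1 at all, leaving the server's policy to accept or reject them.

```python
#!/usr/bin/env python3
"""Probe which TLS protocol versions a TLS endpoint (e.g. an OVSDB listener) accepts.

Added example for the ubuntu-bugs thread on LP#1892450; not code from the
bug thread or from the OVN/Open vSwitch projects.
"""
import argparse
import socket
import ssl

# Versions to probe, keyed by the names used in the thread above.
VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
LEGACY = ("TLSv1", "TLSv1.1")  # versions the bug wants disallowed


def probe_version(host, port, version, timeout=3.0):
    """Attempt one handshake pinned to exactly `version`.

    Returns "accepted", "rejected" (TCP connected but the server refused this
    version) or "error: <ExceptionName>" (no TCP connection, or the local
    OpenSSL build cannot even offer this version).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # The probe tests version negotiation only, so certificate checks are off;
    # do not reuse this context for anything that carries real traffic.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        # The distribution's OpenSSL security level may stop the client from
        # offering TLSv1/TLSv1.1 at all; relax it so the server's policy decides.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
        ctx.minimum_version = version
        ctx.maximum_version = version
    except (ssl.SSLError, ValueError) as exc:
        return f"error: {type(exc).__name__}"
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "accepted"
    except ssl.SSLError:
        # TCP connected, but the handshake at this version was refused.
        return "rejected"
    except OSError as exc:
        # Connection refused, timeout, unreachable host, ...
        return f"error: {type(exc).__name__}"


def probe_all(host, port, timeout=3.0):
    """Probe every version in VERSIONS and return {name: result}."""
    return {name: probe_version(host, port, ver, timeout) for name, ver in VERSIONS.items()}


def legacy_accepted(results):
    """Names of pre-TLSv1.2 versions the endpoint accepted (should be empty)."""
    return [name for name in LEGACY if results.get(name) == "accepted"]


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description="Report TLS versions accepted by a listener")
    ap.add_argument("host")
    ap.add_argument("port", nargs="?", type=int, default=6641)  # assumed OVN NB port
    args = ap.parse_args()
    res = probe_all(args.host, args.port)
    for name, outcome in res.items():
        print(f"{name:8s} {outcome}")
    bad = legacy_accepted(res)
    if bad:
        print("legacy versions still accepted:", ", ".join(bad))
        raise SystemExit(1)
    print("no pre-TLSv1.2 versions accepted")
```

Run it as `python3 probe_tls.py <ovn-central-host> 6641` (and again with 6642) from a host that can reach the listener; a non-zero exit means at least one of TLSv1/TLSv1.1 was negotiated and the `ssl_protocols` setting on the server side needs attention. An "error" result for every version means the probe never reached the service, so it says nothing about its TLS policy.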