Bug 1446538

Summary: SSL not working for OVN on CentOS 7
Product: Red Hat Enterprise Linux 7 Reporter: Marcin Mirecki <mmirecki>
Component: openvswitchAssignee: Lance Richardson <lrichard>
Status: CLOSED ERRATA QA Contact: qding
Severity: high Docs Contact:
Priority: high    
Version: 7.1CC: aloughla, atragler, bmcclain, danken, fleitner, lrichard, nusiddiq, qding, rhartman, snagar
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: openvswitch-2.7.0-3.git20170516.el7fdb Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-07-12 15:49:13 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1396143, 1448867    

Description Marcin Mirecki 2017-04-28 10:12:15 UTC 
Using the python-openvswitch to connect to OVN db's does not work when OVN is configured for SSL.

Steps to reproduce:

Configure OVN for SSL:
ovn-nbctl set-ssl ./keys/ovn-ndb.key.nopass ./certs/ovn-ndb.cer ./ca.pem
ovn-nbctl set-connection pssl:6641

Try connecting to OVN:
ovs.db.idl.Idl('ssl:127.0.0.1:6641', schema_helper).run()

Result:
No connection, OVN db logs do not show any connection, tcpdump does not show any traffic.

Reason:
The pyOpenSSL package on Centos seems to be missing some functionality:
x'OpenSSL.SSL.Context' object has no attribute 'set_session_cache_mode'

also it might be nice to include pyOpenSSL as a 'require' in the python-openvswitch rpm (although it is not needed when not using SSL, so this might not be doable).

Workaround:
Install the fedora version of pyOpenSSL, version: pyOpenSSL-16.2.0-1.fc25.noarch.rpm
this solves this specific problem
Comment 2 Lance Richardson 2017-05-01 12:09:02 UTC 
Recently-added support for SSL in the Python ovsdb API requires a newer
version of the pyopenssl package than present in RHEL7 or CentOS 7. This
is not specific to OVN.

Added Numan to cc: list as he is looking into an upstream fix for this issue.
Comment 3 Dan Kenigsberg 2017-05-11 10:09:22 UTC 
Lance/Numan, this is quite bad, as it makes the recent encryption support useless on production, where it is most importantly needed.

Which version of pyopenssl is required to enable encryption in OVN?
Could you ask RHEL-7.4 to have it?
If not, we may have to push it into the fast datapath.
Comment 5 Numan Siddique 2017-05-15 13:10:26 UTC 
I am looking into this issue and see if this can support v0.13 of pyopenssl and I will update the same here. But I feel it's good if v0.14, v16 or above is used since v0.13 is very old.

On fedora I see the version pyOpenSSL-16.2.0-1.fc25.noarch
Comment 6 Numan Siddique 2017-05-15 15:06:36 UTC 
Submitted the patch upstream to address this issue in pyOpenSSL v0.13

https://patchwork.ozlabs.org/patch/762560/
Comment 7 Numan Siddique 2017-05-24 07:51:02 UTC 
The patch is now merged in upstream master and upstream branch 2.7
Comment 8 Numan Siddique 2017-05-24 07:51:53 UTC 
Branch - https://github.com/openvswitch/ovs/commit/36056d89cc07eba74b4a866db244df3cb7d5b734

Maser - https://github.com/openvswitch/ovs/commit/ca9c2c56ff95ec44d264d817d636c1b5eb027f57
Comment 9 Lance Richardson 2017-05-26 16:51:43 UTC 
Fix has been backported to ovs 2.7 fd beta package, a build is available here
for testing:

    https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=560605
Comment 11 qding 2017-06-08 08:28:02 UTC 
[root@dell-per730-26 ~]# rpm -q pyOpenSSL
pyOpenSSL-0.13.1-3.el7.x86_64

+++ Reproduce with openvswitch-2.7.0-1.git20170516.el7fdb

## ----------------------------- ##
## openvswitch 2.7.0 test suite. ##
## ----------------------------- ##
...

2108: simple idl verify notify - SSL                  skipped (ovsdb-idl.at:1215)

[root@dell-per730-25 ~]# sed  '767,773!d;=' /usr/lib/python2.7/site-packages/ovs/stream.py | sed 'N;s/\n/:/'
767:        ctx = SSL.Context(SSL.SSLv23_METHOD)
768:        ctx.set_verify(SSL.VERIFY_PEER, SSLStream.verify_cb)
769:        ctx.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3)
770:        ctx.set_session_cache_mode(SSL.SESS_CACHE_OFF)
771:        # If the client has not set the SSL configuration files
772:        # exception would be raised.
773:        ctx.use_privatekey_file(Stream._SSL_private_key_file)
[root@dell-per730-25 ~]# 


+++ Verify with openvswitch-2.7.0-8.git20170530.el7fdb
## ----------------------------- ##
## openvswitch 2.7.0 test suite. ##
## ----------------------------- ##
...

2110: simple idl verify notify - SSL                  ok

[root@dell-per730-26 ~]# sed  '767,773!d;=' /usr/lib/python2.7/site-packages/ovs/stream.py | sed 'N;s/\n/:/'
767:        ctx = SSL.Context(SSL.SSLv23_METHOD)
768:        ctx.set_verify(SSL.VERIFY_PEER, SSLStream.verify_cb)
769:        ctx.set_options(SSL.OP_NO_SSLv2 | SSL.OP_NO_SSLv3)
770:        # If the client has not set the SSL configuration files
771:        # exception would be raised.
772:        ctx.use_privatekey_file(Stream._SSL_private_key_file)
773:        ctx.use_certificate_file(Stream._SSL_certificate_file)
[root@dell-per730-26 ~]#