Bug 1459438 - ovn-ctl is not able to specify TLS version used by ovsdb-server [master]
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: openvswitch
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assigned To: Lance Richardson
QA Contact: ovs-qe@redhat.com
Depends On:
Blocks: 1459440
Reported: 2017-06-07 03:20 EDT by Dominik Holler
Modified: 2017-06-07 08:54 EDT
Clone Of:
Clones: 1459440
Last Closed: 2017-06-07 08:54:50 EDT
Type: Bug
Description Dominik Holler 2017-06-07 03:20:07 EDT
Description of problem:

The allowed TLS versions for OVN Southbound DB and OVN Northbound DB can be set by the command line option --ssl-protocols of ovsdb-server, which hosts the two DBs.
ovsdb-server is started by ovn-ctl.
But it is not possible to pass the command line option --ssl-protocols through ovn-ctl, so it is not possible to start ovsdb-server with restricted TLS versions.

Version-Release number of selected component (if applicable): 2.7


How reproducible:


Steps to Reproduce:
1. Configure OVN Southbound DB and OVN Northbound DB to use only TLSv1.2

Actual results:

All TLS versions are accepted by OVN Southbound DB and OVN Northbound DB, since configuration is not yet possible.

Expected results:

Only TLSv1.2 is accepted by OVN Southbound DB and OVN Northbound DB.

Additional info:

https://mail.openvswitch.org/pipermail/ovs-discuss/2017-June/044641.html
Comment 2 Lance Richardson 2017-06-07 08:54:50 EDT
I don't think we need to add a new option to ovn-ctl. SSL key and
certificate configuration for OVN nb/sb ovsdb-server is handled solely
through db entries (no command-line option for these in ovn-ctl), so
we should do the same for SSL protocol and cipher configuration.

Having these configuration items in the db has the benefit of not having
to restart ovsdb-server if/when they need to be changed.

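Comment 2 settles where the protocol setting should live, not how to confirm it took effect. The following is an added example (not from the bug report and not OVS/OVN code): it stands up a local TLSv1.2-only listener in place of an ovsdb-server restricted to TLSv1.2, whether by --ssl-protocols or by a database entry, and then probes it with clients pinned to one protocol version each, which is the check a deployment should run after restricting the NB/SB databases. The listener, the throwaway self-signed certificate (made with the openssl CLI) and the probe are all constructed for this example; probe_tls_version and audit_listener are the reusable part and can be pointed at a real ovsdb-server host and port.

```python
"""Probe which TLS protocol versions a listener accepts (added example, not OVS code)."""
import os
import shutil
import socket
import ssl
import subprocess
import tempfile
import threading

# Versions worth probing. SSLv3/TLSv1.0 are omitted because current OpenSSL
# builds refuse to offer them at all, so a probe would prove nothing.
VERSIONS = {
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def probe_tls_version(host, port, version, timeout=5.0):
    """Return True if a handshake pinned to exactly `version` succeeds.

    Certificate verification is deliberately disabled: the probe answers only
    the protocol-negotiation question, not whether the server cert is trusted.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = VERSIONS[version]
        ctx.maximum_version = VERSIONS[version]
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() == version
    except (ssl.SSLError, OSError, ValueError):
        # protocol_version alert, version unsupported by the local OpenSSL,
        # or a plain connection failure: all mean "not accepted".
        return False


def audit_listener(host, port):
    """Map each probed version to whether the listener accepted it."""
    return {name: probe_tls_version(host, port, name) for name in VERSIONS}


def make_self_signed_cert(workdir):
    """Create a throwaway cert/key with the openssl CLI; None if that fails."""
    if shutil.which("openssl") is None:
        return None
    certfile = os.path.join(workdir, "cert.pem")
    keyfile = os.path.join(workdir, "key.pem")
    try:
        subprocess.run(
            ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
             "-subj", "/CN=localhost", "-keyout", keyfile, "-out", certfile],
            check=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    except (OSError, subprocess.CalledProcessError):
        return None
    return certfile, keyfile


def start_tls12_only_listener(certfile, keyfile):
    """Constructed stand-in for an ovsdb-server limited to TLSv1.2.

    Returns (port, stop_event); the accept loop runs in a daemon thread.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile, keyfile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # equivalent of allowing only TLSv1.2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    listener.settimeout(0.2)  # lets the loop notice the stop event
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = listener.accept()
            except socket.timeout:
                continue
            conn.settimeout(2.0)
            try:
                # A client offering only a disallowed version fails right here.
                with ctx.wrap_socket(conn, server_side=True) as tls:
                    tls.recv(1)  # wait for the probe to hang up
            except (ssl.SSLError, OSError):
                pass
            finally:
                conn.close()
        listener.close()

    threading.Thread(target=serve, daemon=True).start()
    return listener.getsockname()[1], stop


def demo():
    """End-to-end local run; returns the audit dict, or None without an openssl CLI."""
    with tempfile.TemporaryDirectory() as workdir:
        files = make_self_signed_cert(workdir)
        if files is None:
            return None
        port, stop = start_tls12_only_listener(*files)
        try:
            return audit_listener("127.0.0.1", port)
        finally:
            stop.set()


if __name__ == "__main__":
    for version, accepted in (demo() or {}).items():
        print(f"{version}: {'accepted' if accepted else 'rejected'}")
```

Against the built-in listener the audit reports TLSv1.2 accepted and TLSv1.1 and TLSv1.3 rejected; run the same audit_listener call against each NB/SB ovsdb-server endpoint after changing its protocol setting, and treat any version other than the intended one showing up as accepted as a configuration that did not take effect.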