Bug 1459441 - Store allowed TLS versions in the ovsdb database and have support in ovn-nbctl/ovn-sbctl etc. [master]
Status: ON_QA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: openvswitch
Unspecified Unspecified
medium Severity medium
: rc
: 7.5
Assigned To: Mark Michelson
: 1459442
Depends On:
Blocks: 1459442
Reported: 2017-06-07 03:37 EDT by Dominik Holler
Modified: 2017-09-28 05:50 EDT (History)
Fixed In Version: openvswitch-2.8.0-1.el7fdb
Type: Bug
Description Dominik Holler 2017-06-07 03:37:53 EDT
Description of problem:

ovn-nbctl/ovn-sbctl etc. can be used to store most ssl options, e.g. "--private-key" and "--certificate", in the ovsdb database. But it is not possible to store the option "--ssl-protocols" in the ovsdb database.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Use ovn-nbctl and ovn-sbctl to store the allowed TLS version TLSv1.2 in the database

Actual results:

All TLS versions are accepted by OVN Southbound DB and OVN Northbound DB, since configuration is not yet possible.

Expected results:

Only TLSv1.2 is accepted by OVN Southbound DB and OVN Northbound DB

Additional info:
Comment 2 Lance Richardson 2017-06-07 08:57:15 EDT
*** Bug 1459442 has been marked as a duplicate of this bug. ***
Comment 3 Lance Richardson 2017-06-07 09:02:01 EDT
Outline of work:
   - Add new columns ssl_protocols and ssl_ciphers to SSL tables in
     OVN_Northbound and OVN_Southbound db schemas.
   - Modify ovn-ctl to start nb/sb ovsdb-server with command-line options
     to take SSL protocol/cipher configuration from db.
   - Modify ovn-nbctl and ovn-sbctl "set-ssl" commands to take optional
     parameters to specify the SSL protocols and SSL ciphers that should
     be enabled.
   - Update documentation.
Comment 4 Lance Richardson 2017-06-07 13:38:18 EDT
Posted upstream:
Comment 5 Lance Richardson 2017-06-13 09:13:06 EDT
This will be available in Open vSwitch version 2.8.
Comment 6 Lance Richardson 2017-07-18 10:07:10 EDT
Upstream commit:
commit 51af591bd37802a286b598ca6f63ced0bd18a673
Author: Lance Richardson <>
Date:   Wed Jun 7 13:35:20 2017 -0400

    ovn: ssl proto/cipher configuration in nb/sb db
    Add SSL protocol and cipher columns to SSL tables in northbound
    and southbound databases. Start nb/sb ovsdb-server with command-
    line options to use these columns. Add support to ovn-nbctl
    and ovn-sbctl "set-ssl" commands for user-friendly management
    of these settings.
    Signed-off-by: Lance Richardson <>
    Signed-off-by: Ben Pfaff <>
Comment 7 Lance Richardson 2017-09-06 11:48:29 EDT
Upstream commit is contained in master and 2.8 branches, released in version
