Bug 1459441 - Store allowed TLS versions in the ovsdb database and have support in ovn-nbctl/ovn-sbctl etc. [master]
Status: ON_QA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: openvswitch (Show other bugs)
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: 7.5
Assigned To: Mark Michelson
QA Contact: qding
Duplicates: 1459442
Blocks: 1459442
Reported: 2017-06-07 03:37 EDT by Dominik Holler
Modified: 2017-09-28 05:50 EDT (History)

Fixed In Version: openvswitch-2.8.0-1.el7fdb
Clones: 1459442
Type: Bug

Description Dominik Holler 2017-06-07 03:37:53 EDT
Description of problem:

ovn-nbctl/ovn-sbctl etc. can be used to store most ssl options, e.g. "--private-key" and "--certificate", in the ovsdb database. But it is not possible to store the option "--ssl-protocols" in the ovsdb database.

Steps to Reproduce:
1. Use ovn-nbctl and ovn-sbctl to store the allowed TLS version TLSv1.2 in the database

Actual results:

All TLS versions are accepted by OVN Southbound DB and OVN Northbound DB, since configuration is not yet possible.

Expected results:

Only TLSv1.2 is accepted by OVN Southbound DB and OVN Northbound DB

Additional info:

https://mail.openvswitch.org/pipermail/ovs-discuss/2017-June/044641.html
Comment 2 Lance Richardson 2017-06-07 08:57:15 EDT
*** Bug 1459442 has been marked as a duplicate of this bug. ***
Comment 3 Lance Richardson 2017-06-07 09:02:01 EDT
Outline of work:
   - Add new columns ssl_protocols and ssl_ciphers to SSL tables in
     OVN_Northbound and OVN_Southbound db schemas.
   - Modify ovn-ctl to start nb/sb ovsdb-server with command-line options
     to take SSL protocol/cipher configuration from db.
   - Modify ovn-nbctl and ovn-sbctl "set-ssl" commands to take optional
     parameters to specify the SSL protocols and SSL ciphers that should
     be enabled.
   - Update documentation.
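A worked example, added here and not taken from the bug or from OVS, of how a deployment would use the "set-ssl" extension outlined above: it refuses a protocol list that still permits pre-1.2 TLS, writes the policy into both the Northbound and Southbound databases, and probes each listener to confirm that a legacy TLS version is turned away (the "Expected results" in the description). The key and certificate paths, the cipher string and the listener addresses on ports 6641/6642 are assumed placeholders.

```shell
#!/bin/sh
# Added example, not OVS code. OVS 2.8 "set-ssl" as outlined above takes
# key, cert, CA cert, then an optional protocol list and cipher list that
# land in the SSL table's ssl_protocols/ssl_ciphers columns; ovn-ctl 2.8
# starts nb/sb ovsdb-server with --ssl-protocols/--ssl-ciphers from them.
set -eu
# Placeholder paths and policy values (assumed; adjust for the deployment).
NB_KEY=/etc/openvswitch/ovnnb-privkey.pem
NB_CERT=/etc/openvswitch/ovnnb-cert.pem
SB_KEY=/etc/openvswitch/ovnsb-privkey.pem
SB_CERT=/etc/openvswitch/ovnsb-cert.pem
CA_CERT=/etc/openvswitch/cacert.pem
OVN_SSL_PROTOS=TLSv1.2
OVN_SSL_CIPHERS='HIGH:!aNULL:!MD5'
# Return 0 only if every entry in the comma-separated list $1 is TLSv1.2 or
# newer. An empty list is rejected too: it leaves ovsdb-server at its
# default, which still permits the older TLS versions.
tls_policy_ok() {
    [ -n "$1" ] || return 1
    oldifs=$IFS; IFS=,
    for proto in $1; do
        case $proto in
            TLSv1.2|TLSv1.3) ;;
            *) IFS=$oldifs; return 1 ;;
        esac
    done
    IFS=$oldifs
    return 0
}
# Store the policy in both databases, refusing to apply a list that would
# still accept pre-1.2 TLS.
apply_ovn_ssl_policy() {
    tls_policy_ok "$OVN_SSL_PROTOS" || {
        echo "refusing protocol list '$OVN_SSL_PROTOS'" >&2; return 1; }
    ovn-nbctl set-ssl "$NB_KEY" "$NB_CERT" "$CA_CERT" "$OVN_SSL_PROTOS" "$OVN_SSL_CIPHERS"
    ovn-sbctl set-ssl "$SB_KEY" "$SB_CERT" "$CA_CERT" "$OVN_SSL_PROTOS" "$OVN_SSL_CIPHERS"
}
# Probe a listener ($1 = host:port) with a legacy version flag such as
# -tls1_1; succeed only when openssl reports the handshake as refused.
legacy_tls_refused() {
    ! openssl s_client -connect "$1" "$2" </dev/null >/dev/null 2>&1
}
# Run only when invoked as: sh script.sh apply <nb-host>:6641 <sb-host>:6642
if [ "${1:-}" = apply ]; then
    apply_ovn_ssl_policy
    legacy_tls_refused "$2" -tls1_1 && legacy_tls_refused "$3" -tls1_1 \
        && echo "both databases refuse TLSv1.1"
fi
```

The probe only proves something once ovsdb-server has been started by an ovn-ctl that passes the db-backed --ssl-protocols option; an older ovn-ctl stores the columns but never reads them.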
Comment 4 Lance Richardson 2017-06-07 13:38:18 EDT
Posted upstream:

https://mail.openvswitch.org/pipermail/ovs-dev/2017-June/333580.html
Comment 5 Lance Richardson 2017-06-13 09:13:06 EDT
This will be available in Open vSwitch version 2.8.
Comment 6 Lance Richardson 2017-07-18 10:07:10 EDT
Upstream commit:
commit 51af591bd37802a286b598ca6f63ced0bd18a673
Author: Lance Richardson <lrichard@redhat.com>
Date:   Wed Jun 7 13:35:20 2017 -0400

    ovn: ssl proto/cipher configuration in nb/sb db
    
    Add SSL protocol and cipher columns to SSL tables in northbound
    and southbound databases. Start nb/sb ovsdb-server with command-
    line options to use these columns. Add support to ovn-nbctl
    and ovn-sbctl "set-ssl" commands for user-friendly management
    of these settings.
    
    Signed-off-by: Lance Richardson <lrichard@redhat.com>
    Signed-off-by: Ben Pfaff <blp@ovn.org>
Comment 7 Lance Richardson 2017-09-06 11:48:29 EDT
Upstream commit is contained in master and 2.8 branches, released in version
2.8.0.
