Bug 1459441 - Store allowed TLS versions in the ovsdb database and have support in ovn-nbctl/ovn-sbctl etc. [master]
Status: VERIFIED
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: openvswitch
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: 7.5
Assigned To: Mark Michelson
QA Contact: qding
Duplicates: 1459442
Depends On:
Blocks: 1459442
Reported: 2017-06-07 03:37 EDT by Dominik Holler
Modified: 2017-11-28 00:39 EST

See Also:
Fixed In Version: openvswitch-2.8.0-1.el7fdb
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments: None
Description Dominik Holler 2017-06-07 03:37:53 EDT
Description of problem:

ovn-nbctl/ovn-sbctl etc. can be used to store most SSL options, e.g. "--private-key" and "--certificate", in the ovsdb database. But it is not possible to store the option "--ssl-protocols" in the ovsdb database.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. Use ovn-nbctl and ovn-sbctl to store the allowed TLS version TLSv1.2 in the database
2.
3.

Actual results:

All TLS versions are accepted by OVN Southbound DB and OVN Northbound DB, since configuration is not yet possible.

Expected results:

Only TLSv1.2 is accepted by OVN Southbound DB and OVN Northbound DB

Additional info:

https://mail.openvswitch.org/pipermail/ovs-discuss/2017-June/044641.html
Comment 2 Lance Richardson 2017-06-07 08:57:15 EDT
*** Bug 1459442 has been marked as a duplicate of this bug. ***
Comment 3 Lance Richardson 2017-06-07 09:02:01 EDT
Outline of work:
   - Add new columns ssl_protocols and ssl_ciphers to SSL tables in
     OVN_Northbound and OVN_Southbound db schemas.
   - Modify ovn-ctl to start nb/sb ovsdb-server with command-line options
     to take SSL protocol/cipher configuration from db.
   - Modify ovn-nbctl and ovn-sbctl "set-ssl" commands to take optional
     parameters to specify the SSL protocols and SSL ciphers that should
     be enabled.
   - Update documentation.
Comment 4 Lance Richardson 2017-06-07 13:38:18 EDT
Posted upstream:

https://mail.openvswitch.org/pipermail/ovs-dev/2017-June/333580.html
Comment 5 Lance Richardson 2017-06-13 09:13:06 EDT
This will be available in Open vSwitch version 2.8.
Comment 6 Lance Richardson 2017-07-18 10:07:10 EDT
Upstream commit:
commit 51af591bd37802a286b598ca6f63ced0bd18a673
Author: Lance Richardson <lrichard@redhat.com>
Date:   Wed Jun 7 13:35:20 2017 -0400

    ovn: ssl proto/cipher configuration in nb/sb db
    
    Add SSL protocol and cipher columns to SSL tables in northbound
    and southbound databases. Start nb/sb ovsdb-server with command-
    line options to use these columns. Add support to ovn-nbctl
    and ovn-sbctl "set-ssl" commands for user-friendly management
    of these settings.
    
    Signed-off-by: Lance Richardson <lrichard@redhat.com>
    Signed-off-by: Ben Pfaff <blp@ovn.org>
Comment 7 Lance Richardson 2017-09-06 11:48:29 EDT
Upstream commit is contained in master and 2.8 branches, released in version
2.8.0.
Comment 10 haidong li 2017-11-26 22:28:30 EST
Hi Lance,
The new option can be configured successfully, but it can't be seen in the get-ssl command. Is it needed?
[root@dell-per730-21 ~]# ovs-vsctl show
75ed8c65-06dd-4033-af7a-3cd428b05212
    Bridge br-int
        fail_mode: secure
        Port br-int
            Interface br-int
                type: internal
    ovs_version: "2.8.0"
[root@dell-per730-21 ~]# 

[root@dell-per730-21 ~]# ovn-sbctl list ssl
_uuid               : 98d0fd64-487e-430b-ae76-f4a835a75f6b
bootstrap_ca_cert   : false
ca_cert             : "--ssl-protocols=TLSv1.1"
certificate         : "--certificate=/etc/openvswitch/controller-cert.pem"
external_ids        : {}
private_key         : "--private-key=/etc/openvswitch/controller-privkey.pem"
ssl_ciphers         : ""
ssl_protocols       : ""
[root@dell-per730-21 ~]# sudo ovn-sbctl set-ssl /etc/openvswitch/controller-privkey.pem /etc/openvswitch/controller-cert.pem /etc/openvswitch/pki/switchca/cacert.pem TLSv1.2,TLSV1.1 md5,high
[root@dell-per730-21 ~]# ovn-sbctl list ssl
_uuid               : fb9a03e8-ef70-4b63-aad0-82d03dd68b0e
bootstrap_ca_cert   : false
ca_cert             : "/etc/openvswitch/pki/switchca/cacert.pem"
certificate         : "/etc/openvswitch/controller-cert.pem"
external_ids        : {}
private_key         : "/etc/openvswitch/controller-privkey.pem"
ssl_ciphers         : "md5,high"
ssl_protocols       : "TLSv1.2,TLSV1.1"
[root@dell-per730-21 ~]# 
[root@dell-per730-21 ~]# sudo ovn-nbctl set-ssl /etc/openvswitch/controller-privkey.pem /etc/openvswitch/controller-cert.pem /etc/openvswitch/pki/switchca/cacert.pem TLSv1.0 md5,high
[root@dell-per730-21 ~]# ovn-sbctl list ssl
_uuid               : fb9a03e8-ef70-4b63-aad0-82d03dd68b0e
bootstrap_ca_cert   : false
ca_cert             : "/etc/openvswitch/pki/switchca/cacert.pem"
certificate         : "/etc/openvswitch/controller-cert.pem"
external_ids        : {}
private_key         : "/etc/openvswitch/controller-privkey.pem"
ssl_ciphers         : "md5,high"
ssl_protocols       : "TLSv1.2,TLSV1.1"
[root@dell-per730-21 ~]# ovn-nbctl list ssl
_uuid               : 4d479583-1c92-4282-8d6e-b53eaae3a4a8
bootstrap_ca_cert   : false
ca_cert             : "/etc/openvswitch/pki/switchca/cacert.pem"
certificate         : "/etc/openvswitch/controller-cert.pem"
external_ids        : {}
private_key         : "/etc/openvswitch/controller-privkey.pem"
ssl_ciphers         : "md5,high"
ssl_protocols       : "TLSv1.0"
[root@dell-per730-21 ~]# 
[root@dell-per730-21 ~]# ovn-nbctl get-ssl 
Private key: /etc/openvswitch/controller-privkey.pem
Certificate: /etc/openvswitch/controller-cert.pem
CA Certificate: /etc/openvswitch/pki/switchca/cacert.pem
Bootstrap: false
[root@dell-per730-21 ~]# ovn-sbctl get-ssl 
Private key: /etc/openvswitch/controller-privkey.pem
Certificate: /etc/openvswitch/controller-cert.pem
CA Certificate: /etc/openvswitch/pki/switchca/cacert.pem
Bootstrap: false
[root@dell-per730-21 ~]
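The three `list ssl` records pasted above show the two things worth checking in a deployed OVN database once this feature is in use: whether the path columns really contain paths (the first record has `--ssl-protocols=...` style strings in `ca_cert`, `certificate` and `private_key`, because `set-ssl` takes those three arguments positionally, followed by the optional protocol list and cipher list), and whether the stored protocol and cipher lists are actually strict (the second record allows TLSV1.1 and MD5 suites). The following Python audit is an added example, not code from this bug or from Open vSwitch. It parses the key/value text that `ovn-nbctl list ssl` / `ovn-sbctl list ssl` print and reports such findings. The sample records are constructed from comment 10; the hardened record, the weak-keyword list and the "TLS 1.2 only" policy are the reviewer's assumptions, and the canonical protocol spellings follow the names used with `--ssl-protocols` in the tester's commands. Whether ovsdb-server honours a differently cased token such as `TLSV1.1` is not verified here, so the audit only flags it for a manual check.

```python
"""Audit TLS settings stored in an OVN Northbound/Southbound SSL table.

Added example, not code from the bug report or from Open vSwitch.  It parses
the key/value text printed by `ovn-nbctl list ssl` / `ovn-sbctl list ssl` and
flags settings a reviewer would reject.  Sample records are constructed from
the output pasted in comment 10; the hardened record is hypothetical.
"""
import re

# Protocol names as used with --ssl-protocols ("any" is also accepted).
CANONICAL_PROTOCOLS = ("TLSv1", "TLSv1.1", "TLSv1.2")
WEAK_PROTOCOLS = {"tlsv1", "tlsv1.1"}  # assumed policy: anything below TLS 1.2
# OpenSSL cipher-list keywords that pull in weak or unauthenticated suites
# (assumed audit policy, not an OVS rule).
WEAK_CIPHER_KEYWORDS = {"md5", "low", "export", "anull", "enull", "null", "rc4", "des", "all"}
PATH_COLUMNS = ("private_key", "certificate", "ca_cert")


def parse_list_ssl(text):
    """Turn one `list ssl` record into a dict, stripping the surrounding quotes."""
    record = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(\w+)\s*:\s*(.*?)\s*$", line)
        if m:
            key, value = m.groups()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            record[key] = value
    return record


def audit_ssl_record(record):
    """Return human-readable findings; an empty list means the record passes."""
    findings = []
    # Comment 10's first record: flag-style strings ended up in the path columns
    # because set-ssl takes key, certificate and CA certificate positionally.
    for col in PATH_COLUMNS:
        if record.get(col, "").startswith("--"):
            findings.append(f"{col}: {record[col]!r} is a command-line flag, not a path")
    protocols = record.get("ssl_protocols", "")
    if not protocols:
        findings.append("ssl_protocols: empty, so the ovsdb-server default applies "
                        "and TLS versions are not restricted")
    for tok in filter(None, (t.strip() for t in protocols.split(","))):
        if tok.lower() in WEAK_PROTOCOLS:
            findings.append(f"ssl_protocols: {tok} allowed; restrict to TLSv1.2")
        if tok not in CANONICAL_PROTOCOLS and tok.lower() != "any":
            findings.append(f"ssl_protocols: {tok!r} is not spelled like "
                            f"{'/'.join(CANONICAL_PROTOCOLS)}; verify it is honoured")
    ciphers = record.get("ssl_ciphers", "")
    if not ciphers:
        findings.append("ssl_ciphers: empty, so the ovsdb-server default cipher list applies")
    for tok in filter(None, (t.strip() for t in re.split(r"[:,]", ciphers))):
        if tok[0] in "!-":
            continue  # '!MD5' / '-MD5' remove suites, which is what we want
        if tok.lstrip("+").lower() in WEAK_CIPHER_KEYWORDS:
            findings.append(f"ssl_ciphers: {tok!r} enables weak suites")
    return findings


def set_ssl_args(tool, key, cert, ca, protocols="TLSv1.2", ciphers="HIGH:!aNULL:!MD5"):
    """argv for `ovn-nbctl`/`ovn-sbctl set-ssl` in the positional order used in
    comment 10: key, certificate, CA certificate, protocol list, cipher list.
    The default protocol and cipher lists are this example's hardened policy."""
    return [tool, "set-ssl", key, cert, ca, protocols, ciphers]


# Constructed from comment 10's first record: flag strings in the path columns.
MISUSED_RECORD = """\
ca_cert             : "--ssl-protocols=TLSv1.1"
certificate         : "--certificate=/etc/openvswitch/controller-cert.pem"
private_key         : "--private-key=/etc/openvswitch/controller-privkey.pem"
ssl_ciphers         : ""
ssl_protocols       : ""
"""
# Constructed from comment 10's second record: TLS 1.1 and MD5 suites allowed.
WEAK_RECORD = """\
ca_cert             : "/etc/openvswitch/pki/switchca/cacert.pem"
certificate         : "/etc/openvswitch/controller-cert.pem"
private_key         : "/etc/openvswitch/controller-privkey.pem"
ssl_ciphers         : "md5,high"
ssl_protocols       : "TLSv1.2,TLSV1.1"
"""
# Hypothetical hardened record: TLS 1.2 only, no anonymous or MD5 suites.
HARDENED_RECORD = """\
ca_cert             : "/etc/openvswitch/pki/switchca/cacert.pem"
certificate         : "/etc/openvswitch/controller-cert.pem"
private_key         : "/etc/openvswitch/controller-privkey.pem"
ssl_ciphers         : "HIGH:!aNULL:!MD5"
ssl_protocols       : "TLSv1.2"
"""

if __name__ == "__main__":
    for name, text in (("misused", MISUSED_RECORD), ("weak", WEAK_RECORD),
                       ("hardened", HARDENED_RECORD)):
        print(name, audit_ssl_record(parse_list_ssl(text)) or ["ok"])
    print(" ".join(set_ssl_args("ovn-sbctl", "/etc/openvswitch/controller-privkey.pem",
                                "/etc/openvswitch/controller-cert.pem",
                                "/etc/openvswitch/pki/switchca/cacert.pem")))
```

Run it against the output of `ovn-nbctl list ssl` and `ovn-sbctl list ssl` on a live host (piped into `parse_list_ssl`) after `set-ssl`; a clean result only says the database holds a strict policy, so also confirm the listener behaviour with a client that offers only TLS 1.0 or 1.1 and check that the handshake is refused, since `get-ssl` does not display the protocol and cipher columns (comment 11).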
Comment 11 Mark Michelson 2017-11-27 09:35:48 EST
Hello.

It is not intended to be able to see the SSL protocols/ciphers from "ovn-sbctl get-ssl". The patch is working as expected.

Thank you for asking, though.
Comment 12 haidong li 2017-11-28 00:39:42 EST
The bug is verified according to comments 10 and 11.
