OVSDB currently does not support fine-tuning the SSL parameters used for 
connections. This means that users are unable to specify not using ciphers 
widely considered to be unsafe or to avoid using TLS protocols that do not meet 
their organizational standards.

This adds two new commands "--ssl-protocols" and "--ssl-ciphers" to the ovsdb 
programs to specify which SSL protocols and ciphers to use. In addition, the 
default cipher string is set to "HIGH:!aNULL:!MD5". This is the current default 
for nginx and removes weak ciphers while allowing most services from the last 
several years to still connect.

The patch was tested by adding new test cases that check that the options can 
be set and that, when incompatible SSL parameters are used, it results in a 
failure to communicate. Additionally, since this adds 2 new files, "make 
distcheck" was used to verify that this works correctly.
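The cipher-string default described above, worked through in an added example that is not code from this patch or from the Open vSwitch project. Python's ssl module passes the same OpenSSL cipher-string grammar to SSL_CTX_set_cipher_list that a "--ssl-ciphers" style setting would, so it can expand "HIGH:!aNULL:!MD5", flag any cipher that uses anonymous key exchange, an MD5 MAC or a key under 128 bits, and show why two endpoints whose cipher policies do not overlap cannot communicate (the situation the new test cases exercise). All function names are the example's own; the parsing of OpenSSL's cipher descriptions and the note that TLS 1.3 suites are configured separately from the cipher string are assumptions about OpenSSL 1.1.1+ behaviour, not something the patch states.

```python
"""Audit an OpenSSL cipher string and compare two endpoints' cipher policies.

Added example, not part of the OVS patch.  It relies on Python's ssl module,
which hands the cipher string to OpenSSL's SSL_CTX_set_cipher_list exactly as
a daemon configured with a cipher-string option would.
"""
import re
import ssl

# OpenSSL describes each cipher as, for example,
# "ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD";
# this pulls out the key-exchange, authentication, encryption and MAC fields.
_FIELD = re.compile(r"\b(Kx|Au|Enc|Mac)=(\S+)")


def expand_cipher_string(cipher_string):
    """Return the TLS <= 1.2 ciphers OpenSSL selects for cipher_string.

    ssl.SSLContext.set_ciphers raises ssl.SSLError when nothing matches,
    mirroring OpenSSL's "no cipher can be selected" failure.  TLS 1.3 suites
    are configured by a separate OpenSSL call (assumption: OpenSSL 1.1.1+)
    and are not affected by a cipher string, so they are left out here.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    ciphers = []
    for entry in ctx.get_ciphers():
        if entry["protocol"] == "TLSv1.3":
            continue
        fields = dict(_FIELD.findall(entry["description"]))
        ciphers.append({
            "name": entry["name"],
            "kx": fields.get("Kx"),
            "auth": fields.get("Au"),      # "None" means anonymous (aNULL)
            "mac": fields.get("Mac"),      # "MD5", "SHA1", "AEAD", ...
            "bits": entry["strength_bits"],
        })
    return ciphers


def audit_cipher_string(cipher_string):
    """Expand cipher_string and list the ciphers a reviewer would reject:
    anonymous key exchange, an MD5 MAC, or fewer than 128 key bits."""
    ciphers = expand_cipher_string(cipher_string)
    violations = [
        c["name"] for c in ciphers
        if c["auth"] == "None" or c["mac"] == "MD5" or c["bits"] < 128
    ]
    return {"ciphers": [c["name"] for c in ciphers], "violations": violations}


def common_ciphers(server_spec, client_spec):
    """Cipher names that both a server configured with server_spec and a
    client configured with client_spec would offer.  An empty result means
    the TLS handshake cannot succeed, whatever else is configured."""
    server = {c["name"] for c in expand_cipher_string(server_spec)}
    client = {c["name"] for c in expand_cipher_string(client_spec)}
    return sorted(server & client)


def can_negotiate(server_spec, client_spec):
    """True if the two cipher policies share at least one cipher."""
    return bool(common_ciphers(server_spec, client_spec))


def context_for_policy(cipher_string, min_protocol="TLSv1.2"):
    """Build an SSLContext that applies both a protocol floor and a cipher
    string, the two knobs the patch exposes.  min_protocol uses the OpenSSL
    spelling ("TLSv1.2"), mapped onto Python's ssl.TLSVersion names."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion[min_protocol.replace(".", "_")]
    ctx.set_ciphers(cipher_string)
    return ctx


if __name__ == "__main__":
    # "HIGH" alone admits anonymous suites; the patch's default excludes them.
    for spec in ("HIGH", "HIGH:!aNULL:!MD5"):
        report = audit_cipher_string(spec)
        print(f"{spec}: {len(report['ciphers'])} ciphers, "
              f"violations: {report['violations'] or 'none'}")
    print("default vs ECDHE-RSA-AES128-GCM-SHA256 client:",
          common_ciphers("HIGH:!aNULL:!MD5", "ECDHE-RSA-AES128-GCM-SHA256"))
    print("disjoint policies can negotiate:",
          can_negotiate("ECDHE-RSA-AES128-GCM-SHA256",
                        "ECDHE-RSA-AES256-GCM-SHA384"))
```

Running the script prints the violation list for a bare "HIGH" string next to the clean result for the patch's default, then shows one overlapping and one disjoint server/client pair; the disjoint pair is the same condition the new tests check, an empty cipher intersection and therefore no connection.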

Ethan Rahn (1):
  Add support for specifying SSL connection parameters to ovsdb

 AUTHORS                                   |  1 +
 lib/automake.mk                           |  2 +
 lib/ssl-connect-syn.man                   |  5 +++
 lib/ssl-connect.man                       | 16 +++++++
 lib/stream-ssl.c                          | 70 +++++++++++++++++++++++++++++++
 lib/stream-ssl.h                          | 20 ++++++++-
 manpages.mk                               |  8 ++++
 ovn/controller-vtep/ovn-controller-vtep.c |  3 +-
 ovn/controller/ovn-controller.c           |  3 +-
 ovn/northd/ovn-northd.c                   |  1 +
 ovn/utilities/ovn-nbctl.c                 |  3 +-
 ovn/utilities/ovn-sbctl.c                 |  3 +-
 ovn/utilities/ovn-trace.c                 |  1 +
 ovsdb/ovsdb-client.1.in                   |  3 ++
 ovsdb/ovsdb-client.c                      |  3 +-
 ovsdb/ovsdb-server.1.in                   |  3 ++
 ovsdb/ovsdb-server.c                      | 23 ++++++++--
 tests/ovsdb-server.at                     | 68 +++++++++++++++++++++++++++++-
 tests/test-jsonrpc.c                      |  3 +-
 utilities/ovs-ofctl.c                     |  3 +-
 utilities/ovs-testcontroller.c            |  3 +-
 utilities/ovs-vsctl.c                     |  3 +-
 vswitchd/ovs-vswitchd.c                   |  1 +
 vtep/vtep-ctl.c                           |  3 +-
 24 files changed, 234 insertions(+), 18 deletions(-)
 create mode 100644 lib/ssl-connect-syn.man
 create mode 100644 lib/ssl-connect.man

-- 
1.8.1.4
