[ovs-dev] [PATCH ovn v2] fix segfault due to ssl-ciphers

amginwal Wed, 17 Jan 2024 12:13:20 -0800

From: Aliasgar Ginwala <aginw...@ebay.com>

To avoid invalidating existing certs setup by old version of ovs pki.
openssl supports setting ciphers but it fails with ovn as below
ovn-controller --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1'
Aborted (core dumped)


Avoid invalidating existing certs when bumping to new ovn version
SSL_connect: error:1416F086:SSL 
routines:tls_process_server_certificate:certificate verify failed while 
connecting to control plane.

Also amend ovn ic northd and ovn ctl utilities

Add tests for ssl ciphers

Signed-off-by: Aliasgar Ginwala <aginw...@ebay.com>
---
 controller/ovn-controller.c |   7 ++
 ic/ovn-ic.c                 |   8 ++
 northd/ovn-northd.c         |   8 ++
 tests/ovn-controller.at     |  23 +++++
 tests/ovn.at                | 182 ++++++++++++++++++++++++++++++++++++
 utilities/ovn-dbctl.c       |   8 ++
 6 files changed, 236 insertions(+)

diff --git a/controller/ovn-controller.c b/controller/ovn-controller.c
index 856e5e270..4b16818a6 100644
--- a/controller/ovn-controller.c
+++ b/controller/ovn-controller.c
@@ -6166,6 +6166,13 @@ parse_options(int argc, char *argv[])
             ssl_ca_cert_file = optarg;
             break;
 
+        case OPT_SSL_PROTOCOLS:
+            stream_ssl_set_protocols(optarg);
+            break;
+
+        case OPT_SSL_CIPHERS:
+            stream_ssl_set_ciphers(optarg);
+            break;
 
         case OPT_PEER_CA_CERT:
             stream_ssl_set_peer_ca_cert_file(optarg);
diff --git a/ic/ovn-ic.c b/ic/ovn-ic.c
index 8ceb34d7c..6f8f5734d 100644
--- a/ic/ovn-ic.c
+++ b/ic/ovn-ic.c
@@ -1846,6 +1846,14 @@ parse_options(int argc OVS_UNUSED, char *argv[] 
OVS_UNUSED)
             ssl_ca_cert_file = optarg;
             break;
 
+        case OPT_SSL_PROTOCOLS:
+            stream_ssl_set_protocols(optarg);
+            break;
+
+        case OPT_SSL_CIPHERS:
+            stream_ssl_set_ciphers(optarg);
+            break;
+
         case 'd':
             ovnsb_db = optarg;
             break;
diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
index f3868068d..dadc1af38 100644
--- a/northd/ovn-northd.c
+++ b/northd/ovn-northd.c
@@ -611,6 +611,14 @@ parse_options(int argc OVS_UNUSED, char *argv[] OVS_UNUSED,
             ssl_ca_cert_file = optarg;
             break;
 
+        case OPT_SSL_PROTOCOLS:
+            stream_ssl_set_protocols(optarg);
+            break;
+
+        case OPT_SSL_CIPHERS:
+            stream_ssl_set_ciphers(optarg);
+            break;
+
         case 'd':
             ovnsb_db = optarg;
             break;
diff --git a/tests/ovn-controller.at b/tests/ovn-controller.at
index 9d2a37c72..9cc8730e9 100644
--- a/tests/ovn-controller.at
+++ b/tests/ovn-controller.at
@@ -2712,3 +2712,26 @@ AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=40 | 
grep -q controller], [1]
 OVN_CLEANUP([hv1])
 AT_CLEANUP
 ])
+
+
+AT_SETUP([ovn-controller - ssl ciphers using command line options])
+AT_KEYWORDS([ovn])
+AT_SKIP_IF([test "$HAVE_OPENSSL" = no])
+ovn_start
+
+net_add n1
+sim_add hv1
+ovs-vsctl add-br br-phys
+ovn_attach n1 br-phys 192.168.0.20
+
+# Set cipher and and it should connect
+OVS_APP_EXIT_AND_WAIT([ovn-controller])
+start_daemon ovn-controller --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' 
--ssl-protocols='TLSv1,TLSv1.1,TLSv1.2'
+
+OVS_WAIT_FOR_OUTPUT([ovn-appctl -t ovn-controller connection-status], [0], 
[connected
+])
+
+cat hv1/ovn-controller.log
+
+OVN_CLEANUP([hv1])
+AT_CLEANUP
diff --git a/tests/ovn.at b/tests/ovn.at
index c3644ac78..34f277ef9 100644
--- a/tests/ovn.at
+++ b/tests/ovn.at
@@ -37588,3 +37588,185 @@ OVN_CLEANUP([hv1])
 
 AT_CLEANUP
 ])
+
+AT_SETUP([read-only sb db:pssl access with ssl-ciphers and ssl-protocols])
+AT_SKIP_IF([test "$HAVE_OPENSSL" = no])
+PKIDIR="$(cd $abs_top_builddir/tests && pwd)"
+AT_SKIP_IF([expr "$PKIDIR" : ".*[[     '\"
+\\]]"])
+
+: > .$1.db.~lock~
+ovsdb-tool create ovn-sb.db "$abs_top_srcdir"/ovn-sb.ovsschema
+
+# Add read-only remote to sb ovsdb-server
+AT_CHECK(
+  [ovsdb-tool transact ovn-sb.db \
+     ['["OVN_Southbound",
+       {"op": "insert",
+        "table": "SB_Global",
+        "row": {
+          "connections": ["set", [["named-uuid", "xyz"]]]}},
+       {"op": "insert",
+        "table": "Connection",
+        "uuid-name": "xyz",
+        "row": {"target": "pssl:0:127.0.0.1",
+               "read_only": true}}]']], [0], [ignore], [ignore])
+
+start_daemon ovsdb-server --remote=punix:ovn-sb.sock \
+                          --remote=db:OVN_Southbound,SB_Global,connections \
+                          --private-key="$PKIDIR/testpki-test2-privkey.pem" \
+                          --certificate="$PKIDIR/testpki-test2-cert.pem" \
+                          --ca-cert="$PKIDIR/testpki-cacert.pem" \
+                          --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \
+                          --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \
+                          ovn-sb.db
+
+PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT])
+
+# read-only accesses should succeed
+AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \
+                    --private-key=$PKIDIR/testpki-test-privkey.pem \
+                    --certificate=$PKIDIR/testpki-test-cert.pem \
+                    --ca-cert=$PKIDIR/testpki-cacert.pem \
+                    --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \
+                    --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \
+                    list SB_Global], [0], [stdout], [ignore])
+AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \
+                    --private-key=$PKIDIR/testpki-test-privkey.pem \
+                    --certificate=$PKIDIR/testpki-test-cert.pem \
+                    --ca-cert=$PKIDIR/testpki-cacert.pem \
+                    --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \
+                    --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \
+                    list Connection], [0], [stdout], [ignore])
+
+# write access should fail
+AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \
+                    --private-key=$PKIDIR/testpki-test-privkey.pem \
+                    --certificate=$PKIDIR/testpki-test-cert.pem \
+                    --ca-cert=$PKIDIR/testpki-cacert.pem \
+                    --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \
+                    --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \
+                    chassis-add ch vxlan 1.2.4.8], [1], [ignore],
+[ovn-sbctl: transaction error: {"details":"insert operation not allowed when 
database server is in read only mode","error":"not allowed"}
+])
+
+OVS_APP_EXIT_AND_WAIT([ovsdb-server])
+AT_CLEANUP
+
+AT_SETUP([nb connection/ssl commands with ssl-ciphers and ssl-protocols])
+AT_SKIP_IF([test "$HAVE_OPENSSL" = no])
+PKIDIR="$(cd $abs_top_builddir/tests && pwd)"
+AT_SKIP_IF([expr "$PKIDIR" : ".*[[     '\"
+\\]]"])
+
+: > .$1.db.~lock~
+ovsdb-tool create ovn-nb.db "$abs_top_srcdir"/ovn-nb.ovsschema
+
+# Start nb db server using db connection/ssl entries (unpopulated initially)
+start_daemon ovsdb-server --remote=punix:ovnnb_db.sock \
+                          --remote=db:OVN_Northbound,NB_Global,connections \
+                          --private-key=db:OVN_Northbound,SSL,private_key \
+                          --certificate=db:OVN_Northbound,SSL,certificate \
+                          --ca-cert=db:OVN_Northbound,SSL,ca_cert \
+                          --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \
+                          --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \
+                          ovn-nb.db
+
+# Populate SSL configuration entries in nb db
+AT_CHECK(
+    [ovn-nbctl set-ssl $PKIDIR/testpki-test-privkey.pem \
+                       $PKIDIR/testpki-test-cert.pem \
+                       $PKIDIR/testpki-cacert.pem], [0], [stdout], [ignore])
+
+# Populate a passive SSL connection in nb db
+AT_CHECK([ovn-nbctl set-connection pssl:0:127.0.0.1], [0], [stdout], [ignore])
+
+PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT])
+
+# Verify SSL connetivity to nb db server
+AT_CHECK([ovn-nbctl --db=ssl:127.0.0.1:$TCP_PORT \
+                    --private-key=$PKIDIR/testpki-test-privkey.pem \
+                    --certificate=$PKIDIR/testpki-test-cert.pem \
+                    --ca-cert=$PKIDIR/testpki-cacert.pem \
+                    --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \
+                    --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \
+          list NB_Global],
+         [0], [stdout], [ignore])
+AT_CHECK([ovn-nbctl --db=ssl:127.0.0.1:$TCP_PORT \
+                    --private-key=$PKIDIR/testpki-test-privkey.pem \
+                    --certificate=$PKIDIR/testpki-test-cert.pem \
+                    --ca-cert=$PKIDIR/testpki-cacert.pem \
+                    --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \
+                    --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \
+          list Connection],
+         [0], [stdout], [ignore])
+AT_CHECK([ovn-nbctl --db=ssl:127.0.0.1:$TCP_PORT \
+                    --private-key=$PKIDIR/testpki-test-privkey.pem \
+                    --certificate=$PKIDIR/testpki-test-cert.pem \
+                    --ca-cert=$PKIDIR/testpki-cacert.pem \
+                    --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \
+                    --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \
+          get-connection],
+         [0], [stdout], [ignore])
+
+OVS_APP_EXIT_AND_WAIT([ovsdb-server])
+AT_CLEANUP
+
+AT_SETUP([sb connection/ssl commands with ssl-ciphers and ssl-protocols])
+AT_SKIP_IF([test "$HAVE_OPENSSL" = no])
+PKIDIR="$(cd $abs_top_builddir/tests && pwd)"
+AT_SKIP_IF([expr "$PKIDIR" : ".*[[     '\"
+\\]]"])
+
+: > .$1.db.~lock~
+ovsdb-tool create ovn-sb.db "$abs_top_srcdir"/ovn-sb.ovsschema
+
+# Start sb db server using db connection/ssl entries (unpopulated initially)
+start_daemon ovsdb-server --remote=punix:ovnsb_db.sock \
+                          --remote=db:OVN_Southbound,SB_Global,connections \
+                          --private-key=db:OVN_Southbound,SSL,private_key \
+                          --certificate=db:OVN_Southbound,SSL,certificate \
+                          --ca-cert=db:OVN_Southbound,SSL,ca_cert \
+                          --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \
+                          --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \
+                          ovn-sb.db
+
+# Populate SSL configuration entries in sb db
+AT_CHECK(
+    [ovn-sbctl set-ssl $PKIDIR/testpki-test-privkey.pem \
+                       $PKIDIR/testpki-test-cert.pem \
+                       $PKIDIR/testpki-cacert.pem], [0], [stdout], [ignore])
+
+# Populate a passive SSL connection in sb db
+AT_CHECK([ovn-sbctl set-connection pssl:0:127.0.0.1], [0], [stdout], [ignore])
+
+PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT])
+
+# Verify SSL connetivity to sb db server
+AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \
+                    --private-key=$PKIDIR/testpki-test-privkey.pem \
+                    --certificate=$PKIDIR/testpki-test-cert.pem \
+                    --ca-cert=$PKIDIR/testpki-cacert.pem \
+                    --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \
+                    --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \
+          list SB_Global],
+         [0], [stdout], [ignore])
+AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \
+                    --private-key=$PKIDIR/testpki-test-privkey.pem \
+                    --certificate=$PKIDIR/testpki-test-cert.pem \
+                    --ca-cert=$PKIDIR/testpki-cacert.pem \
+                    --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \
+                    --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \
+          list Connection],
+         [0], [stdout], [ignore])
+AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \
+                    --private-key=$PKIDIR/testpki-test-privkey.pem \
+                    --certificate=$PKIDIR/testpki-test-cert.pem \
+                    --ca-cert=$PKIDIR/testpki-cacert.pem \
+                    --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \
+                    --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \
+          get-connection],
+         [0], [stdout], [ignore])
+
+OVS_APP_EXIT_AND_WAIT([ovsdb-server])
+AT_CLEANUP
diff --git a/utilities/ovn-dbctl.c b/utilities/ovn-dbctl.c
index 2e9348c47..92be27b2c 100644
--- a/utilities/ovn-dbctl.c
+++ b/utilities/ovn-dbctl.c
@@ -610,6 +610,14 @@ apply_options_direct(const struct ovn_dbctl_options 
*dbctl_options,
             ssl_ca_cert_file = optarg;
             break;
 
+        case OPT_SSL_PROTOCOLS:
+            stream_ssl_set_protocols(optarg);
+            break;
+
+        case OPT_SSL_CIPHERS:
+            stream_ssl_set_ciphers(optarg);
+            break;
+
         case OPT_BOOTSTRAP_CA_CERT:
             stream_ssl_set_ca_cert_file(po->arg, true);
             break;
-- 
2.39.3 (Apple Git-145)

_______________________________________________
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev

[ovs-dev] [PATCH ovn v2] fix segfault due to ssl-ciphers

Reply via email to