On Thu, Jan 18, 2024 at 1:42 AM Ales Musil <amu...@redhat.com> wrote:
>
> On Wed, Jan 17, 2024 at 9:13 PM <amgin...@gmail.com> wrote:
>
> > From: Aliasgar Ginwala <aginw...@ebay.com>
> >
> > To avoid invalidating existing certs setup by old version of ovs pki.
> > openssl supports setting ciphers but it fails with ovn as below
> > ovn-controller --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1'
> > Aborted (core dumped)
> >
> > Avoid invalidating existing certs when bumping to new ovn version
> > SSL_connect: error:1416F086:SSL
> > routines:tls_process_server_certificate:certificate verify failed while
> > connecting to control plane.
> >
> > Also amend ovn ic northd and ovn ctl utilities
> >
> > Add tests for ssl ciphers
> >
> > Signed-off-by: Aliasgar Ginwala <aginw...@ebay.com>
> > ---
> >
>
> Hi Aliasgar,
>
> thank you for the v2.
>
>
> > controller/ovn-controller.c | 7 ++
> > ic/ovn-ic.c | 8 ++
> > northd/ovn-northd.c | 8 ++
> > tests/ovn-controller.at | 23 +++++
> > tests/ovn.at | 182 ++++++++++++++++++++++++++++++++++++
> > utilities/ovn-dbctl.c | 8 ++
> > 6 files changed, 236 insertions(+)
> >
> > diff --git a/controller/ovn-controller.c b/controller/ovn-controller.c
> > index 856e5e270..4b16818a6 100644
> > --- a/controller/ovn-controller.c
> > +++ b/controller/ovn-controller.c
> > @@ -6166,6 +6166,13 @@ parse_options(int argc, char *argv[])
> > ssl_ca_cert_file = optarg;
> > break;
> >
> > + case OPT_SSL_PROTOCOLS:
> > + stream_ssl_set_protocols(optarg);
> > + break;
> > +
> > + case OPT_SSL_CIPHERS:
> > + stream_ssl_set_ciphers(optarg);
> > + break;
> >
> > case OPT_PEER_CA_CERT:
> > stream_ssl_set_peer_ca_cert_file(optarg);
> > diff --git a/ic/ovn-ic.c b/ic/ovn-ic.c
> > index 8ceb34d7c..6f8f5734d 100644
> > --- a/ic/ovn-ic.c
> > +++ b/ic/ovn-ic.c
> > @@ -1846,6 +1846,14 @@ parse_options(int argc OVS_UNUSED, char *argv[]
> > OVS_UNUSED)
> > ssl_ca_cert_file = optarg;
> > break;
> >
> > + case OPT_SSL_PROTOCOLS:
> > + stream_ssl_set_protocols(optarg);
> > + break;
> > +
> > + case OPT_SSL_CIPHERS:
> > + stream_ssl_set_ciphers(optarg);
> > + break;
> > +
> > case 'd':
> > ovnsb_db = optarg;
> > break;
> > diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
> > index f3868068d..dadc1af38 100644
> > --- a/northd/ovn-northd.c
> > +++ b/northd/ovn-northd.c
> > @@ -611,6 +611,14 @@ parse_options(int argc OVS_UNUSED, char *argv[]
> > OVS_UNUSED,
> > ssl_ca_cert_file = optarg;
> > break;
> >
> > + case OPT_SSL_PROTOCOLS:
> > + stream_ssl_set_protocols(optarg);
> > + break;
> > +
> > + case OPT_SSL_CIPHERS:
> > + stream_ssl_set_ciphers(optarg);
> > + break;
> > +
> > case 'd':
> > ovnsb_db = optarg;
> > break;
> > diff --git a/tests/ovn-controller.at b/tests/ovn-controller.at
> > index 9d2a37c72..9cc8730e9 100644
> > --- a/tests/ovn-controller.at
> > +++ b/tests/ovn-controller.at
> > @@ -2712,3 +2712,26 @@ AT_CHECK([as hv1 ovs-ofctl dump-flows br-int
> > table=40 | grep -q controller], [1]
> > OVN_CLEANUP([hv1])
> > AT_CLEANUP
> > ])
> > +
> > +
> >
>
> nit: Extra empty line, this can be addressed during merge.
>
>
> > +AT_SETUP([ovn-controller - ssl ciphers using command line options])
> > +AT_KEYWORDS([ovn])
> > +AT_SKIP_IF([test "$HAVE_OPENSSL" = no])
> > +ovn_start
> > +
> > +net_add n1
> > +sim_add hv1
> > +ovs-vsctl add-br br-phys
> > +ovn_attach n1 br-phys 192.168.0.20
> > +
> > +# Set cipher and and it should connect
> > +OVS_APP_EXIT_AND_WAIT([ovn-controller])
> > +start_daemon ovn-controller --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1'
> > --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2'
> > +
> > +OVS_WAIT_FOR_OUTPUT([ovn-appctl -t ovn-controller connection-status],
> > [0], [connected
> > +])
> > +
> > +cat hv1/ovn-controller.log
> > +
> > +OVN_CLEANUP([hv1])
> > +AT_CLEANUP
> > diff --git a/tests/ovn.at b/tests/ovn.at
> > index c3644ac78..34f277ef9 100644
> > --- a/tests/ovn.at
> > +++ b/tests/ovn.at
> > @@ -37588,3 +37588,185 @@ OVN_CLEANUP([hv1])
> >
> > AT_CLEANUP
> > ])
> > +
> > +AT_SETUP([read-only sb db:pssl access with ssl-ciphers and ssl-protocols])
> > +AT_SKIP_IF([test "$HAVE_OPENSSL" = no])
> > +PKIDIR="$(cd $abs_top_builddir/tests && pwd)"
> > +AT_SKIP_IF([expr "$PKIDIR" : ".*[[ '\"
> > +\\]]"])
> > +
> > +: > .$1.db.~lock~
> > +ovsdb-tool create ovn-sb.db "$abs_top_srcdir"/ovn-sb.ovsschema
> > +
> > +# Add read-only remote to sb ovsdb-server
> > +AT_CHECK(
> > + [ovsdb-tool transact ovn-sb.db \
> > + ['["OVN_Southbound",
> > + {"op": "insert",
> > + "table": "SB_Global",
> > + "row": {
> > + "connections": ["set", [["named-uuid", "xyz"]]]}},
> > + {"op": "insert",
> > + "table": "Connection",
> > + "uuid-name": "xyz",
> > + "row": {"target": "pssl:0:127.0.0.1",
> > + "read_only": true}}]']], [0], [ignore], [ignore])
> > +
> > +start_daemon ovsdb-server --remote=punix:ovn-sb.sock \
> > +
> > --remote=db:OVN_Southbound,SB_Global,connections \
> > +
> > --private-key="$PKIDIR/testpki-test2-privkey.pem" \
> > + --certificate="$PKIDIR/testpki-test2-cert.pem" \
> > + --ca-cert="$PKIDIR/testpki-cacert.pem" \
> > + --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \
> > + --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \
> > + ovn-sb.db
> > +
> > +PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT])
> > +
> > +# read-only accesses should succeed
> > +AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \
> > + --private-key=$PKIDIR/testpki-test-privkey.pem \
> > + --certificate=$PKIDIR/testpki-test-cert.pem \
> > + --ca-cert=$PKIDIR/testpki-cacert.pem \
> > + --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \
> > + --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \
> > + list SB_Global], [0], [stdout], [ignore])
> > +AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \
> > + --private-key=$PKIDIR/testpki-test-privkey.pem \
> > + --certificate=$PKIDIR/testpki-test-cert.pem \
> > + --ca-cert=$PKIDIR/testpki-cacert.pem \
> > + --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \
> > + --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \
> > + list Connection], [0], [stdout], [ignore])
> > +
> > +# write access should fail
> > +AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \
> > + --private-key=$PKIDIR/testpki-test-privkey.pem \
> > + --certificate=$PKIDIR/testpki-test-cert.pem \
> > + --ca-cert=$PKIDIR/testpki-cacert.pem \
> > + --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \
> > + --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \
> > + chassis-add ch vxlan 1.2.4.8], [1], [ignore],
> > +[ovn-sbctl: transaction error: {"details":"insert operation not allowed
> > when database server is in read only mode","error":"not allowed"}
> > +])
> > +
> > +OVS_APP_EXIT_AND_WAIT([ovsdb-server])
> > +AT_CLEANUP
> > +
> > +AT_SETUP([nb connection/ssl commands with ssl-ciphers and ssl-protocols])
> > +AT_SKIP_IF([test "$HAVE_OPENSSL" = no])
> > +PKIDIR="$(cd $abs_top_builddir/tests && pwd)"
> > +AT_SKIP_IF([expr "$PKIDIR" : ".*[[ '\"
> > +\\]]"])
> > +
> > +: > .$1.db.~lock~
> > +ovsdb-tool create ovn-nb.db "$abs_top_srcdir"/ovn-nb.ovsschema
> > +
> > +# Start nb db server using db connection/ssl entries (unpopulated
> > initially)
> > +start_daemon ovsdb-server --remote=punix:ovnnb_db.sock \
> > +
> > --remote=db:OVN_Northbound,NB_Global,connections \
> > + --private-key=db:OVN_Northbound,SSL,private_key
> > \
> > + --certificate=db:OVN_Northbound,SSL,certificate
> > \
> > + --ca-cert=db:OVN_Northbound,SSL,ca_cert \
> > + --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \
> > + --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \
> > + ovn-nb.db
> > +
> > +# Populate SSL configuration entries in nb db
> > +AT_CHECK(
> > + [ovn-nbctl set-ssl $PKIDIR/testpki-test-privkey.pem \
> > + $PKIDIR/testpki-test-cert.pem \
> > + $PKIDIR/testpki-cacert.pem], [0], [stdout],
> > [ignore])
> > +
> > +# Populate a passive SSL connection in nb db
> > +AT_CHECK([ovn-nbctl set-connection pssl:0:127.0.0.1], [0], [stdout],
> > [ignore])
> > +
> > +PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT])
> > +
> > +# Verify SSL connetivity to nb db server
> > +AT_CHECK([ovn-nbctl --db=ssl:127.0.0.1:$TCP_PORT \
> > + --private-key=$PKIDIR/testpki-test-privkey.pem \
> > + --certificate=$PKIDIR/testpki-test-cert.pem \
> > + --ca-cert=$PKIDIR/testpki-cacert.pem \
> > + --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \
> > + --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \
> > + list NB_Global],
> > + [0], [stdout], [ignore])
> > +AT_CHECK([ovn-nbctl --db=ssl:127.0.0.1:$TCP_PORT \
> > + --private-key=$PKIDIR/testpki-test-privkey.pem \
> > + --certificate=$PKIDIR/testpki-test-cert.pem \
> > + --ca-cert=$PKIDIR/testpki-cacert.pem \
> > + --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \
> > + --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \
> > + list Connection],
> > + [0], [stdout], [ignore])
> > +AT_CHECK([ovn-nbctl --db=ssl:127.0.0.1:$TCP_PORT \
> > + --private-key=$PKIDIR/testpki-test-privkey.pem \
> > + --certificate=$PKIDIR/testpki-test-cert.pem \
> > + --ca-cert=$PKIDIR/testpki-cacert.pem \
> > + --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \
> > + --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \
> > + get-connection],
> > + [0], [stdout], [ignore])
> > +
> > +OVS_APP_EXIT_AND_WAIT([ovsdb-server])
> > +AT_CLEANUP
> > +
> > +AT_SETUP([sb connection/ssl commands with ssl-ciphers and ssl-protocols])
> > +AT_SKIP_IF([test "$HAVE_OPENSSL" = no])
> > +PKIDIR="$(cd $abs_top_builddir/tests && pwd)"
> > +AT_SKIP_IF([expr "$PKIDIR" : ".*[[ '\"
> > +\\]]"])
> > +
> > +: > .$1.db.~lock~
> > +ovsdb-tool create ovn-sb.db "$abs_top_srcdir"/ovn-sb.ovsschema
> > +
> > +# Start sb db server using db connection/ssl entries (unpopulated
> > initially)
> > +start_daemon ovsdb-server --remote=punix:ovnsb_db.sock \
> > +
> > --remote=db:OVN_Southbound,SB_Global,connections \
> > + --private-key=db:OVN_Southbound,SSL,private_key
> > \
> > + --certificate=db:OVN_Southbound,SSL,certificate
> > \
> > + --ca-cert=db:OVN_Southbound,SSL,ca_cert \
> > + --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \
> > + --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \
> > + ovn-sb.db
> > +
> > +# Populate SSL configuration entries in sb db
> > +AT_CHECK(
> > + [ovn-sbctl set-ssl $PKIDIR/testpki-test-privkey.pem \
> > + $PKIDIR/testpki-test-cert.pem \
> > + $PKIDIR/testpki-cacert.pem], [0], [stdout],
> > [ignore])
> > +
> > +# Populate a passive SSL connection in sb db
> > +AT_CHECK([ovn-sbctl set-connection pssl:0:127.0.0.1], [0], [stdout],
> > [ignore])
> > +
> > +PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT])
> > +
> > +# Verify SSL connetivity to sb db server
> > +AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \
> > + --private-key=$PKIDIR/testpki-test-privkey.pem \
> > + --certificate=$PKIDIR/testpki-test-cert.pem \
> > + --ca-cert=$PKIDIR/testpki-cacert.pem \
> > + --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \
> > + --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \
> > + list SB_Global],
> > + [0], [stdout], [ignore])
> > +AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \
> > + --private-key=$PKIDIR/testpki-test-privkey.pem \
> > + --certificate=$PKIDIR/testpki-test-cert.pem \
> > + --ca-cert=$PKIDIR/testpki-cacert.pem \
> > + --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \
> > + --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \
> > + list Connection],
> > + [0], [stdout], [ignore])
> > +AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \
> > + --private-key=$PKIDIR/testpki-test-privkey.pem \
> > + --certificate=$PKIDIR/testpki-test-cert.pem \
> > + --ca-cert=$PKIDIR/testpki-cacert.pem \
> > + --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \
> > + --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \
> > + get-connection],
> > + [0], [stdout], [ignore])
> > +
> > +OVS_APP_EXIT_AND_WAIT([ovsdb-server])
> > +AT_CLEANUP
> > diff --git a/utilities/ovn-dbctl.c b/utilities/ovn-dbctl.c
> > index 2e9348c47..92be27b2c 100644
> > --- a/utilities/ovn-dbctl.c
> > +++ b/utilities/ovn-dbctl.c
> > @@ -610,6 +610,14 @@ apply_options_direct(const struct ovn_dbctl_options
> > *dbctl_options,
> > ssl_ca_cert_file = optarg;
> > break;
> >
> > + case OPT_SSL_PROTOCOLS:
> > + stream_ssl_set_protocols(optarg);
> > + break;
> > +
> > + case OPT_SSL_CIPHERS:
> > + stream_ssl_set_ciphers(optarg);
> > + break;
> > +
> > case OPT_BOOTSTRAP_CA_CERT:
> > stream_ssl_set_ca_cert_file(po->arg, true);
> > break;
> > --
> > 2.39.3 (Apple Git-145)
> >
> > _______________________________________________
> > dev mailing list
> > d...@openvswitch.org
> > https://mail.openvswitch.org/mailman/listinfo/ovs-dev
> >
> >
> Other than that it looks good.
>
> Acked-by: Ales Musil <amu...@redhat.com>
Thanks. I addressed the nit and applied the patch to main and branch-23.09.
I've triggered CI runs for other branch backports (upto branch-22.03).
Once they are
run, I'll backport them.
Thanks
Numan
>
> Thanks,
> Ales
>
> --
>
> Ales Musil
>
> Senior Software Engineer - OVN Core
>
> Red Hat EMEA <https://www.redhat.com>
>
> amu...@redhat.com
> <https://red.ht/sig>
> _______________________________________________
> dev mailing list
> d...@openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
_______________________________________________
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
