On 9 Dec 2024, at 17:38, Ilya Maximets wrote:
> 'DEFAULT' enables the default cipher list that was compiled into the OpenSSL
> library. That allows distributions to provide their defaults for the
> running OVS process. It also normally doesn't include any ciphers
> that provide no encryption (eNULL) or no authentication (aNULL).
> Using this option also makes it harder to mess up the configuration.
>
> Turning on SECLEVEL 2 enables a requirement for at least 112 bits
> of security strength. Doing that, we ensure compatibility with keys
> previously generated by older versions of ovs-pki. It also takes care
> of disabling MD5 and RC4.
>
> This should provide better security by default and allow distributions
> to turn off ciphers system-wide more easily by re-configuring OpenSSL.
>
> These cipher list macros were introduced in OpenSSL 1.1.0.
>
> If necessary, users can override this configuration with --ssl-ciphers
> or via the corresponding database column.
>
> Signed-off-by: Ilya Maximets <[email protected]>
Patchwork did not like the cover letter ACK, so will ack them individually.
Acked-by: Eelco Chaudron <[email protected]>
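A way to check what the quoted cipher string actually enables in the locally installed OpenSSL, added here as an example and not part of the patch or of OVS: it builds an SSL context with `DEFAULT:@SECLEVEL=2`, lists the negotiable ciphers, and flags any that offer no encryption or authentication, use MD5 or RC4, or fall below 112 bits. The same helper can vet a custom `--ssl-ciphers` value before deploying it; the token list used to spot weak suites is my own assumption, not something the patch defines.

```python
import ssl

# The cipher string adopted by the OVS patch under discussion.
OVS_DEFAULT_CIPHERS = "DEFAULT:@SECLEVEL=2"

# Name fragments that identify suites the commit message wants excluded
# (constructed list, assumed to match OpenSSL's cipher naming).
WEAK_TOKENS = ("NULL", "RC4", "MD5", "ADH", "AECDH", "anon")
MIN_STRENGTH_BITS = 112  # what SECLEVEL=2 is meant to guarantee


def enabled_ciphers(cipher_string=OVS_DEFAULT_CIPHERS):
    """Return the cipher descriptions OpenSSL would negotiate for cipher_string.

    Raises ssl.SSLError if the string is unparseable or selects nothing,
    which is the same failure an ovs process would hit at startup.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # parses @SECLEVEL like SSL_CTX_set_cipher_list
    return ctx.get_ciphers()


def weak_ciphers(ciphers):
    """Return names of ciphers that violate the properties the patch promises."""
    flagged = []
    for c in ciphers:
        name = c["name"]
        if any(tok in name for tok in WEAK_TOKENS):
            flagged.append(name)
        elif c["strength_bits"] < MIN_STRENGTH_BITS:
            flagged.append(name)
    return flagged


def audit(cipher_string=OVS_DEFAULT_CIPHERS):
    """Summarise a cipher string the way an administrator would review it."""
    ciphers = enabled_ciphers(cipher_string)
    return {
        "count": len(ciphers),
        "min_strength_bits": min(c["strength_bits"] for c in ciphers),
        "weak": weak_ciphers(ciphers),
    }


if __name__ == "__main__":
    report = audit()
    for c in enabled_ciphers():
        print(f'{c["protocol"]:8} {c["strength_bits"]:4} {c["name"]}')
    print("weak suites found:", report["weak"] or "none")
```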