On 9 Dec 2024, at 17:38, Ilya Maximets wrote:
> TLSv1 and TLSv1.1 are officially deprecated by RFC 8996 since March
> of 2021: https://datatracker.ietf.org/doc/rfc8996/
>
> Both protocols should not generally be used (RFC says MUST NOT) and
> are being actively removed from support by major distributions and
> libraries.
>
> Deprecate these protocols in OVS and turn them off by default.
> The ability to use them is preserved for now, with a warning. We'll
> fully remove support in OVS 3.6.
>
> Before this change, OVS would use TLSv1 or later, if the protocols
> are not specified in the database or command line (this includes
> TLSv1.3 that is not supported explicitly). After the change, this
> becomes TLSv1.2 or later.
>
> The Python library only supports the client side of SSL/TLS and
> doesn't support configuring protocols, so it just turns off TLSv1
> and TLSv1.1. This means new Python clients will not be able to
> connect to servers that only have TLSv1.1 or lower. This is a
> strange configuration for a modern server and can be fixed by
> allowing the server to use newer protocols, so there might not be a
> real need for making the client side configurable. If the server is
> so old that it doesn't support TLSv1.2, it may be time to update it.
>
> Signed-off-by: Ilya Maximets <[email protected]>
Patchwork did not like the cover letter ACK, so will ack them individually.
Acked-by: Eelco Chaudron <[email protected]>
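The quoted commit message describes the client-side policy change in words: the old floor was "TLSv1 or later", the new floor is "TLSv1.2 or later", and a client with the new floor can no longer reach a server that stops at TLSv1.1. The block below is an added illustration written for this page, not code from the OVS patch or the OVS Python bindings; the function names (`legacy_client_context`, `hardened_client_context`, `negotiable_versions`, `can_interoperate`) are my own, and it uses only the standard-library `ssl` module to express the two floors as `SSLContext` objects and to reason about which versions overlap with a hypothetical server.

```python
import ssl

# TLS versions in protocol order, used to expand a context's
# [minimum_version, maximum_version] range into a concrete list.
_VERSIONS = [ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
             ssl.TLSVersion.TLSv1_2]
if ssl.HAS_TLSv1_3:
    _VERSIONS.append(ssl.TLSVersion.TLSv1_3)


def legacy_client_context() -> ssl.SSLContext:
    """The 'before' policy from the commit message: TLSv1 or later.

    Some OpenSSL builds compile TLSv1 out entirely; in that case the
    floor stays at whatever the library itself still allows.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1
    except ValueError:
        ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """The 'after' policy: TLSv1.2 or later (RFC 8996 compliant)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def negotiable_versions(ctx: ssl.SSLContext) -> list:
    """Return the protocol version names this context would accept."""
    lo, hi = ctx.minimum_version, ctx.maximum_version
    lo_i = _VERSIONS.index(lo) if lo in _VERSIONS else 0
    hi_i = _VERSIONS.index(hi) if hi in _VERSIONS else len(_VERSIONS) - 1
    return [v.name for v in _VERSIONS[lo_i:hi_i + 1]]


def can_interoperate(ctx: ssl.SSLContext, server_versions) -> bool:
    """True if at least one version is acceptable to both sides.

    `server_versions` is a constructed list of version names that a
    hypothetical peer offers, e.g. ["TLSv1_1"] for a legacy-only server.
    """
    return bool(set(negotiable_versions(ctx)) & set(server_versions))


if __name__ == "__main__":
    legacy, hardened = legacy_client_context(), hardened_client_context()
    print("before:", negotiable_versions(legacy))
    print("after: ", negotiable_versions(hardened))
    # A server that only speaks TLSv1.1 (constructed peer, not a real host).
    print("TLSv1.1-only server reachable after change?",
          can_interoperate(hardened, ["TLSv1_1"]))
```

Setting `minimum_version` is the supported way to express a floor; the older `OP_NO_TLSv1` / `OP_NO_TLSv1_1` option flags are deprecated in recent Python releases and are not used here. The `can_interoperate` check is a static overlap test on version ranges, not a live handshake, so it reflects policy rather than what a particular OpenSSL security level would additionally refuse.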
_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev