On Mon, Mar 31, 2025 at 4:08 PM Ilya Maximets <[email protected]> wrote:
> TLSv1 and TLSv1.1 are officially deprecated by RFC 8996 since March > of 2021: https://datatracker.ietf.org/doc/rfc8996/ > > Both protocols should not generally be used (RFC says MUST NOT) and > are being actively removed from support by major distributions and > libraries. They were deprecated and disabled by default in OVN 25.03 > and support was fully removed in OVS commit [1]. > > Not updating the OVS submodule here, because the previous commit for > STT encapsulation type removal already moved the version beyond the > commit [1]. So, just updating the documentation accordingly. > > [1] 7b4d3137a133 ("stream-ssl: Remove support for deprecated TLSv1 and > TLSv1.1.") > > Signed-off-by: Ilya Maximets <[email protected]> > --- > NEWS | 3 +++ > ovn-ic-nb.xml | 13 ++++++------- > ovn-ic-sb.xml | 13 ++++++------- > ovn-nb.xml | 13 ++++++------- > ovn-sb.xml | 13 ++++++------- > 5 files changed, 27 insertions(+), 28 deletions(-) > > diff --git a/NEWS b/NEWS > index edb3ded0d..db7b9a49f 100644 > --- a/NEWS > +++ b/NEWS > @@ -10,6 +10,9 @@ Post v25.03.0 > external-ids, this option allows to specify if ovn-controller should > perform cleanup when exiting. The "--restart" exit always has > priority > to keep the backward compatibility. > + - SSL/TLS: > + * Support for deprecated TLSv1 and TLSv1.1 protocols on OpenFlow and > + database connections is now removed. > > OVN v25.03.0 - 07 Mar 2025 > -------------------------- > diff --git a/ovn-ic-nb.xml b/ovn-ic-nb.xml > index abd8114fc..304e100ff 100644 > --- a/ovn-ic-nb.xml > +++ b/ovn-ic-nb.xml 
> @@ -157,17 +157,16 @@ > enable for SSL/TLS connections. > </p> > <p> > - Supported protocols include <code>TLSv1</code> (deprecated), > - <code>TLSv1.1</code> (deprecated), <code>TLSv1.2</code> and > + Supported protocols include <code>TLSv1.2</code> and > <code>TLSv1.3</code>. Ranges can be provided in a form of two > protocol > - names separated with a dash (<code>TLSv1.1-TLSv1.2</code>), or as > a > + names separated with a dash (<code>TLSv1.2-TLSv1.3</code>), or as > a > single protocol name with a plus sign (<code>TLSv1.2+</code>). > The > value can be a list of protocols or exactly one range. The range > is a > preferred way of specifying protocols and the configuration always > behaves as if the range between the minimum and the maximum > specified > version is provided, i.e., if the value is set to > - <code>TLSv1.1,TLSv1.3</code>, the <code>TLSv1.2</code> will also > be > - enabled as if it was a range. > + <code>TLSv1.X,TLSv1.(X+2)</code>, the <code>TLSv1.(X+1)</code> > will > + also be enabled as if it was a range. > Regardless of order, the highest protocol supported by both sides > will > be chosen when making the connection. > </p> > @@ -178,8 +177,8 @@ > > <column name="ssl_ciphers"> > List of ciphers (in OpenSSL cipher string format) to be supported > - for SSL/TLS connections with TLSv1.2 and earlier. The default when > this > - option is omitted is <code>DEFAULT:@SECLEVEL=2</code>. > + for SSL/TLS connections with TLSv1.2. The default when this option > + is omitted is <code>DEFAULT:@SECLEVEL=2</code>. > </column> > > <column name="ssl_ciphersuites"> > diff --git a/ovn-ic-sb.xml b/ovn-ic-sb.xml > index 63848088a..5f0743dc3 100644 > --- a/ovn-ic-sb.xml > +++ b/ovn-ic-sb.xml 
> @@ -651,17 +651,16 @@ > enable for SSL/TLS connections. > </p> > <p> > - Supported protocols include <code>TLSv1</code> (deprecated), > - <code>TLSv1.1</code> (deprecated), <code>TLSv1.2</code> and > + Supported protocols include <code>TLSv1.2</code> and > <code>TLSv1.3</code>. Ranges can be provided in a form of two > protocol > - names separated with a dash (<code>TLSv1.1-TLSv1.2</code>), or as > a > + names separated with a dash (<code>TLSv1.2-TLSv1.3</code>), or as > a > single protocol name with a plus sign (<code>TLSv1.2+</code>). > The > value can be a list of protocols or exactly one range. The range > is a > preferred way of specifying protocols and the configuration always > behaves as if the range between the minimum and the maximum > specified > version is provided, i.e., if the value is set to > - <code>TLSv1.1,TLSv1.3</code>, the <code>TLSv1.2</code> will also > be > - enabled as if it was a range. > + <code>TLSv1.X,TLSv1.(X+2)</code>, the <code>TLSv1.(X+1)</code> > will > + also be enabled as if it was a range. > Regardless of order, the highest protocol supported by both sides > will > be chosen when making the connection. > </p> > @@ -672,8 +671,8 @@ > > <column name="ssl_ciphers"> > List of ciphers (in OpenSSL cipher string format) to be supported > - for SSL/TLS connections with TLSv1.2 and earlier. The default when > this > - option is omitted is <code>DEFAULT:@SECLEVEL=2</code>. > + for SSL/TLS connections with TLSv1.2. The default when this option > + is omitted is <code>DEFAULT:@SECLEVEL=2</code>. > </column> > > <column name="ssl_ciphersuites"> > diff --git a/ovn-nb.xml b/ovn-nb.xml > index 307aed38b..2098cdbda 100644 > --- a/ovn-nb.xml > +++ b/ovn-nb.xml 
> @@ -5489,17 +5489,16 @@ or > enable for SSL/TLS connections. > </p> > <p> > - Supported protocols include <code>TLSv1</code> (deprecated), > - <code>TLSv1.1</code> (deprecated), <code>TLSv1.2</code> and > + Supported protocols include <code>TLSv1.2</code> and > <code>TLSv1.3</code>. Ranges can be provided in a form of two > protocol > - names separated with a dash (<code>TLSv1.1-TLSv1.2</code>), or as > a > + names separated with a dash (<code>TLSv1.2-TLSv1.3</code>), or as > a > single protocol name with a plus sign (<code>TLSv1.2+</code>). > The > value can be a list of protocols or exactly one range. The range > is a > preferred way of specifying protocols and the configuration always > behaves as if the range between the minimum and the maximum > specified > version is provided, i.e., if the value is set to > - <code>TLSv1.1,TLSv1.3</code>, the <code>TLSv1.2</code> will also > be > - enabled as if it was a range. > + <code>TLSv1.X,TLSv1.(X+2)</code>, the <code>TLSv1.(X+1)</code> > will > + also be enabled as if it was a range. > Regardless of order, the highest protocol supported by both sides > will > be chosen when making the connection. > </p> > @@ -5510,8 +5509,8 @@ or > > <column name="ssl_ciphers"> > List of ciphers (in OpenSSL cipher string format) to be supported > - for SSL/TLS connections with TLSv1.2 and earlier. The default when > this > - option is omitted is <code>DEFAULT:@SECLEVEL=2</code>. > + for SSL/TLS connections with TLSv1.2. The default when this option > + is omitted is <code>DEFAULT:@SECLEVEL=2</code>. > </column> > > <column name="ssl_ciphersuites"> > diff --git a/ovn-sb.xml b/ovn-sb.xml > index bbb3c7b13..43b691827 100644 > --- a/ovn-sb.xml > +++ b/ovn-sb.xml 
> @@ -4589,17 +4589,16 @@ tcp.flags = RST; > enable for SSL/TLS connections. > </p> > <p> > - Supported protocols include <code>TLSv1</code> (deprecated), > - <code>TLSv1.1</code> (deprecated), <code>TLSv1.2</code> and > + Supported protocols include <code>TLSv1.2</code> and > <code>TLSv1.3</code>. Ranges can be provided in a form of two > protocol > - names separated with a dash (<code>TLSv1.1-TLSv1.2</code>), or as > a > + names separated with a dash (<code>TLSv1.2-TLSv1.3</code>), or as > a > single protocol name with a plus sign (<code>TLSv1.2+</code>). > The > value can be a list of protocols or exactly one range. The range > is a > preferred way of specifying protocols and the configuration always > behaves as if the range between the minimum and the maximum > specified > version is provided, i.e., if the value is set to > - <code>TLSv1.1,TLSv1.3</code>, the <code>TLSv1.2</code> will also > be > - enabled as if it was a range. > + <code>TLSv1.X,TLSv1.(X+2)</code>, the <code>TLSv1.(X+1)</code> > will > + also be enabled as if it was a range. > Regardless of order, the highest protocol supported by both sides > will > be chosen when making the connection. > </p> 
> @@ -4610,8 +4609,8 @@ tcp.flags = RST; > > <column name="ssl_ciphers"> > List of ciphers (in OpenSSL cipher string format) to be supported > - for SSL/TLS connections with TLSv1.2 and earlier. The default when > this > - option is omitted is <code>DEFAULT:@SECLEVEL=2</code>. > + for SSL/TLS connections with TLSv1.2. The default when this option > + is omitted is <code>DEFAULT:@SECLEVEL=2</code>. > </column> > > <column name="ssl_ciphersuites"> > -- > 2.49.0 > > _______________________________________________ > dev mailing list > [email protected] > https://mail.openvswitch.org/mailman/listinfo/ovs-dev > > Looks good to me, thanks. Acked-by: Ales Musil <[email protected]> _______________________________________________ dev mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-dev
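Review bot: in the ssl_protocols paragraph hunk, the replacement example `<code>TLSv1.X,TLSv1.(X+2)</code>` enabling `<code>TLSv1.(X+1)</code>` is harder to read than the concrete `TLSv1.1,TLSv1.3` it replaces, and with only TLSv1.2 and TLSv1.3 remaining there is no real triple it can stand for; this applies identically to the ovn-ic-nb.xml, ovn-ic-sb.xml, ovn-nb.xml and ovn-sb.xml hunks. Consider stating the rule in words instead ("if two non-adjacent versions are listed, every version between them is also enabled, as if a range had been given"), or dropping the example sentence entirely, since the preceding sentence already says the configuration always behaves as the range between the minimum and maximum specified version.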
