2012/11/8 Simon Horman <[email protected]>:
> On Thu, Nov 08, 2012 at 12:15:44PM +0900, OHMURA Kei wrote:
>> 2012/11/8 Simon Horman <[email protected]>:
>> > On Thu, Nov 08, 2012 at 07:01:45AM +0900, OHMURA Kei wrote:
>> >> 2012/11/7 FUJITA Tomonori <[email protected]>:
>> >> > On Wed, 7 Nov 2012 21:25:43 +0900
>> >> > OHMURA Kei <[email protected]> wrote:
>> >> >
>> >> >> We should support SSL/TLS to encrypt the OF channel. This patch only
>> >> >> supports self-signed certificates. (see the "INSTALL.SSL" in Open
>> >> >> vSwitch source code)
>> >> >>
>> >> >> Signed-off-by: OHMURA Kei <[email protected]>
>> >> >> ---
>> >> >> ryu/controller/controller.py | 20 +++++++++++++++++---
>> >> >> 1 file changed, 17 insertions(+), 3 deletions(-)
>> >> >>
>> >> >> diff --git a/ryu/controller/controller.py
>> >> >> b/ryu/controller/controller.py
>> >> >> index dd5f16b..2953a86 100644
>> >> >> --- a/ryu/controller/controller.py
>> >> >> +++ b/ryu/controller/controller.py
>> >> >> @@ -21,6 +21,7 @@ import gevent
>> >> >> import traceback
>> >> >> import random
>> >> >> import greenlet
>> >> >> +import ssl
>> >> >> from gevent.server import StreamServer
>> >> >> from gevent.queue import Queue
>> >> >>
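Review bot: the new `import ssl` is used only for `ssl.PROTOCOL_TLSv1` in the server_loop hunk below; if that keyword argument is dropped, drop the import as well so the module does not carry an unused import, or keep it and use it to express the protocol floor explicitly.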
>> >> >> @@ -42,6 +43,10 @@ FLAGS = gflags.FLAGS
>> >> >> gflags.DEFINE_string('ofp_listen_host', '', 'openflow listen host')
>> >> >> gflags.DEFINE_integer('ofp_tcp_listen_port',
>> >> >> ofproto_common.OFP_TCP_PORT,
>> >> >> 'openflow tcp listen port')
>> >> >> +gflags.DEFINE_integer('ofp_ssl_listen_port',
>> >> >> ofproto_common.OFP_SSL_PORT,
>> >> >> + 'openflow ssl listen port')
>> >> >> +gflags.DEFINE_string('ctl_privkey', None, 'controller private key')
>> >> >> +gflags.DEFINE_string('ctl_cert', None, 'controller certificate')
>> >> >>
>> >> >>
>> >> >> class OpenFlowController(object):
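Review bot: this hunk adds a key and a certificate for the controller but no flag for a CA certificate, so there is no way to ask the switch for a certificate or verify one; either add a CA-file flag alongside `ctl_cert` (name is a suggestion) or say in the help strings and the commit message that the listener authenticates only the controller to the switch, not the reverse. Both `ctl_privkey` and `ctl_cert` default to `None` and the server_loop hunk treats them as a pair, so document that both must be given together for the SSL listener to start.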
>> >> >> @@ -54,9 +59,18 @@ class OpenFlowController(object):
>> >> >> self.server_loop()
>> >> >>
>> >> >> def server_loop(self):
>> >> >> - server = StreamServer((FLAGS.ofp_listen_host,
>> >> >> - FLAGS.ofp_tcp_listen_port),
>> >> >> - datapath_connection_factory)
>> >> >> + if FLAGS.ctl_privkey and FLAGS.ctl_cert is not None:
>> >> >> + server = StreamServer((FLAGS.ofp_listen_host,
>> >> >> + FLAGS.ofp_ssl_listen_port),
>> >> >> + datapath_connection_factory,
>> >> >> + keyfile=FLAGS.ctl_privkey,
>> >> >> + certfile=FLAGS.ctl_cert,
>> >> >> + ssl_version=ssl.PROTOCOL_TLSv1)
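Review bot: `if FLAGS.ctl_privkey and FLAGS.ctl_cert is not None:` parses as `FLAGS.ctl_privkey and (FLAGS.ctl_cert is not None)`, so the two flags are tested differently; write `if FLAGS.ctl_privkey is not None and FLAGS.ctl_cert is not None:` and reject the case where only one of them is set instead of silently falling through. `ssl_version=ssl.PROTOCOL_TLSv1` accepts only TLS 1.0, so it rules out SSLv2 and SSLv3 but also every later TLS version; if the intent is just to exclude SSLv2, note that in a comment, because this pin is stricter than that. No `cert_reqs` or `ca_certs` keyword is passed, so the switch is never asked for a certificate, which matches the "self-signed only" commit message but deserves a comment at this line.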
>> >> >
>> >> > Needs to specify the ssl version?
>> >>
>> >> Oops, I forgot to remove it. I confirmed that this patch worked
>> >> correctly without specifying it.
>> >
>> > Personally I think we should disallow SSLv2 as it's broken.
>>
>> Thank you for your comment. The server uses SSLv23 by default, when we
>> don't specify it. SSLv23 allows all SSL/TLS versions. We need to
>> specify the SSL version like this patch, right?
>
> It's been a little while since I did work on this area.
> But yes, I think we should specify that SSLv3 or any
> version of TLS is acceptable. Or in other words SSLv3 or newer.
Does OVS support SSLv3? When I tried it, the following error occurred.
--
SLError: [Errno 1] _ssl.c:504: error:14094410:SSL
routines:SSL3_READ_BYTES:sslv3 alert handshake failure
<Greenlet at 0x25c7958: <bound method
StreamServer.wrap_socket_and_handle of <StreamServer at 0x274f290
fileno=3 address=0.0.0.0:6633
handle=datapath_connection_factory>>(<socket at 0x274f3d0 fileno=4
sock=127.0.0.1:6633>, ('127.0.0.1', 54452))> failed with SSLError
--
> I think that only very ancient code supports SSLv2
> and it is really no better than plaintext.
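As an added example, not Ryu code and not written by anyone in this thread: the version policy the discussion converges on (refuse SSLv2 and SSLv3, accept any newer TLS) expressed with the standard-library `ssl` module's SSLContext rather than a single `ssl_version=` pin. `apply_controller_tls_policy`, `make_controller_context`, `default_hardened_context` and `permitted_versions` are names chosen for this illustration; `certfile`/`keyfile` stand in for the patch's `ctl_cert`/`ctl_privkey`, and the optional `cafile` is the CA file the patch does not have. The example assumes Python 3.7 or newer.

```python
import ssl

# Added example (not Ryu code): a server-side TLS policy for an OpenFlow
# controller listener. Function names are assumptions for this illustration.


def apply_controller_tls_policy(ctx):
    """Harden an SSLContext for the controller's listening socket.

    ssl_version=PROTOCOL_TLSv1 accepts TLS 1.0 and nothing else; the old
    SSLv23 default could negotiate SSLv2/SSLv3. This keeps negotiation but
    sets a floor, so newer TLS versions remain available.
    """
    # Explicitly refuse the legacy protocols. On OpenSSL >= 1.1 SSLv2 is
    # compiled out and OP_NO_SSLv2 is 0, so that flag is a harmless no-op.
    ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
    # Floor at TLS 1.2; the ceiling stays "whatever this OpenSSL supports".
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def default_hardened_context():
    """A server context with the policy applied and no credentials loaded."""
    return apply_controller_tls_policy(ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER))


def make_controller_context(certfile, keyfile, cafile=None):
    """Build the listener context from the controller's own credentials.

    With cafile=None the switch is not authenticated at all (the patch's
    "self-signed only" behaviour); with a CA file the switch must present a
    certificate that chains to it.
    """
    ctx = default_hardened_context()
    ctx.load_cert_chain(certfile, keyfile)
    if cafile is None:
        ctx.verify_mode = ssl.CERT_NONE
    else:
        ctx.verify_mode = ssl.CERT_REQUIRED
        ctx.load_verify_locations(cafile)
    return ctx


# (protocol version, OP_NO_* flag that also disables it)
_VERSIONS = [
    (ssl.TLSVersion.SSLv3, ssl.OP_NO_SSLv3),
    (ssl.TLSVersion.TLSv1, ssl.OP_NO_TLSv1),
    (ssl.TLSVersion.TLSv1_1, ssl.OP_NO_TLSv1_1),
    (ssl.TLSVersion.TLSv1_2, ssl.OP_NO_TLSv1_2),
    (ssl.TLSVersion.TLSv1_3, ssl.OP_NO_TLSv1_3),
]


def permitted_versions(ctx):
    """Names of the protocol versions a context would still negotiate.

    Derived from the min/max window plus the OP_NO_* flags. SSLv2 is never
    listed because a modern ssl module cannot speak it at all.
    """
    lo = ctx.minimum_version
    hi = ctx.maximum_version
    if lo == ssl.TLSVersion.MINIMUM_SUPPORTED:
        lo = ssl.TLSVersion.SSLv3
    if hi == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        hi = ssl.TLSVersion.TLSv1_3
    return [
        v.name
        for v, no_flag in _VERSIONS
        if lo <= v <= hi and not (ctx.options & no_flag)
    ]


if __name__ == "__main__":
    print("listener will negotiate:", permitted_versions(default_hardened_context()))
```

`permitted_versions` is the check to run before deploying a listener: it reports what the context will actually accept, which is easier to review than reading a protocol constant and remembering what it implies. If gevent's `StreamServer` is used as in the patch, the context built here can be passed to it through its `ssl_context` argument instead of the individual `keyfile`/`certfile`/`ssl_version` keywords.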
_______________________________________________
Ryu-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/ryu-devel