
[ovs-dev,v2] stream-ssl: Define SSL_OP_NO_SSL_MASK for OpenSSL versions that lack it.

Message ID 20180806223944.4630-1-blp@ovn.org
State Accepted
Series [ovs-dev,v2] stream-ssl: Define SSL_OP_NO_SSL_MASK for OpenSSL versions that lack it.

Commit Message

Ben Pfaff Aug. 6, 2018, 10:39 p.m. UTC
10 of the travis builds are failing such as
TESTSUITE=1 KERNEL=3.16.54 for gcc and clang.

Fixes: ab16d2c2871b ("stream-ssl: Don't enable new TLS versions by default")
CC: Timothy Redaelli <tredaelli@redhat.com>
Signed-off-by: Darrell Ball <dlu998@gmail.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
---
v1->v2: Add SSL_OP_NO_SSLv2 (thanks Han!).

 lib/stream-ssl.c | 6 ++++++
 1 file changed, 6 insertions(+)

Comments

Han Zhou Aug. 6, 2018, 10:47 p.m. UTC | #1
On Mon, Aug 6, 2018 at 12:39 PM, Ben Pfaff <blp@ovn.org> wrote:
>
> 10 of the travis builds are failing such as
> TESTSUITE=1 KERNEL=3.16.54 for gcc and clang.
>
> Fixes: ab16d2c2871b ("stream-ssl: Don't enable new TLS versions by default")
> CC: Timothy Redaelli <tredaelli@redhat.com>
> Signed-off-by: Darrell Ball <dlu998@gmail.com>
> Signed-off-by: Ben Pfaff <blp@ovn.org>
> ---
> v1->v2: Add SSL_OP_NO_SSLv2 (thanks Han!).
>
>  lib/stream-ssl.c | 6 ++++++
>  1 file changed, 6 insertions(+)
>
> diff --git a/lib/stream-ssl.c b/lib/stream-ssl.c
> index f3d623c035f8..fed71801b823 100644
> --- a/lib/stream-ssl.c
> +++ b/lib/stream-ssl.c
> @@ -1188,6 +1188,12 @@ stream_ssl_set_protocols(const char *arg)
>      }
>
>      /* Start with all the flags off and turn them on as requested. */
> +#ifndef SSL_OP_NO_SSL_MASK
> +    /* For old OpenSSL without this macro, this is the correct value.  */
> +#define SSL_OP_NO_SSL_MASK (SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | \
> +                            SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | \
> +                            SSL_OP_NO_TLSv1_2)
> +#endif
>      long protocol_flags = SSL_OP_NO_SSL_MASK;
>
>      char *s = xstrdup(arg);
> --
> 2.16.1
>
> _______________________________________________
> dev mailing list
> dev@openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev

Acked-by: Han Zhou <hzhou8@ebay.com>
Ben Pfaff Aug. 6, 2018, 10:53 p.m. UTC | #2
On Mon, Aug 06, 2018 at 12:47:39PM -1000, Han Zhou wrote:
> On Mon, Aug 6, 2018 at 12:39 PM, Ben Pfaff <blp@ovn.org> wrote:
> >
> > 10 of the travis builds are failing such as
> > TESTSUITE=1 KERNEL=3.16.54 for gcc and clang.
> >
> > Fixes: ab16d2c2871b ("stream-ssl: Don't enable new TLS versions by default")
> > CC: Timothy Redaelli <tredaelli@redhat.com>
> > Signed-off-by: Darrell Ball <dlu998@gmail.com>
> > Signed-off-by: Ben Pfaff <blp@ovn.org>
> > ---
> > v1->v2: Add SSL_OP_NO_SSLv2 (thanks Han!).
> >
> >  lib/stream-ssl.c | 6 ++++++
> >  1 file changed, 6 insertions(+)
> >
> > diff --git a/lib/stream-ssl.c b/lib/stream-ssl.c
> > index f3d623c035f8..fed71801b823 100644
> > --- a/lib/stream-ssl.c
> > +++ b/lib/stream-ssl.c
> > @@ -1188,6 +1188,12 @@ stream_ssl_set_protocols(const char *arg)
> >      }
> >
> >      /* Start with all the flags off and turn them on as requested. */
> > +#ifndef SSL_OP_NO_SSL_MASK
> > +    /* For old OpenSSL without this macro, this is the correct value.  */
> > +#define SSL_OP_NO_SSL_MASK (SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | \
> > +                            SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | \
> > +                            SSL_OP_NO_TLSv1_2)
> > +#endif
> >      long protocol_flags = SSL_OP_NO_SSL_MASK;
> >
> >      char *s = xstrdup(arg);
> > --
> > 2.16.1
> >
> 
> Acked-by: Han Zhou <hzhou8@ebay.com>

Thanks.

Darrell, does this make sense to you?
Darrell Ball Aug. 6, 2018, 11:07 p.m. UTC | #3
On Mon, Aug 6, 2018 at 3:53 PM, Ben Pfaff <blp@ovn.org> wrote:

> On Mon, Aug 06, 2018 at 12:47:39PM -1000, Han Zhou wrote:
> > On Mon, Aug 6, 2018 at 12:39 PM, Ben Pfaff <blp@ovn.org> wrote:
> > >
> > > 10 of the travis builds are failing such as
> > > TESTSUITE=1 KERNEL=3.16.54 for gcc and clang.
> > >
> > > Fixes: ab16d2c2871b ("stream-ssl: Don't enable new TLS versions by default")
> > > CC: Timothy Redaelli <tredaelli@redhat.com>
> > > Signed-off-by: Darrell Ball <dlu998@gmail.com>
> > > Signed-off-by: Ben Pfaff <blp@ovn.org>
> > > ---
> > > v1->v2: Add SSL_OP_NO_SSLv2 (thanks Han!).
> > >
> > >  lib/stream-ssl.c | 6 ++++++
> > >  1 file changed, 6 insertions(+)
> > >
> > > diff --git a/lib/stream-ssl.c b/lib/stream-ssl.c
> > > index f3d623c035f8..fed71801b823 100644
> > > --- a/lib/stream-ssl.c
> > > +++ b/lib/stream-ssl.c
> > > @@ -1188,6 +1188,12 @@ stream_ssl_set_protocols(const char *arg)
> > >      }
> > >
> > >      /* Start with all the flags off and turn them on as requested. */
> > > +#ifndef SSL_OP_NO_SSL_MASK
> > > +    /* For old OpenSSL without this macro, this is the correct
> value.  */
> > > +#define SSL_OP_NO_SSL_MASK (SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | \
> > > +                            SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | \
> > > +                            SSL_OP_NO_TLSv1_2)
> > > +#endif
> > >      long protocol_flags = SSL_OP_NO_SSL_MASK;
> > >
> > >      char *s = xstrdup(arg);
> > > --
> > > 2.16.1
> > >
> >
> > Acked-by: Han Zhou <hzhou8@ebay.com>
>
> Thanks.
>
> Darrell, does this make sense to you?
>


It looks fine and works locally, assuming you checked Travis (which I
expect should be fixed).
Acked-by: Darrell Ball <dlu998@gmail.com>
Ben Pfaff Aug. 6, 2018, 11:28 p.m. UTC | #4
On Mon, Aug 06, 2018 at 04:07:03PM -0700, Darrell Ball wrote:
> On Mon, Aug 6, 2018 at 3:53 PM, Ben Pfaff <blp@ovn.org> wrote:
> 
> > On Mon, Aug 06, 2018 at 12:47:39PM -1000, Han Zhou wrote:
> > > On Mon, Aug 6, 2018 at 12:39 PM, Ben Pfaff <blp@ovn.org> wrote:
> > > >
> > > > 10 of the travis builds are failing such as
> > > > TESTSUITE=1 KERNEL=3.16.54 for gcc and clang.
> > > >
> > > > Fixes: ab16d2c2871b ("stream-ssl: Don't enable new TLS versions by default")
> > > > CC: Timothy Redaelli <tredaelli@redhat.com>
> > > > Signed-off-by: Darrell Ball <dlu998@gmail.com>
> > > > Signed-off-by: Ben Pfaff <blp@ovn.org>
> > > > ---
> > > > v1->v2: Add SSL_OP_NO_SSLv2 (thanks Han!).
> > > >
> > > >  lib/stream-ssl.c | 6 ++++++
> > > >  1 file changed, 6 insertions(+)
> > > >
> > > > diff --git a/lib/stream-ssl.c b/lib/stream-ssl.c
> > > > index f3d623c035f8..fed71801b823 100644
> > > > --- a/lib/stream-ssl.c
> > > > +++ b/lib/stream-ssl.c
> > > > @@ -1188,6 +1188,12 @@ stream_ssl_set_protocols(const char *arg)
> > > >      }
> > > >
> > > >      /* Start with all the flags off and turn them on as requested. */
> > > > +#ifndef SSL_OP_NO_SSL_MASK
> > > > +    /* For old OpenSSL without this macro, this is the correct
> > value.  */
> > > > +#define SSL_OP_NO_SSL_MASK (SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | \
> > > > +                            SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | \
> > > > +                            SSL_OP_NO_TLSv1_2)
> > > > +#endif
> > > >      long protocol_flags = SSL_OP_NO_SSL_MASK;
> > > >
> > > >      char *s = xstrdup(arg);
> > > > --
> > > > 2.16.1
> > > >
> > >
> > > Acked-by: Han Zhou <hzhou8@ebay.com>
> >
> > Thanks.
> >
> > Darrell, does this make sense to you?
> >
> 
> 
> It looks fine and works locally, assuming you checked Travis (which I
> expect should be fixed).
> Acked-by: Darrell Ball <dlu998@gmail.com>

Thanks, applied to all affected branches.
Timothy Redaelli Aug. 7, 2018, 9:04 a.m. UTC | #5
On Mon,  6 Aug 2018 15:39:44 -0700
Ben Pfaff <blp@ovn.org> wrote:

> 10 of the travis builds are failing such as
> TESTSUITE=1 KERNEL=3.16.54 for gcc and clang.
> 
> Fixes: ab16d2c2871b ("stream-ssl: Don't enable new TLS versions by default")
> CC: Timothy Redaelli <tredaelli@redhat.com>
> Signed-off-by: Darrell Ball <dlu998@gmail.com>
> Signed-off-by: Ben Pfaff <blp@ovn.org>
> ---
> v1->v2: Add SSL_OP_NO_SSLv2 (thanks Han!).
> 
>  lib/stream-ssl.c | 6 ++++++
>  1 file changed, 6 insertions(+)
> 
> diff --git a/lib/stream-ssl.c b/lib/stream-ssl.c
> index f3d623c035f8..fed71801b823 100644
> --- a/lib/stream-ssl.c
> +++ b/lib/stream-ssl.c
> @@ -1188,6 +1188,12 @@ stream_ssl_set_protocols(const char *arg)
>      }
>  
>      /* Start with all the flags off and turn them on as requested. */
> +#ifndef SSL_OP_NO_SSL_MASK
> +    /* For old OpenSSL without this macro, this is the correct
> value.  */ +#define SSL_OP_NO_SSL_MASK (SSL_OP_NO_SSLv2 |
> SSL_OP_NO_SSLv3 | \
> +                            SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | \
> +                            SSL_OP_NO_TLSv1_2)
> +#endif
>      long protocol_flags = SSL_OP_NO_SSL_MASK;
>  
>      char *s = xstrdup(arg);

I'm sorry for this; I tested my patch with OpenSSL 1.0.2k (RHEL7) and
OpenSSL 1.1.0h (Fedora 28).

I checked right now, and some distributions (for example Ubuntu 14.04)
use 1.0.1, which doesn't have SSL_OP_NO_SSL_MASK (introduced in 1.0.2,
6 years ago [1]).

Reviewed-by: Timothy Redaelli <tredaelli@redhat.com>

[1]
https://github.com/openssl/openssl/commit/49ef33fa3463d6b6001009024c9aed09f814cb7c#diff-4b59eddb1c722b1dc3d17b5f64149e12R620
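The pattern the patch relies on, as an added example that is not Open vSwitch or OpenSSL code: a default-deny protocol mask with the same `#ifndef` fallback, and a name parser in the style of stream_ssl_set_protocols() that starts with every version disabled and clears only the bits the caller asks for. The NO_* flag values, the name table and the functions parse_protocols(), protocol_enabled() and mask_covers_all_known() are all constructed for this example; real code uses the SSL_OP_NO_* macros from <openssl/ssl.h> and hands the result to SSL_CTX_set_options().

```c
/* Added example, not Open vSwitch code: default-deny protocol selection
 * with a compile-time fallback for a missing "all versions" mask.  The
 * NO_* values are constructed placeholders so the file builds without
 * OpenSSL headers; real code uses SSL_OP_NO_* from <openssl/ssl.h>. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Placeholder bit values (hypothetical, not OpenSSL's real constants). */
#define NO_SSLv2   0x01L
#define NO_SSLv3   0x02L
#define NO_TLSv1   0x04L
#define NO_TLSv1_1 0x08L
#define NO_TLSv1_2 0x10L

#ifndef NO_SSL_MASK
/* Fallback mirroring the patch.  It must name every NO_* bit this build
 * knows about: a protocol whose bit is missing here is never turned off. */
#define NO_SSL_MASK (NO_SSLv2 | NO_SSLv3 | NO_TLSv1 | NO_TLSv1_1 | NO_TLSv1_2)
#endif

struct proto_name {
    const char *name;
    long no_bit;
};

/* Protocols a user may enable by name.  SSLv2 is deliberately absent so it
 * can never be re-enabled, whatever the configuration string says. */
static const struct proto_name protos[] = {
    { "SSLv3",   NO_SSLv3 },
    { "TLSv1",   NO_TLSv1 },
    { "TLSv1.1", NO_TLSv1_1 },
    { "TLSv1.2", NO_TLSv1_2 },
};

/* Turn a comma-separated list such as "TLSv1.1,TLSv1.2" into the option
 * flags for the TLS library.  Every protocol starts disabled (all NO_* bits
 * set) and only the named ones have their bit cleared.  An unknown name
 * returns -1 so the caller keeps its previous settings instead of silently
 * enabling something unintended. */
long parse_protocols(const char *arg)
{
    long flags = NO_SSL_MASK;
    size_t len = strlen(arg) + 1;
    char *copy = malloc(len);          /* strtok() modifies its input */
    if (!copy) {
        return -1;
    }
    memcpy(copy, arg, len);
    for (char *tok = strtok(copy, ","); tok; tok = strtok(NULL, ",")) {
        size_t i, n = sizeof protos / sizeof protos[0];
        for (i = 0; i < n; i++) {
            if (strcmp(tok, protos[i].name) == 0) {
                flags &= ~protos[i].no_bit;
                break;
            }
        }
        if (i == n) {                  /* unknown protocol name: fail closed */
            free(copy);
            return -1;
        }
    }
    free(copy);
    return flags;
}

/* 1 if the protocol identified by NO_BIT is enabled under FLAGS. */
int protocol_enabled(long flags, long no_bit)
{
    return flags >= 0 && !(flags & no_bit);
}

/* The check a reviewer wants on the fallback: every known NO_* bit is
 * covered by the mask, so no version stays enabled by accident. */
int mask_covers_all_known(void)
{
    long known = NO_SSLv2 | NO_SSLv3 | NO_TLSv1 | NO_TLSv1_1 | NO_TLSv1_2;
    return (NO_SSL_MASK & known) == known;
}

int main(void)
{
    long flags = parse_protocols("TLSv1.1,TLSv1.2");
    printf("flags=0x%lx TLSv1.2 %s, SSLv3 %s, fallback complete: %s\n",
           flags,
           protocol_enabled(flags, NO_TLSv1_2) ? "on" : "off",
           protocol_enabled(flags, NO_SSLv3) ? "on" : "off",
           mask_covers_all_known() ? "yes" : "no");
    return 0;
}
```

The empty string yields the full mask (everything disabled) and an unknown name yields -1, so both failure modes leave the library with nothing enabled rather than with a stray old version turned on; mask_covers_all_known() is the property the fallback `#define` in the patch has to satisfy on every OpenSSL it is compiled against.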

Patch

diff --git a/lib/stream-ssl.c b/lib/stream-ssl.c
index f3d623c035f8..fed71801b823 100644
--- a/lib/stream-ssl.c
+++ b/lib/stream-ssl.c
@@ -1188,6 +1188,12 @@  stream_ssl_set_protocols(const char *arg)
     }
 
     /* Start with all the flags off and turn them on as requested. */
+#ifndef SSL_OP_NO_SSL_MASK
+    /* For old OpenSSL without this macro, this is the correct value.  */
+#define SSL_OP_NO_SSL_MASK (SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | \
+                            SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1 | \
+                            SSL_OP_NO_TLSv1_2)
+#endif
     long protocol_flags = SSL_OP_NO_SSL_MASK;
 
     char *s = xstrdup(arg);
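Review bot: the fallback `#define SSL_OP_NO_SSL_MASK (SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | ... | SSL_OP_NO_TLSv1_2)` is only safe as long as it lists every SSL_OP_NO_* bit the OpenSSL being built against defines; since `protocol_flags` starts from this mask and bits are only ever cleared afterwards, any version missing from the mask would be left enabled silently rather than disabled. The comment "this is the correct value" should say which OpenSSL range the fallback is meant for (the thread places the real macro in 1.0.2, and the fallback itself uses SSL_OP_NO_TLSv1_1 and SSL_OP_NO_TLSv1_2 unguarded, so it presumes those exist), and the `#ifndef` block would be better placed with the file's other compatibility definitions near the top rather than inside the body of stream_ssl_set_protocols(), where a reader of the function can miss it and nothing else in the file can reuse it.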