
[ovs-dev,1/2] fix segfault due to ssl-ciphers

Message ID 20240111080557.54577-1-amginwal@gmail.com

Commit Message

aginwala aginwala Jan. 11, 2024, 8:05 a.m. UTC
From: Aliasgar Ginwala <aginwala@ebay.com>

To avoid invalidating existing certs set up by an old version of ovs pki,
openssl supports setting ciphers, but doing so fails with ovn as below:
ovn-controller --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1'
Aborted (core dumped)

Avoid invalidating existing certs when bumping to new ovn version
SSL_connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed while connecting to control plane.

Also amend ovn ic northd and ovn ctl utilities

Signed-off-by: Aliasgar Ginwala <aginwala@ebay.com>
---
 controller/ovn-controller.c | 7 +++++++
 ic/ovn-ic.c                 | 8 ++++++++
 northd/ovn-northd.c         | 8 ++++++++
 utilities/ovn-dbctl.c       | 8 ++++++++
 4 files changed, 31 insertions(+)

Patch

diff --git a/controller/ovn-controller.c b/controller/ovn-controller.c
index 856e5e270..4b16818a6 100644
--- a/controller/ovn-controller.c
+++ b/controller/ovn-controller.c
@@ -6166,6 +6166,13 @@  parse_options(int argc, char *argv[])
             ssl_ca_cert_file = optarg;
             break;
 
+        case OPT_SSL_PROTOCOLS:
+            stream_ssl_set_protocols(optarg);
+            break;
+
+        case OPT_SSL_CIPHERS:
+            stream_ssl_set_ciphers(optarg);
+            break;
 
         case OPT_PEER_CA_CERT:
             stream_ssl_set_peer_ca_cert_file(optarg);
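Review bot: None of the four hunks update the usage() text or the man pages for --ssl-protocols and --ssl-ciphers, so unless they are already documented elsewhere the options are now accepted and acted on without any user-visible description; the same applies to the ovn-ic.c, ovn-northd.c and ovn-dbctl.c hunks. The "Aborted (core dumped)" quoted in the commit message is an abort rather than a segfault, which fits the enumerators already being in the long-option table while the switch's default branch (presumably OVS_NOT_REACHED()) rejected them, so a comment above the new cases would help the next SSL option avoid the same fate, e.g. `/* Every OPT_SSL_* value in the long-option table needs a case here; the default branch aborts on anything unhandled. */`. parse_options continues outside the hunk.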
diff --git a/ic/ovn-ic.c b/ic/ovn-ic.c
index 8ceb34d7c..6f8f5734d 100644
--- a/ic/ovn-ic.c
+++ b/ic/ovn-ic.c
@@ -1846,6 +1846,14 @@  parse_options(int argc OVS_UNUSED, char *argv[] OVS_UNUSED)
             ssl_ca_cert_file = optarg;
             break;
 
+        case OPT_SSL_PROTOCOLS:
+            stream_ssl_set_protocols(optarg);
+            break;
+
+        case OPT_SSL_CIPHERS:
+            stream_ssl_set_ciphers(optarg);
+            break;
+
         case 'd':
             ovnsb_db = optarg;
             break;
diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
index f3868068d..dadc1af38 100644
--- a/northd/ovn-northd.c
+++ b/northd/ovn-northd.c
@@ -611,6 +611,14 @@  parse_options(int argc OVS_UNUSED, char *argv[] OVS_UNUSED,
             ssl_ca_cert_file = optarg;
             break;
 
+        case OPT_SSL_PROTOCOLS:
+            stream_ssl_set_protocols(optarg);
+            break;
+
+        case OPT_SSL_CIPHERS:
+            stream_ssl_set_ciphers(optarg);
+            break;
+
         case 'd':
             ovnsb_db = optarg;
             break;
diff --git a/utilities/ovn-dbctl.c b/utilities/ovn-dbctl.c
index 2e9348c47..92be27b2c 100644
--- a/utilities/ovn-dbctl.c
+++ b/utilities/ovn-dbctl.c
@@ -610,6 +610,14 @@  apply_options_direct(const struct ovn_dbctl_options *dbctl_options,
             ssl_ca_cert_file = optarg;
             break;
 
+        case OPT_SSL_PROTOCOLS:
+            stream_ssl_set_protocols(optarg);
+            break;
+
+        case OPT_SSL_CIPHERS:
+            stream_ssl_set_ciphers(optarg);
+            break;
+
         case OPT_BOOTSTRAP_CA_CERT:
             stream_ssl_set_ca_cert_file(po->arg, true);
             break;
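Review bot: The new cases read the global `optarg` while the adjacent OPT_BOOTSTRAP_CA_CERT case reads `po->arg`; apply_options_direct walks already-parsed options, so the two are equivalent only if the loop head (outside the hunk) copies po->arg into optarg, which the preceding ssl_ca_cert_file context line suggests but the hunk does not show. Using `stream_ssl_set_protocols(po->arg);` and `stream_ssl_set_ciphers(po->arg);` would match the surrounding style and drop the dependence on the global. apply_options_direct begins and ends outside the hunk.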