From patchwork Tue Feb 27 21:37:26 2024
X-Patchwork-Submitter: aginwala aginwala
X-Patchwork-Id: 1905451
From: amginwal@gmail.com
To: dev@openvswitch.org
Date: Tue, 27 Feb 2024 13:37:26 -0800
Message-Id: <20240227213726.49881-1-amginwal@gmail.com>
X-Mailer: git-send-email 2.39.3 (Apple Git-145)
Cc: Aliasgar Ginwala
Subject: [ovs-dev] [PATCH ovn] ovn-ctl: Add ssl-ciphers and protocols support.

From: Aliasgar Ginwala

Setting up OVN on a new kernel bumps the openssl version. Since the OVS PKI infrastructure generated the older ssl certs based on the old openssl version, raft fails with the error:

2024-02-27T19:28:39.673Z|00022|stream_ssl|WARN|SSL_connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed

Setting these was missed in the ovn-ctl utility, hence setting the same here.

Signed-off-by: Aliasgar Ginwala
---
 utilities/ovn-ctl | 25 +++++++++++++++++++++++--
 1 file changed, 23 insertions(+), 2 deletions(-)

diff --git a/utilities/ovn-ctl b/utilities/ovn-ctl
index dc8865abf..3f652af80 100755
--- a/utilities/ovn-ctl
+++ b/utilities/ovn-ctl
@@ -184,6 +184,8 @@ start_ovsdb__() { local ovn_db_ssl_cacert local ovn_db_election_timer local relay_mode + local ovn_db_ssl_protocols + local ovn_db_ssl_ciphers eval db_pid_file=\$DB_${DB}_PIDFILE eval cluster_local_addr=\$DB_${DB}_CLUSTER_LOCAL_ADDR eval cluster_local_port=\$DB_${DB}_CLUSTER_LOCAL_PORT @@ -212,6 +214,8 @@ start_ovsdb__() { eval ovn_db_election_timer=\$DB_${DB}_ELECTION_TIMER eval relay_mode=\$RELAY_MODE eval relay_remote=\$DB_${DB}_REMOTE + eval ovn_db_ssl_protocols=\$OVN_${DB}_DB_SSL_PROTOCOLS + eval ovn_db_ssl_ciphers=\$OVN_${DB}_DB_SSL_CIPHERS ovn_install_dir "$OVN_RUNDIR" ovn_install_dir "$ovn_logdir" 
@@ -311,8 +315,17 @@ $cluster_remote_port set "$@" --ca-cert=db:$schema_name,SSL,ca_cert fi - set "$@" --ssl-protocols=db:$schema_name,SSL,ssl_protocols - set "$@" --ssl-ciphers=db:$schema_name,SSL,ssl_ciphers + if test X"$ovn_db_ssl_protocols" != X; then + set "$@" --ssl-protocols=$ovn_db_ssl_protocols + else + set "$@" --ssl-protocols=db:$schema_name,SSL,ssl_protocols + fi + + if test X"$ovn_db_ssl_ciphers" != X; then + set "$@" --ssl-ciphers=$ovn_db_ssl_ciphers + else + set "$@" --ssl-ciphers=db:$schema_name,SSL,ssl_ciphers + fi if test X"$create_insecure_remote" = Xyes; then set "$@" --remote=ptcp:$port:$addr @@ -877,18 +890,26 @@ set_defaults () { OVN_NB_DB_SSL_KEY="" OVN_NB_DB_SSL_CERT="" OVN_NB_DB_SSL_CA_CERT="" + OVN_NB_DB_SSL_PROTOCOLS="" + OVN_NB_DB_SSL_CIPHERS="" OVN_SB_DB_SSL_KEY="" OVN_SB_DB_SSL_CERT="" OVN_SB_DB_SSL_CA_CERT="" + OVN_SB_DB_SSL_PROTOCOLS="" + OVN_SB_DB_SSL_CIPHERS="" OVN_IC_NB_DB_SSL_KEY="" OVN_IC_NB_DB_SSL_CERT="" OVN_IC_NB_DB_SSL_CA_CERT="" + OVN_IC_NB_DB_SSL_PROTOCOLS="" + OVN_IC_NB_DB_SSL_CIPHERS="" OVN_IC_SB_DB_SSL_KEY="" OVN_IC_SB_DB_SSL_CERT="" OVN_IC_SB_DB_SSL_CA_CERT="" + OVN_IC_SB_DB_SSL_PROTOCOLS="" + OVN_IC_SB_DB_SSL_CIPHERS="" RELAY_MODE=no DB_SB_RELAY_REMOTE=
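Review bot: the commit message motivates the change with a `certificate verify failed` error, but the variables read in the @@ -212,6 +214,8 @@ hunk (`OVN_${DB}_DB_SSL_PROTOCOLS`, `OVN_${DB}_DB_SSL_CIPHERS`) only select TLS protocol versions and cipher lists, so a reader cannot tell from the message why a protocol or cipher setting resolves a certificate verification error. Please state in the commit message which value operators are expected to put into these variables for the old-openssl certificate case and how that value makes the older certs acceptable; otherwise the fix reads as unrelated to the error it cites.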
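Review bot: in the @@ -311,8 +315,17 @@ hunk the two new expansions `set "$@" --ssl-protocols=$ovn_db_ssl_protocols` and `set "$@" --ssl-ciphers=$ovn_db_ssl_ciphers` are unquoted, so a value containing whitespace is word-split into several arguments to ovsdb-server and a value containing `*` or `?` is glob-expanded before it reaches the option. Both variables come straight from the operator's environment or command line, and OpenSSL cipher lists are routinely written with separators other than `:`, so quote them: `set "$@" --ssl-protocols="$ovn_db_ssl_protocols"` and `set "$@" --ssl-ciphers="$ovn_db_ssl_ciphers"`. Keeping the `db:$schema_name,SSL,ssl_protocols` / `db:$schema_name,SSL,ssl_ciphers` fallback in the else branches mirrors the `--ca-cert=db:$schema_name,SSL,ca_cert` block whose tail is visible as context above, which is the right shape.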
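Review bot: the @@ -877,18 +890,26 @@ hunk adds `OVN_NB_DB_SSL_PROTOCOLS`, `OVN_NB_DB_SSL_CIPHERS` and the SB, IC_NB and IC_SB counterparts to set_defaults, but the diffstat (1 file changed, 23 insertions) shows that nothing documents them: wherever ovn-ctl's usage text and the ovn-ctl manual list the existing `--ovn-nb-db-ssl-key`, `--ovn-nb-db-ssl-cert` and `--ovn-nb-db-ssl-ca-cert` options, matching `--ovn-<db>-db-ssl-protocols` and `--ovn-<db>-db-ssl-ciphers` entries should be added, and a NEWS line should announce the new knobs. Empty defaults keep the current behaviour (options come from the SSL table) for anyone who does not set them, which is correct.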