From patchwork Thu May 4 15:47:47 2023
X-Patchwork-Submitter: Dan Williams
X-Patchwork-Id: 1776977
From: Dan Williams
To: dev@openvswitch.org
Date: Thu, 04 May 2023 10:47:47 -0500
Subject: [ovs-dev] [PATCH] lib/ssl: enable TLSv1.3 if supported by SSL

diff --git a/lib/ssl-connect.man b/lib/ssl-connect.man index 6e54f77ef4d5e..896ce79c6378f 100644 --- a/lib/ssl-connect.man +++ b/lib/ssl-connect.man 
@@ -1,10 +1,12 @@ .IP "\fB\-\-ssl\-protocols=\fIprotocols\fR" Specifies, in a comma- or space-delimited list, the SSL protocols \fB\*(PN\fR will enable for SSL connections. Supported -\fIprotocols\fR include \fBTLSv1\fR, \fBTLSv1.1\fR, and \fBTLSv1.2\fR. -Regardless of order, the highest protocol supported by both sides will -be chosen when making the connection. The default when this option is -omitted is \fBTLSv1,TLSv1.1,TLSv1.2\fR. +\fIprotocols\fR include \fBTLSv1\fR, \fBTLSv1.1\fR, \fBTLSv1.2\fR, and +(if supported by OpenSSL) \fBTLSv1.3\fR. Regardless of order, the +highest protocol supported by both sides will be chosen when making the +connection. The default when this option is omitted is +\fBTLSv1,TLSv1.1,TLSv1.2\fR and when the SSL implementation supports +TLSv1.3, the default also includes \fBTLSv1.3\fR. . .IP "\fB\-\-ssl\-ciphers=\fIciphers\fR" Specifies, in OpenSSL cipher string format, the ciphers \fB\*(PN\fR will diff --git a/lib/stream-ssl.c b/lib/stream-ssl.c index 62da9febb663a..4f053d17dfccc 100644 --- a/lib/stream-ssl.c +++ b/lib/stream-ssl.c @@ -162,9 +162,15 @@ struct ssl_config_file { static struct ssl_config_file private_key; static struct ssl_config_file certificate; static struct ssl_config_file ca_cert; -static char *ssl_protocols = "TLSv1,TLSv1.1,TLSv1.2"; static char *ssl_ciphers = "HIGH:!aNULL:!MD5"; +#define BASE_SSL_PROTOS "TLSv1,TLSv1.1,TLSv1.2" +#ifdef SSL_OP_NO_TLSv1_3 +static char *ssl_protocols = BASE_SSL_PROTOS",TLSv1.3"; +#else +static char *ssl_protocols = BASE_SSL_PROTOS; +#endif + /* Ordinarily, the SSL client and server verify each other's certificates using * a CA certificate. Setting this to false disables this behavior. (This is a * security risk.) */ 
@@ -1284,6 +1290,10 @@ stream_ssl_set_protocols(const char *arg) on_flag = SSL_OP_NO_TLSv1_1; } else if (!strcasecmp(word, "TLSv1")){ on_flag = SSL_OP_NO_TLSv1; +#ifdef SSL_OP_NO_TLSv1_3 + } else if (!strcasecmp(word, "TLSv1.3")){ + on_flag = SSL_OP_NO_TLSv1_3; +#endif } else { VLOG_ERR("%s: SSL protocol not recognized", word); goto exit;
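Review bot: in the lib/ssl-connect.man hunk the two new sentences describe the same condition with different wording, "(if supported by OpenSSL)" in the first and "when the SSL implementation supports TLSv1.3" in the second; pick one phrase so an operator reading the default does not wonder whether two different conditions are meant. Since the same page documents `--ssl-ciphers` "in OpenSSL cipher string format" directly below, it is worth adding a sentence there noting that OpenSSL configures TLSv1.3 cipher suites separately from that cipher string (via SSL_CTX_set_ciphersuites rather than SSL_CTX_set_cipher_list), otherwise an operator who restricts `--ssl-ciphers` for hardening will assume the restriction also covers TLSv1.3 connections, which this patch now enables by default.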
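Review bot: in the `@@ -162,9 +162,15 @@` hunk of lib/stream-ssl.c the literal concatenation `BASE_SSL_PROTOS",TLSv1.3"` is missing the space between the macro and the string literal; write it as `BASE_SSL_PROTOS ",TLSv1.3"` to match the rest of the file. The `#define BASE_SSL_PROTOS` also lands between two static variable definitions (after `ssl_ciphers`, before `ssl_protocols`); moving the define above the whole `ssl_config_file` block keeps declarations together and makes the `#ifdef SSL_OP_NO_TLSv1_3` selection easier to read. Note in the commit message that TLSv1.3 support is decided at build time from the OpenSSL headers, since that is what the `#ifdef` does and it is what packagers will need to know when the resulting default differs between builds.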
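Review bot: the `@@ -1284,6 +1290,10 @@` hunk in `stream_ssl_set_protocols()` only adds the word-to-flag mapping `"TLSv1.3"` -> `SSL_OP_NO_TLSv1_3`; the set of `SSL_OP_NO_*` bits that the function starts from before clearing `on_flag` for each listed protocol is outside the hunk, so please confirm that starting mask also gains `SSL_OP_NO_TLSv1_3` under the same `#ifdef`. Without that, naming TLSv1.3 in `--ssl-protocols` clears a bit that was never set, and, more importantly for operators, omitting it from the list will not actually disable TLSv1.3 on the connection. The new `else if` line also repeats the missing space before `{` from the surrounding lines (`"TLSv1.3")){`); since the patch touches this spot anyway, `"TLSv1.3")) {` would be the cleaner form.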