From: amginwal@gmail.com To: dev@openvswitch.org Date: Tue, 27 Feb 2024 14:35:44 -0800 Message-Id: <20240227223544.51174-1-amginwal@gmail.com> X-Mailer: git-send-email 2.39.3 (Apple Git-145) MIME-Version: 1.0 Cc: Aliasgar Ginwala Subject: [ovs-dev] [PATCH ovn v2] ovn-ctl: Add ssl-ciphers and protocols support. X-BeenThere: ovs-dev@openvswitch.org X-Mailman-Version: 2.1.15 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: ovs-dev-bounces@openvswitch.org Sender: "dev" From: Aliasgar Ginwala Signed-off-by: Aliasgar Ginwala --- ovs | 2 +- utilities/ovn-ctl | 25 +++++++++++++++++++++++-- 2 files changed, 24 insertions(+), 3 deletions(-) diff --git a/ovs b/ovs index fe55ce37a..ec1d73016 160000 --- a/ovs +++ b/ovs @@ -1 +1 @@ -Subproject commit fe55ce37a7b090d09dee5c01ae0797320ad678f6 +Subproject commit ec1d730163d984934c467e050ebf6d39f8c09384 diff --git a/utilities/ovn-ctl b/utilities/ovn-ctl index 50d588358..0d88ee4b2 100755 --- a/utilities/ovn-ctl +++ b/utilities/ovn-ctl @@ -185,6 +185,8 @@ start_ovsdb__() { local ovn_db_election_timer local relay_mode local cluster_db_upgrade + local ovn_db_ssl_protocols + local ovn_db_ssl_ciphers eval db_pid_file=\$DB_${DB}_PIDFILE eval cluster_local_addr=\$DB_${DB}_CLUSTER_LOCAL_ADDR eval cluster_local_port=\$DB_${DB}_CLUSTER_LOCAL_PORT @@ -214,6 +216,8 @@ start_ovsdb__() { eval relay_mode=\$RELAY_MODE eval relay_remote=\$DB_${DB}_REMOTE eval cluster_db_upgrade=\$DB_CLUSTER_SCHEMA_UPGRADE + eval ovn_db_ssl_protocols=\$OVN_${DB}_DB_SSL_PROTOCOLS + eval ovn_db_ssl_ciphers=\$OVN_${DB}_DB_SSL_CIPHERS ovn_install_dir "$OVN_RUNDIR" ovn_install_dir "$ovn_logdir" 
@@ -313,8 +317,17 @@ $cluster_remote_port set "$@" --ca-cert=db:$schema_name,SSL,ca_cert fi - set "$@" --ssl-protocols=db:$schema_name,SSL,ssl_protocols - set "$@" --ssl-ciphers=db:$schema_name,SSL,ssl_ciphers + if test X"$ovn_db_ssl_protocols" != X; then + set "$@" --ssl-protocols=$ovn_db_ssl_protocols + else + set "$@" --ssl-protocols=db:$schema_name,SSL,ssl_protocols + fi + + if test X"$ovn_db_ssl_ciphers" != X; then + set "$@" --ssl-ciphers=$ovn_db_ssl_ciphers + else + set "$@" --ssl-ciphers=db:$schema_name,SSL,ssl_ciphers + fi if test X"$create_insecure_remote" = Xyes; then set "$@" --remote=ptcp:$port:$addr @@ -878,18 +891,26 @@ set_defaults () { OVN_NB_DB_SSL_KEY="" OVN_NB_DB_SSL_CERT="" OVN_NB_DB_SSL_CA_CERT="" + OVN_NB_DB_SSL_PROTOCOLS="" + OVN_NB_DB_SSL_CIPHERS="" OVN_SB_DB_SSL_KEY="" OVN_SB_DB_SSL_CERT="" OVN_SB_DB_SSL_CA_CERT="" + OVN_SB_DB_SSL_PROTOCOLS="" + OVN_SB_DB_SSL_CIPHERS="" OVN_IC_NB_DB_SSL_KEY="" OVN_IC_NB_DB_SSL_CERT="" OVN_IC_NB_DB_SSL_CA_CERT="" + OVN_IC_NB_DB_SSL_PROTOCOLS="" + OVN_IC_NB_DB_SSL_CIPHERS="" OVN_IC_SB_DB_SSL_KEY="" OVN_IC_SB_DB_SSL_CERT="" OVN_IC_SB_DB_SSL_CA_CERT="" + OVN_IC_SB_DB_SSL_PROTOCOLS="" + OVN_IC_SB_DB_SSL_CIPHERS="" RELAY_MODE=no DB_SB_RELAY_REMOTE=
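Review bot: The `ovs` submodule hunk at the top of the patch (`-Subproject commit fe55ce37a...` to `+Subproject commit ec1d73016...`) moves the submodule pointer, which the subject line about ovn-ctl does not cover and the commit message does not explain. If the new ovn-ctl options do not depend on that OVS commit, drop this hunk from the patch; if they do, state the dependency in the commit message and send the bump as its own patch.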
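Review bot: In the `@@ -313,8 +317,17 @@` hunk of utilities/ovn-ctl, `set "$@" --ssl-protocols=$ovn_db_ssl_protocols` and `set "$@" --ssl-ciphers=$ovn_db_ssl_ciphers` expand operator-supplied values unquoted, so a value containing whitespace or glob characters is word-split or expanded before it lands in the argument list. Quote the whole argument, for example `set "$@" "--ssl-ciphers=$ovn_db_ssl_ciphers"`. When either variable is set, the `db:$schema_name,SSL,...` source is no longer passed at all, so whatever the SSL table holds for that column stops applying; a short comment at the `if` saying the override replaces the database value would make that precedence explicit.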
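Review bot: The `set_defaults` hunk introduces eight new settings (`OVN_NB_DB_SSL_PROTOCOLS`, `OVN_NB_DB_SSL_CIPHERS` and the SB, IC_NB and IC_SB equivalents), but the diffstat lists only `ovs` and `utilities/ovn-ctl`, and no hunk shown here adds them to the usage text or to any documentation. The commit message also has no body beyond the Signed-off-by line. Please document the new options, including the expected value format and that an empty value falls back to the `db:` lookup, and describe the motivation for the change in the commit message.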