From patchwork Tue Feb 27 23:29:22 2024
X-Patchwork-Submitter: aginwala aginwala
X-Patchwork-Id: 1905503
From: amginwal@gmail.com
To: dev@openvswitch.org
Date: Tue, 27 Feb 2024 15:29:22 -0800
Message-Id: <20240227232922.52055-1-amginwal@gmail.com>
X-Mailer: git-send-email 2.39.3 (Apple Git-145)
Cc: Aliasgar Ginwala
Subject: [ovs-dev] [PATCH ovn v3] ovn-ctl: Add ssl-ciphers and protocols support.

From: Aliasgar Ginwala

Setting up OVN on a new kernel bumps the OpenSSL version. Since the OVS PKI infrastructure generated the older SSL certs based on an old OpenSSL version, RAFT fails with the error

2024-02-27T19:28:39.673Z|00022|stream_ssl|WARN|SSL_connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed

Setting this via the ovn-ctl utility was missed, hence this patch sets the same.

Signed-off-by: Aliasgar Ginwala
---
 utilities/ovn-ctl | 25 +++++++++++++++++++++++--
 1 file changed, 23 insertions(+), 2 deletions(-)

diff --git a/utilities/ovn-ctl b/utilities/ovn-ctl index 50d588358..0d88ee4b2 100755 --- a/utilities/ovn-ctl +++ b/utilities/ovn-ctl @@ -185,6 +185,8 @@ start_ovsdb__() { local ovn_db_election_timer local relay_mode local cluster_db_upgrade + local ovn_db_ssl_protocols + local ovn_db_ssl_ciphers eval db_pid_file=\$DB_${DB}_PIDFILE eval cluster_local_addr=\$DB_${DB}_CLUSTER_LOCAL_ADDR eval cluster_local_port=\$DB_${DB}_CLUSTER_LOCAL_PORT @@ -214,6 +216,8 @@ start_ovsdb__() { eval relay_mode=\$RELAY_MODE eval relay_remote=\$DB_${DB}_REMOTE eval cluster_db_upgrade=\$DB_CLUSTER_SCHEMA_UPGRADE + eval ovn_db_ssl_protocols=\$OVN_${DB}_DB_SSL_PROTOCOLS + eval ovn_db_ssl_ciphers=\$OVN_${DB}_DB_SSL_CIPHERS ovn_install_dir "$OVN_RUNDIR" ovn_install_dir "$ovn_logdir" 
@@ -313,8 +317,17 @@ $cluster_remote_port set "$@" --ca-cert=db:$schema_name,SSL,ca_cert fi - set "$@" --ssl-protocols=db:$schema_name,SSL,ssl_protocols - set "$@" --ssl-ciphers=db:$schema_name,SSL,ssl_ciphers + if test X"$ovn_db_ssl_protocols" != X; then + set "$@" --ssl-protocols=$ovn_db_ssl_protocols + else + set "$@" --ssl-protocols=db:$schema_name,SSL,ssl_protocols + fi + + if test X"$ovn_db_ssl_ciphers" != X; then + set "$@" --ssl-ciphers=$ovn_db_ssl_ciphers + else + set "$@" --ssl-ciphers=db:$schema_name,SSL,ssl_ciphers + fi if test X"$create_insecure_remote" = Xyes; then set "$@" --remote=ptcp:$port:$addr @@ -878,18 +891,26 @@ set_defaults () { OVN_NB_DB_SSL_KEY="" OVN_NB_DB_SSL_CERT="" OVN_NB_DB_SSL_CA_CERT="" + OVN_NB_DB_SSL_PROTOCOLS="" + OVN_NB_DB_SSL_CIPHERS="" OVN_SB_DB_SSL_KEY="" OVN_SB_DB_SSL_CERT="" OVN_SB_DB_SSL_CA_CERT="" + OVN_SB_DB_SSL_PROTOCOLS="" + OVN_SB_DB_SSL_CIPHERS="" OVN_IC_NB_DB_SSL_KEY="" OVN_IC_NB_DB_SSL_CERT="" OVN_IC_NB_DB_SSL_CA_CERT="" + OVN_IC_NB_DB_SSL_PROTOCOLS="" + OVN_IC_NB_DB_SSL_CIPHERS="" OVN_IC_SB_DB_SSL_KEY="" OVN_IC_SB_DB_SSL_CERT="" OVN_IC_SB_DB_SSL_CA_CERT="" + OVN_IC_SB_DB_SSL_PROTOCOLS="" + OVN_IC_SB_DB_SSL_CIPHERS="" RELAY_MODE=no DB_SB_RELAY_REMOTE=
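Review bot: in the `@@ -313,8 +317,17 @@` hunk the new `--ssl-protocols=$ovn_db_ssl_protocols` and `--ssl-ciphers=$ovn_db_ssl_ciphers` expansions are unquoted; quote them (`set "$@" --ssl-ciphers="$ovn_db_ssl_ciphers"`) so a value containing a space or glob character is not word-split before it reaches ovsdb-server. The same hunk also changes precedence: when the variable is set, the `db:$schema_name,SSL,ssl_protocols` / `db:$schema_name,SSL,ssl_ciphers` reference is no longer passed, so the SSL table column is silently ignored for that database; that should be stated in the commit message. The commit message should also say which ssl_ciphers/ssl_protocols value makes the old certificates verify and why, since a `certificate verify failed` error is not obviously a cipher-list or protocol-version problem; if the intended value lowers the OpenSSL security level, say so explicitly and note that regenerating the certificates with the current PKI is the safer fix.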
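Review bot: the `@@ -878,18 +891,26 @@` hunk adds eight `OVN_*_DB_SSL_PROTOCOLS` / `OVN_*_DB_SSL_CIPHERS` defaults, but the diffstat shows only `utilities/ovn-ctl` changed, so nothing documents the new settings or the command-line options that map onto these variables; add them to ovn-ctl's usage text next to the existing ssl-key/cert/ca-cert entries and mention them in NEWS.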