Fix segfault due to ssl-ciphers.
To avoid invalidating existing certs set up by an old version of ovs pki,
openssl supports setting ciphers, but it fails with ovn as below:
ovn-controller --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1'
Aborted (core dumped)

Avoid invalidating existing certs when bumping to new ovn version
SSL_connect: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed while connecting to control plane.

Also amend ovn ic northd and ovn ctl utilities

Add tests for ssl ciphers

Signed-off-by: Aliasgar Ginwala <aginwala@ebay.com>
Acked-by: Ales Musil <amusil@redhat.com>
Signed-off-by: Numan Siddique <numans@ovn.org>
noah8713 authored and numansiddique committed Jan 24, 2024
1 parent 221476a commit 620203f
Showing 6 changed files with 233 additions and 0 deletions.
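--- a/controller/ovn-controller.c
+++ b/controller/ovn-controller.c
@@ -6189,6 +6189,13 @@ parse_options(int argc, char *argv[])
 ssl_ca_cert_file = optarg;
 break;
 
+case OPT_SSL_PROTOCOLS:
+stream_ssl_set_protocols(optarg);
+break;
+
+case OPT_SSL_CIPHERS:
+stream_ssl_set_ciphers(optarg);
+break;
 
 case OPT_PEER_CA_CERT:
 stream_ssl_set_peer_ca_cert_file(optarg);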
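Review bot: The two new cases are duplicated verbatim in ic/ovn-ic.c, northd/ovn-northd.c and utilities/ovn-dbctl.c in this commit, so the next SSL option the shared option list grows will have to be wired into four switch statements again or it will reach the same abort the description reports (that default case is outside the hunk, so this is inferred). A small OVN-local macro expanding to these two cases, used in all four files, would keep them in step. Unlike `ssl_ca_cert_file = optarg;` at the top of the hunk, which only records a path for later, `stream_ssl_set_protocols(optarg)` and `stream_ssl_set_ciphers(optarg)` presumably hand the value to the stream-ssl layer as soon as the option is parsed; a comment such as `/* Applied directly to the stream-ssl config, unlike the key/cert paths recorded above. */` would make that asymmetry visible to the next maintainer. parse_options continues outside the hunk.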
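--- a/ic/ovn-ic.c
+++ b/ic/ovn-ic.c
@@ -1846,6 +1846,14 @@ parse_options(int argc OVS_UNUSED, char *argv[] OVS_UNUSED)
 ssl_ca_cert_file = optarg;
 break;
 
+case OPT_SSL_PROTOCOLS:
+stream_ssl_set_protocols(optarg);
+break;
+
+case OPT_SSL_CIPHERS:
+stream_ssl_set_ciphers(optarg);
+break;
+
 case 'd':
 ovnsb_db = optarg;
 break;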
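--- a/northd/ovn-northd.c
+++ b/northd/ovn-northd.c
@@ -611,6 +611,14 @@ parse_options(int argc OVS_UNUSED, char *argv[] OVS_UNUSED,
 ssl_ca_cert_file = optarg;
 break;
 
+case OPT_SSL_PROTOCOLS:
+stream_ssl_set_protocols(optarg);
+break;
+
+case OPT_SSL_CIPHERS:
+stream_ssl_set_ciphers(optarg);
+break;
+
 case 'd':
 ovnsb_db = optarg;
 break;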
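--- a/tests/ovn-controller.at
+++ b/tests/ovn-controller.at
@@ -2712,3 +2712,23 @@ AT_CHECK([as hv1 ovs-ofctl dump-flows br-int table=40 | grep -q controller], [1]
 OVN_CLEANUP([hv1])
 AT_CLEANUP
 ])
+
+AT_SETUP([ovn-controller - ssl ciphers using command line options])
+AT_KEYWORDS([ovn])
+AT_SKIP_IF([test "$HAVE_OPENSSL" = no])
+ovn_start
+
+net_add n1
+sim_add hv1
+ovs-vsctl add-br br-phys
+ovn_attach n1 br-phys 192.168.0.20
+
+# Set cipher and and it should connect
+OVS_APP_EXIT_AND_WAIT([ovn-controller])
+start_daemon ovn-controller --ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' --ssl-protocols='TLSv1,TLSv1.1,TLSv1.2'
+
+OVS_WAIT_FOR_OUTPUT([ovn-appctl -t ovn-controller connection-status], [0], [connected
+])
+
+OVN_CLEANUP([hv1])
+AT_CLEANUP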
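Review bot: The new test only proves that ovn-controller no longer aborts and reaches `connected`; it does not show that the cipher list or protocol set was actually applied, since the same outcome would appear if both options were silently ignored. A second check that a deliberately incompatible restriction (for example a protocol list the test ovsdb-server is not configured to offer) leaves connection-status not connected would pin the behaviour the commit title promises. The comment before start_daemon has a doubled word: `# Set cipher and it should connect`. Pinning `TLSv1,TLSv1.1` may also make the test depend on the OpenSSL build still permitting those protocol versions; if so, that assumption belongs next to the AT_SKIP_IF.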
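--- a/tests/ovn.at
+++ b/tests/ovn.at
@@ -37650,3 +37650,185 @@ OVN_CLEANUP([hv1])
 
 AT_CLEANUP
 ])
+
+AT_SETUP([read-only sb db:pssl access with ssl-ciphers and ssl-protocols])
+AT_SKIP_IF([test "$HAVE_OPENSSL" = no])
+PKIDIR="$(cd $abs_top_builddir/tests && pwd)"
+AT_SKIP_IF([expr "$PKIDIR" : ".*[[ '\"
+\\]]"])
+
+: > .$1.db.~lock~
+ovsdb-tool create ovn-sb.db "$abs_top_srcdir"/ovn-sb.ovsschema
+
+# Add read-only remote to sb ovsdb-server
+AT_CHECK(
+[ovsdb-tool transact ovn-sb.db \
+['["OVN_Southbound",
+{"op": "insert",
+"table": "SB_Global",
+"row": {
+"connections": ["set", [["named-uuid", "xyz"]]]}},
+{"op": "insert",
+"table": "Connection",
+"uuid-name": "xyz",
+"row": {"target": "pssl:0:127.0.0.1",
+"read_only": true}}]']], [0], [ignore], [ignore])
+
+start_daemon ovsdb-server --remote=punix:ovn-sb.sock \
+--remote=db:OVN_Southbound,SB_Global,connections \
+--private-key="$PKIDIR/testpki-test2-privkey.pem" \
+--certificate="$PKIDIR/testpki-test2-cert.pem" \
+--ca-cert="$PKIDIR/testpki-cacert.pem" \
+--ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \
+--ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \
+ovn-sb.db
+
+PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT])
+
+# read-only accesses should succeed
+AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \
+--private-key=$PKIDIR/testpki-test-privkey.pem \
+--certificate=$PKIDIR/testpki-test-cert.pem \
+--ca-cert=$PKIDIR/testpki-cacert.pem \
+--ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \
+--ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \
+list SB_Global], [0], [stdout], [ignore])
+AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \
+--private-key=$PKIDIR/testpki-test-privkey.pem \
+--certificate=$PKIDIR/testpki-test-cert.pem \
+--ca-cert=$PKIDIR/testpki-cacert.pem \
+--ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \
+--ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \
+list Connection], [0], [stdout], [ignore])
+
+# write access should fail
+AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \
+--private-key=$PKIDIR/testpki-test-privkey.pem \
+--certificate=$PKIDIR/testpki-test-cert.pem \
+--ca-cert=$PKIDIR/testpki-cacert.pem \
+--ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \
+--ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \
+chassis-add ch vxlan 1.2.4.8], [1], [ignore],
+[ovn-sbctl: transaction error: {"details":"insert operation not allowed when database server is in read only mode","error":"not allowed"}
+])
+
+OVS_APP_EXIT_AND_WAIT([ovsdb-server])
+AT_CLEANUP
+
+AT_SETUP([nb connection/ssl commands with ssl-ciphers and ssl-protocols])
+AT_SKIP_IF([test "$HAVE_OPENSSL" = no])
+PKIDIR="$(cd $abs_top_builddir/tests && pwd)"
+AT_SKIP_IF([expr "$PKIDIR" : ".*[[ '\"
+\\]]"])
+
+: > .$1.db.~lock~
+ovsdb-tool create ovn-nb.db "$abs_top_srcdir"/ovn-nb.ovsschema
+
+# Start nb db server using db connection/ssl entries (unpopulated initially)
+start_daemon ovsdb-server --remote=punix:ovnnb_db.sock \
+--remote=db:OVN_Northbound,NB_Global,connections \
+--private-key=db:OVN_Northbound,SSL,private_key \
+--certificate=db:OVN_Northbound,SSL,certificate \
+--ca-cert=db:OVN_Northbound,SSL,ca_cert \
+--ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \
+--ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \
+ovn-nb.db
+
+# Populate SSL configuration entries in nb db
+AT_CHECK(
+[ovn-nbctl set-ssl $PKIDIR/testpki-test-privkey.pem \
+$PKIDIR/testpki-test-cert.pem \
+$PKIDIR/testpki-cacert.pem], [0], [stdout], [ignore])
+
+# Populate a passive SSL connection in nb db
+AT_CHECK([ovn-nbctl set-connection pssl:0:127.0.0.1], [0], [stdout], [ignore])
+
+PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT])
+
+# Verify SSL connetivity to nb db server
+AT_CHECK([ovn-nbctl --db=ssl:127.0.0.1:$TCP_PORT \
+--private-key=$PKIDIR/testpki-test-privkey.pem \
+--certificate=$PKIDIR/testpki-test-cert.pem \
+--ca-cert=$PKIDIR/testpki-cacert.pem \
+--ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \
+--ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \
+list NB_Global],
+[0], [stdout], [ignore])
+AT_CHECK([ovn-nbctl --db=ssl:127.0.0.1:$TCP_PORT \
+--private-key=$PKIDIR/testpki-test-privkey.pem \
+--certificate=$PKIDIR/testpki-test-cert.pem \
+--ca-cert=$PKIDIR/testpki-cacert.pem \
+--ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \
+--ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \
+list Connection],
+[0], [stdout], [ignore])
+AT_CHECK([ovn-nbctl --db=ssl:127.0.0.1:$TCP_PORT \
+--private-key=$PKIDIR/testpki-test-privkey.pem \
+--certificate=$PKIDIR/testpki-test-cert.pem \
+--ca-cert=$PKIDIR/testpki-cacert.pem \
+--ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \
+--ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \
+get-connection],
+[0], [stdout], [ignore])
+
+OVS_APP_EXIT_AND_WAIT([ovsdb-server])
+AT_CLEANUP
+
+AT_SETUP([sb connection/ssl commands with ssl-ciphers and ssl-protocols])
+AT_SKIP_IF([test "$HAVE_OPENSSL" = no])
+PKIDIR="$(cd $abs_top_builddir/tests && pwd)"
+AT_SKIP_IF([expr "$PKIDIR" : ".*[[ '\"
+\\]]"])
+
+: > .$1.db.~lock~
+ovsdb-tool create ovn-sb.db "$abs_top_srcdir"/ovn-sb.ovsschema
+
+# Start sb db server using db connection/ssl entries (unpopulated initially)
+start_daemon ovsdb-server --remote=punix:ovnsb_db.sock \
+--remote=db:OVN_Southbound,SB_Global,connections \
+--private-key=db:OVN_Southbound,SSL,private_key \
+--certificate=db:OVN_Southbound,SSL,certificate \
+--ca-cert=db:OVN_Southbound,SSL,ca_cert \
+--ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \
+--ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \
+ovn-sb.db
+
+# Populate SSL configuration entries in sb db
+AT_CHECK(
+[ovn-sbctl set-ssl $PKIDIR/testpki-test-privkey.pem \
+$PKIDIR/testpki-test-cert.pem \
+$PKIDIR/testpki-cacert.pem], [0], [stdout], [ignore])
+
+# Populate a passive SSL connection in sb db
+AT_CHECK([ovn-sbctl set-connection pssl:0:127.0.0.1], [0], [stdout], [ignore])
+
+PARSE_LISTENING_PORT([ovsdb-server.log], [TCP_PORT])
+
+# Verify SSL connetivity to sb db server
+AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \
+--private-key=$PKIDIR/testpki-test-privkey.pem \
+--certificate=$PKIDIR/testpki-test-cert.pem \
+--ca-cert=$PKIDIR/testpki-cacert.pem \
+--ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \
+--ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \
+list SB_Global],
+[0], [stdout], [ignore])
+AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \
+--private-key=$PKIDIR/testpki-test-privkey.pem \
+--certificate=$PKIDIR/testpki-test-cert.pem \
+--ca-cert=$PKIDIR/testpki-cacert.pem \
+--ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \
+--ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \
+list Connection],
+[0], [stdout], [ignore])
+AT_CHECK([ovn-sbctl --db=ssl:127.0.0.1:$TCP_PORT \
+--private-key=$PKIDIR/testpki-test-privkey.pem \
+--certificate=$PKIDIR/testpki-test-cert.pem \
+--ca-cert=$PKIDIR/testpki-cacert.pem \
+--ssl-ciphers='HIGH:!aNULL:!MD5:@SECLEVEL=1' \
+--ssl-protocols='TLSv1,TLSv1.1,TLSv1.2' \
+get-connection],
+[0], [stdout], [ignore])
+
+OVS_APP_EXIT_AND_WAIT([ovsdb-server])
+AT_CLEANUP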
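Review bot: `: > .$1.db.~lock~` appears in all three new AT_SETUP bodies, but `$1` is not a macro argument there, so the file created is presumably `..db.~lock~` rather than the lock file of the database being created; if the intent is to pre-create the ovsdb lock, `: > .ovn-sb.db.~lock~` (and `.ovn-nb.db.~lock~` in the nb test) says so, and otherwise the line can go. The `--ssl-ciphers`/`--ssl-protocols` pair is repeated with identical values in every server and client invocation across the three tests; one shell variable per test holding the two options would make a future change to the cipher string a single edit and would also be the natural place to record why `@SECLEVEL=1` and TLSv1/TLSv1.1 are enabled here. Both "Verify SSL connetivity" comments should read `connectivity`.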
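--- a/utilities/ovn-dbctl.c
+++ b/utilities/ovn-dbctl.c
@@ -610,6 +610,14 @@ apply_options_direct(const struct ovn_dbctl_options *dbctl_options,
 ssl_ca_cert_file = optarg;
 break;
 
+case OPT_SSL_PROTOCOLS:
+stream_ssl_set_protocols(optarg);
+break;
+
+case OPT_SSL_CIPHERS:
+stream_ssl_set_ciphers(optarg);
+break;
+
 case OPT_BOOTSTRAP_CA_CERT:
 stream_ssl_set_ca_cert_file(po->arg, true);
 break;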
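Review bot: The new cases read `optarg` while the neighbouring `case OPT_BOOTSTRAP_CA_CERT:` three lines below reads `po->arg`; both forms already coexist in this function, so presumably `optarg` is assigned from `po->arg` earlier in the loop (outside the hunk), but mixing them in adjacent cases invites a maintainer to assume getopt state that is not actually driving this switch. Using `stream_ssl_set_protocols(po->arg);` and `stream_ssl_set_ciphers(po->arg);` keeps the added cases consistent with the bootstrap case they sit next to. apply_options_direct continues outside the hunk.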

0 comments on commit 620203f

Please sign in to comment.