From 51af591bd37802a286b598ca6f63ced0bd18a673 Mon Sep 17 00:00:00 2001
From: Lance Richardson
Date: Wed, 7 Jun 2017 13:35:20 -0400
Subject: ovn: ssl proto/cipher configuration in nb/sb db

Add SSL protocol and cipher columns to SSL tables in northbound and southbound databases. Start nb/sb ovsdb-server with command- line options to use these columns. Add support to ovn-nbctl and ovn-sbctl "set-ssl" commands for user-friendly management of these settings.

Signed-off-by: Lance Richardson
Signed-off-by: Ben Pfaff
---
 ovn/ovn-nb.ovsschema | 4 +++-
 ovn/ovn-nb.xml | 11 +++++++++++
 ovn/ovn-sb.ovsschema | 4 +++-
 ovn/ovn-sb.xml | 11 +++++++++++
 ovn/utilities/ovn-ctl | 4 ++++
 ovn/utilities/ovn-nbctl.8.xml | 4 +++-
 ovn/utilities/ovn-nbctl.c | 15 ++++++++++++---
 ovn/utilities/ovn-sbctl.8.in | 2 +-
 ovn/utilities/ovn-sbctl.c | 15 ++++++++++++---
 tutorial/ovs-sandbox | 4 ++++
 10 files changed, 64 insertions(+), 10 deletions(-)

diff --git a/ovn/ovn-nb.ovsschema b/ovn/ovn-nb.ovsschema
index 86efe8642..c6a1417ff 100644
--- a/ovn/ovn-nb.ovsschema
+++ b/ovn/ovn-nb.ovsschema
@@ -1,7 +1,7 @@
 {
 "name": "OVN_Northbound",
 "version": "5.6.0",
- "cksum": "1358108512 15019",
+ "cksum": "2552205612 15123",
 "tables": {
 "NB_Global": {
 "columns": {
@@ -287,6 +287,8 @@
 "certificate": {"type": "string"},
 "ca_cert": {"type": "string"},
 "bootstrap_ca_cert": {"type": "boolean"},
+ "ssl_protocols": {"type": "string"},
+ "ssl_ciphers": {"type": "string"},
 "external_ids": {"type": {"key": "string",
 "value": "string",
 "min": 0,
diff --git a/ovn/ovn-nb.xml b/ovn/ovn-nb.xml
index eb348fe59..f9e5bfd31 100644
--- a/ovn/ovn-nb.xml
+++ b/ovn/ovn-nb.xml
@@ -2084,6 +2084,17 @@ CA certificate. It may still be useful for bootstrapping. + + List of SSL protocols to be enabled for SSL connections. The default + when this option is omitted is TLSv1,TLSv1.1,TLSv1.2. + + + + List of ciphers (in OpenSSL cipher string format) to be supported + for SSL connections. The default when this option is omitted is + HIGH:!aNULL:!MD5. + + The overall purpose of these columns is described under Common Columns at the beginning of this document.
diff --git a/ovn/ovn-sb.ovsschema b/ovn/ovn-sb.ovsschema
index 5d7546bc5..fa5ef1db3 100644
--- a/ovn/ovn-sb.ovsschema
+++ b/ovn/ovn-sb.ovsschema
@@ -1,7 +1,7 @@
 {
 "name": "OVN_Southbound",
 "version": "1.12.1",
- "cksum": "1914140659 10905",
+ "cksum": "761192506 11009",
 "tables": {
 "SB_Global": {
 "columns": {
@@ -201,6 +201,8 @@
 "certificate": {"type": "string"},
 "ca_cert": {"type": "string"},
 "bootstrap_ca_cert": {"type": "boolean"},
+ "ssl_protocols": {"type": "string"},
+ "ssl_ciphers": {"type": "string"},
 "external_ids": {"type": {"key": "string",
 "value": "string",
 "min": 0,
diff --git a/ovn/ovn-sb.xml b/ovn/ovn-sb.xml
index f3c321222..a0ecd19bd 100644
--- a/ovn/ovn-sb.xml
+++ b/ovn/ovn-sb.xml
@@ -2779,6 +2779,17 @@ tcp.flags = RST; CA certificate. It may still be useful for bootstrapping. + + List of SSL protocols to be enabled for SSL connections. The default + when this option is omitted is TLSv1,TLSv1.1,TLSv1.2. + + + + List of ciphers (in OpenSSL cipher string format) to be supported + for SSL connections. The default when this option is omitted is + HIGH:!aNULL:!MD5. + + The overall purpose of these columns is described under Common Columns at the beginning of this document.
diff --git a/ovn/utilities/ovn-ctl b/ovn/utilities/ovn-ctl
index 026802e46..0b533916d 100755
--- a/ovn/utilities/ovn-ctl
+++ b/ovn/utilities/ovn-ctl
@@ -108,6 +108,8 @@ start_nb_ovsdb() {
 set "$@" --private-key=db:OVN_Northbound,SSL,private_key
 set "$@" --certificate=db:OVN_Northbound,SSL,certificate
 set "$@" --ca-cert=db:OVN_Northbound,SSL,ca_cert
+ set "$@" --ssl-protocols=db:OVN_Northbound,SSL,ssl_protocols
+ set "$@" --ssl-ciphers=db:OVN_Northbound,SSL,ssl_ciphers
 if test X"$DB_NB_CREATE_INSECURE_REMOTE" = Xyes; then
 set "$@" --remote=ptcp:$DB_NB_PORT:$DB_NB_ADDR
@@ -141,6 +143,8 @@ start_sb_ovsdb() {
 set "$@" --private-key=db:OVN_Southbound,SSL,private_key
 set "$@" --certificate=db:OVN_Southbound,SSL,certificate
 set "$@" --ca-cert=db:OVN_Southbound,SSL,ca_cert
+ set "$@" --ssl-protocols=db:OVN_Southbound,SSL,ssl_protocols
+ set "$@" --ssl-ciphers=db:OVN_Southbound,SSL,ssl_ciphers
 if test X"$DB_SB_CREATE_INSECURE_REMOTE" = Xyes; then
 set "$@" --remote=ptcp:$DB_SB_PORT:$DB_SB_ADDR
diff --git a/ovn/utilities/ovn-nbctl.8.xml b/ovn/utilities/ovn-nbctl.8.xml
index adea29a4e..15012af6b 100644
--- a/ovn/utilities/ovn-nbctl.8.xml
+++ b/ovn/utilities/ovn-nbctl.8.xml
@@ -796,7 +796,9 @@ Deletes the current SSL configuration. -
[--bootstrap] set-ssl private-key certificate ca-cert
+
[--bootstrap] set-ssl + private-key certificate ca-cert + [ssl-protocol-list [ssl-cipher-list]]
Sets the SSL configuration.
diff --git a/ovn/utilities/ovn-nbctl.c b/ovn/utilities/ovn-nbctl.c
index b5143e6ad..bd0160a7e 100644
--- a/ovn/utilities/ovn-nbctl.c
+++ b/ovn/utilities/ovn-nbctl.c
@@ -430,7 +430,8 @@ Connection commands:\n\
 SSL commands:\n\
 get-ssl print the SSL configuration\n\
 del-ssl delete the SSL configuration\n\
- set-ssl PRIV-KEY CERT CA-CERT set the SSL configuration\n\
+ set-ssl PRIV-KEY CERT CA-CERT [SSL-PROTOS [SSL-CIPHERS]] \
+set the SSL configuration\n\
 \n\
 %s\
 \n\
@@ -3069,6 +3070,13 @@ cmd_set_ssl(struct ctl_context *ctx)
 nbrec_ssl_set_bootstrap_ca_cert(ssl, bootstrap);
+ if (ctx->argc == 5) {
+ nbrec_ssl_set_ssl_protocols(ssl, ctx->argv[4]);
+ } else if (ctx->argc == 6) {
+ nbrec_ssl_set_ssl_protocols(ssl, ctx->argv[4]);
+ nbrec_ssl_set_ssl_ciphers(ssl, ctx->argv[5]);
+ }
+
 nbrec_nb_global_set_ssl(nb_global, ssl);
 }
@@ -3463,8 +3471,9 @@ static const struct ctl_command_syntax nbctl_commands[] = {
 /* SSL commands. */
 {"get-ssl", 0, 0, "", pre_cmd_get_ssl, cmd_get_ssl, NULL, "", RO},
 {"del-ssl", 0, 0, "", pre_cmd_del_ssl, cmd_del_ssl, NULL, "", RW},
- {"set-ssl", 3, 3, "PRIVATE-KEY CERTIFICATE CA-CERT", pre_cmd_set_ssl,
- cmd_set_ssl, NULL, "--bootstrap", RW},
+ {"set-ssl", 3, 5,
+ "PRIVATE-KEY CERTIFICATE CA-CERT [SSL-PROTOS [SSL-CIPHERS]]",
+ pre_cmd_set_ssl, cmd_set_ssl, NULL, "--bootstrap", RW},
 {NULL, 0, 0, NULL, NULL, NULL, NULL, "", RO},
 };
diff --git a/ovn/utilities/ovn-sbctl.8.in b/ovn/utilities/ovn-sbctl.8.in
index 4f8017e7a..ec24da4ee 100644
--- a/ovn/utilities/ovn-sbctl.8.in
+++ b/ovn/utilities/ovn-sbctl.8.in
@@ -246,7 +246,7 @@ Prints the SSL configuration.
 .IP "\fBdel\-ssl\fR"
 Deletes the current SSL configuration.
 .
-.IP "[\fB\-\-bootstrap\fR] \fBset\-ssl\fR \fIprivate-key\fR \fIcertificate\fR \fIca-cert\fR"
+.IP "[\fB\-\-bootstrap\fR] \fBset\-ssl\fR \fIprivate-key\fR \fIcertificate\fR \fIca-cert\fR [\fIssl-protocol-list\fR [\fIssl-cipher-list\fR]]"
 Sets the SSL configuration. The \fB\-\-bootstrap\fR option is described below.
 .
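Review bot: The optional arguments added to cmd_set_ssl are written to the SSL row without any check, so a mistyped protocol name or cipher string is accepted by `set-ssl` and presumably only surfaces later as an error in the ovsdb-server log when it re-reads the row; the cmd_set_ssl hunk in ovn-sbctl.c has the same shape. A comment above the new `if`, such as `/* Protocol and cipher lists are stored verbatim; they are only interpreted when ovsdb-server reloads the SSL row. */`, would make that contract explicit if it holds. Both branches call nbrec_ssl_set_ssl_protocols, so the block reads more simply as two independent guards: `if (ctx->argc >= 5) { nbrec_ssl_set_ssl_protocols(ssl, ctx->argv[4]); }` followed by `if (ctx->argc == 6) { nbrec_ssl_set_ssl_ciphers(ssl, ctx->argv[5]); }`. The start of cmd_set_ssl is outside the hunk; if it recreates the SSL row on every call, rerunning `set-ssl` with only the three mandatory arguments silently drops a previously configured protocol or cipher restriction, which the set-ssl usage text could state.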
diff --git a/ovn/utilities/ovn-sbctl.c b/ovn/utilities/ovn-sbctl.c
index 716289e9f..a82b04776 100644
--- a/ovn/utilities/ovn-sbctl.c
+++ b/ovn/utilities/ovn-sbctl.c
@@ -319,7 +319,8 @@ Connection commands:\n\
 SSL commands:\n\
 get-ssl print the SSL configuration\n\
 del-ssl delete the SSL configuration\n\
- set-ssl PRIV-KEY CERT CA-CERT set the SSL configuration\n\
+ set-ssl PRIV-KEY CERT CA-CERT [SSL-PROTOS [SSL-CIPHERS]] \
+set the SSL configuration\n\
 \n\
 %s\
 \n\
@@ -1114,6 +1115,13 @@ cmd_set_ssl(struct ctl_context *ctx)
 sbrec_ssl_set_bootstrap_ca_cert(ssl, bootstrap);
+ if (ctx->argc == 5) {
+ sbrec_ssl_set_ssl_protocols(ssl, ctx->argv[4]);
+ } else if (ctx->argc == 6) {
+ sbrec_ssl_set_ssl_protocols(ssl, ctx->argv[4]);
+ sbrec_ssl_set_ssl_ciphers(ssl, ctx->argv[5]);
+ }
+
 sbrec_sb_global_set_ssl(sb_global, ssl);
 }
@@ -1407,8 +1415,9 @@ static const struct ctl_command_syntax sbctl_commands[] = {
 /* SSL commands. */
 {"get-ssl", 0, 0, "", pre_cmd_get_ssl, cmd_get_ssl, NULL, "", RO},
 {"del-ssl", 0, 0, "", pre_cmd_del_ssl, cmd_del_ssl, NULL, "", RW},
- {"set-ssl", 3, 3, "PRIVATE-KEY CERTIFICATE CA-CERT", pre_cmd_set_ssl,
- cmd_set_ssl, NULL, "--bootstrap", RW},
+ {"set-ssl", 3, 5,
+ "PRIVATE-KEY CERTIFICATE CA-CERT [SSL-PROTOS [SSL-CIPHERS]]",
+ pre_cmd_set_ssl, cmd_set_ssl, NULL, "--bootstrap", RW},
 {NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, RO},
 };
diff --git a/tutorial/ovs-sandbox b/tutorial/ovs-sandbox
index 3da1c48a5..a03018a68 100755
--- a/tutorial/ovs-sandbox
+++ b/tutorial/ovs-sandbox
@@ -350,6 +350,8 @@ if $ovn; then
 --private-key=db:OVN_Northbound,SSL,private_key \
 --certificate=db:OVN_Northbound,SSL,certificate \
 --ca-cert=db:OVN_Northbound,SSL,ca_cert \
+ --ssl-protocols=db:OVN_Northbound,SSL,ssl_protocols \
+ --ssl-ciphers=db:OVN_Northbound,SSL,ssl_ciphers \
 --remote=punix:"$sandbox"/ovnnb_db.sock $ovsdb_nb_server_args
 rungdb $gdb_ovsdb $gdb_ovsdb_ex ovsdb-server --detach --no-chdir \
 --pidfile="$sandbox"/ovnsb_db.pid -vconsole:off \
@@ -358,6 +360,8 @@ if $ovn; then
 --private-key=db:OVN_Southbound,SSL,private_key \
 --certificate=db:OVN_Southbound,SSL,certificate \
 --ca-cert=db:OVN_Southbound,SSL,ca_cert \
+ --ssl-protocols=db:OVN_Southbound,SSL,ssl_protocols \
+ --ssl-ciphers=db:OVN_Southbound,SSL,ssl_ciphers \
 --remote=punix:"$sandbox"/ovnsb_db.sock $ovsdb_sb_server_args
 # Start SB back up server
 rungdb $gdb_ovsdb $gdb_ovsdb_ex ovsdb-server --detach --no-chdir \
-- 
cgit v1.2.1