stream-ssl: Remove support for deprecated TLSv1 and TLSv1.1.

igsilya · igsilya · commit 7b4d3137a133 · 2025-02-28T17:19:41.000+01:00
TLSv1 and TLSv1.1 are officially deprecated by RFC 8996 since March of 2021: https://datatracker.ietf.org/doc/rfc8996/ Both protocols should not generally be used (RFC says MUST NOT) and are being actively removed from support by major distributions and libraries. They were deprecated and disabled by default in OVS 3.5 with the following commit: 923a80d ("stream-ssl: Deprecate and disable TLSv1 and TLSv1.1.") It's time to fully remove the support for these protocols. Some infrastructure and parts of the documentation look a little awkward since we're only supporting 2 versions of TLS now, so I tried to re-word the text a little. But I kept the code intact so we can easily add new versions when they appear or deprecate TLSv1.2 when the time comes, even though it may not be soon. Acked-by: Eelco Chaudron <echaudro@redhat.com> Acked-by: Kevin Traynor <ktraynor@redhat.com> Signed-off-by: Ilya Maximets <i.maximets@ovn.org>
diff --git a/NEWS b/NEWS
@@ -5,6 +5,9 @@ Post-v3.5.0
    - ovs-ctl:
      * Added a new option, --oom-score=<score>, to set the daemons' Linux
        Out-Of-Memory (OOM) killer score.
+   - SSL/TLS:
+     * Support for deprecated TLSv1 and TLSv1.1 protocols on OpenFlow and
+       database connections is now removed.
    - Tunnels:
      * Support for previously deprecated LISP and STT tunnel port types
        is now removed.
diff --git a/lib/ssl-connect.man b/lib/ssl-connect.man
@@ -1,24 +1,24 @@
 .IP "\fB\-\-ssl\-protocols=\fIprotocols\fR"
 Specifies a range or a comma- or space-delimited list of the SSL/TLS protocols
-\fB\*(PN\fR will enable for SSL/TLS connections.  Supported
-\fIprotocols\fR include \fBTLSv1\fR (deprecated), \fBTLSv1.1\fR (deprecated),
-\fBTLSv1.2\fR and \fBTLSv1.3\fR.  Ranges can be provided in a form of two
-protocol names separated with a dash, or as a single protocol name with a plus
-sign.  For example, use \fBTLSv1.1-TLSv1.3\fR to allow \fBTLSv1.1\fR,
-\fBTLSv1.2\fR and \fBTLSv1.3\fR.  Use \fBTLSv1.2+\fR to allow \fBTLSv1.2\fR and
-any later protocol.  The option accepts a list of protocols or exactly one
-range.  The range is a preferred way of specifying protocols and the option
-always behaves as if the range between the minimum and the maximum specified
-version is provided, i.e., if the option is set to \fBTLSv1.1,TLSv1.3\fR, the
-\fBTLSv1.2\fR will also be enabled as if it was a range.
+\fB\*(PN\fR will enable for SSL/TLS connections.  Supported \fIprotocols\fR
+include \fBTLSv1.2\fR and \fBTLSv1.3\fR.
+Ranges can be provided in a form of two protocol names separated with a dash,
+or as a single protocol name with a plus sign.  For example, use
+\fBTLSv1.2-TLSv1.3\fR to allow \fBTLSv1.2\fR and \fBTLSv1.3\fR.  Use
+\fBTLSv1.2+\fR to allow \fBTLSv1.2\fR and any later protocol.
+The option accepts a list of protocols or exactly one range.  The
+range is a preferred way of specifying protocols and the option always behaves
+as if the range between the minimum and the maximum specified version is
+provided, i.e., if the option is set to \fBTLSv1.X,TLSv1.(X+2)\fR, the
+\fBTLSv1.(X+1)\fR will also be enabled as if it was a range.
 Regardless of order, the highest protocol supported by both sides will
 be chosen when making the connection.  The default when this option is
 omitted is \fBTLSv1.2\fR or later.
 .
 .IP "\fB\-\-ssl\-ciphers=\fIciphers\fR"
 Specifies, in OpenSSL cipher string format, the ciphers \fB\*(PN\fR will
-support for SSL/TLS connections with TLSv1.2 and earlier.  The default when
-this option is omitted is \fBDEFAULT:@SECLEVEL=2\fR.
+support for SSL/TLS connections with TLSv1.2.
+The default when this option is omitted is \fBDEFAULT:@SECLEVEL=2\fR.
 .
 .IP "\fB\-\-ssl\-ciphersuites=\fIciphersuites\fR"
 Specifies, in OpenSSL ciphersuite string format, the ciphersuites
diff --git a/lib/stream-ssl.c b/lib/stream-ssl.c
@@ -1221,7 +1221,7 @@ stream_ssl_set_key_and_cert(const char *private_key_file,
     }
 }
 
-/* Sets SSL/TLS ciphers for TLSv1.2 and earlier based on string input.
+/* Sets SSL/TLS ciphers for TLSv1.2 based on string input.
  * Aborts with an error message if 'arg' is not valid. */
 void
 stream_ssl_set_ciphers(const char *arg)
@@ -1267,8 +1267,6 @@ stream_ssl_set_protocols(const char *arg)
         bool deprecated;
     } protocols[] = {
         {"later",   0 /* any version */, false},
-        {"TLSv1",   TLS1_VERSION,        true },
-        {"TLSv1.1", TLS1_1_VERSION,      true },
         {"TLSv1.2", TLS1_2_VERSION,      false},
         {"TLSv1.3", TLS1_3_VERSION,      false},
     };
diff --git a/lib/stream.c b/lib/stream.c
@@ -161,7 +161,7 @@ stream_usage(const char *name, bool active, bool passive,
     printf("SSL/TLS options:\n"
            "  --ssl-protocols=PROTOS    range of SSL/TLS protocols to enable\n"
            "  --ssl-ciphers=CIPHERS     list of SSL/TLS ciphers to enable\n"
-           "                            with TLSv1.2 and earlier\n"
+           "                            with TLSv1.2\n"
            "  --ssl-ciphersuites=SUITES list of SSL/TLS ciphersuites to\n"
            "                            enable with TLSv1.3 and later\n");
 #endif
diff --git a/tests/ovsdb-server.at b/tests/ovsdb-server.at
@@ -912,17 +912,6 @@ AT_CHECK_UNQUOTED(
   [[@<:@{"rows":@<:@{"private_key":"$PKIDIR/testpki-privkey2.pem"}@:>@}@:>@
 ]], [ignore])
 
-# Check that, when the server has TLSv1.2+ and the client has
-# TLSv1.1, connection fails.
-AT_CHECK(SSL_OVSDB_CLIENT([TLSv1.1]), [1], [stdout], [stderr])
-cat stderr > output
-AT_CHECK_UNQUOTED(
-  [sed -n "/failed to connect/s/ (.*)//p" output], [0],
-  [ovsdb-client: failed to connect to "ssl:127.0.0.1:$SSL_PORT"
-], 
-  [ignore])
-AT_CHECK([grep -q 'TLSv1.1 protocol is deprecated' output])
-AT_CHECK([grep -q 'Enabled protocol range: TLSv1.1 - TLSv1.1' stderr])
 # Check that when ciphers are not compatible, a negotiation
 # failure occurs.
 AT_CHECK(SSL_OVSDB_CLIENT([TLSv1.2], [ECDHE-ECDSA-AES256-GCM-SHA384]),
@@ -954,22 +943,100 @@ AT_CHECK_UNQUOTED(
 AT_CHECK([grep -q -E "(sslv3|ssl/tls) alert handshake failure" output])
 
 # Checking parsing of different protocol ranges.
-AT_CHECK(SSL_OVSDB_CLIENT([TLSv1.1,TLSv1.3]), [0], [stdout], [stderr])
-AT_CHECK([grep -q 'Enabled protocol range: TLSv1.1 - TLSv1.3' stderr])
-AT_CHECK([grep -q \
-            'TLSv1.2 is not configured, but will be enabled anyway' stderr])
-AT_CHECK(SSL_OVSDB_CLIENT([TLSv1.1-TLSv1.3]), [0], [stdout], [stderr])
-AT_CHECK([grep -q 'Enabled protocol range: TLSv1.1 - TLSv1.3' stderr])
-AT_CHECK([grep -q 'will be enabled anyway' stderr], [1])
-AT_CHECK(SSL_OVSDB_CLIENT([TLSv1.3-TLSv1.1]), [0], [stdout], [stderr])
-AT_CHECK([grep -q 'Enabled protocol range: TLSv1.1 - TLSv1.3' stderr])
-AT_CHECK([grep -q 'will be enabled anyway' stderr], [1])
+AT_CHECK(SSL_OVSDB_CLIENT([TLSv1.2,TLSv1.3]), [0], [stdout], [stderr])
+AT_CHECK([grep -q 'Enabled protocol range: TLSv1.2 - TLSv1.3' stderr])
+AT_CHECK(SSL_OVSDB_CLIENT([TLSv1.2-TLSv1.3]), [0], [stdout], [stderr])
+AT_CHECK([grep -q 'Enabled protocol range: TLSv1.2 - TLSv1.3' stderr])
+AT_CHECK(SSL_OVSDB_CLIENT([TLSv1.3-TLSv1.2]), [0], [stdout], [stderr])
+AT_CHECK([grep -q 'Enabled protocol range: TLSv1.2 - TLSv1.3' stderr])
 AT_CHECK(SSL_OVSDB_CLIENT([TLSv1.3+]), [0], [stdout], [stderr])
 AT_CHECK([grep -q 'Enabled protocol range: TLSv1.3 or later' stderr])
 AT_CHECK(SSL_OVSDB_CLIENT([TLSv1.2-TLSv1.3,TLSv1.3+]), [0], [stdout], [stderr])
 AT_CHECK([grep -q 'SSL/TLS protocol not recognized' stderr])
 AT_CHECK(SSL_OVSDB_CLIENT([TLSv1.2+TLSv1.3]), [0], [stdout], [stderr])
 AT_CHECK([grep -q 'SSL/TLS protocol not recognized' stderr])
+AT_CHECK(SSL_OVSDB_CLIENT([TLSv1+]), [0], [stdout], [stderr])
+AT_CHECK([grep -q 'SSL/TLS protocol not recognized' stderr])
+AT_CHECK(SSL_OVSDB_CLIENT([TLSv1.1]), [0], [stdout], [stderr])
+AT_CHECK([grep -q 'SSL/TLS protocol not recognized' stderr])
+
+OVSDB_SERVER_SHUTDOWN(["
+  /stream_ssl|WARN/d
+  /Protocol error/d
+"])
+AT_CLEANUP
+
+AT_SETUP([SSL/TLS db: implementation (TLSv1.3 only)])
+AT_KEYWORDS([ovsdb server positive ssl tls $5])
+AT_SKIP_IF([test "$HAVE_OPENSSL" = no])
+# For this test, we pass PKIDIR through a ovsdb-tool transact and
+# msys on Windows does not convert the path style automatically.
+# So, do that forcefully with a 'pwd -W' (called through pwd() function).
+PKIDIR="$(cd $abs_top_builddir/tests && pwd)"
+AT_SKIP_IF([expr "$PKIDIR" : ".*[[       '\"
+\\]]"])
+AT_DATA([schema],
+  [[{"name": "mydb",
+     "tables": {
+       "SSL": {
+         "columns": {
+           "private_key": {"type": "string"},
+           "certificate": {"type": "string"},
+           "ca_cert": {"type": "string"},
+           "ssl_protocols" : {"type": "string"},
+           "ssl_ciphers" : {"type" : "string"},
+           "ssl_ciphersuites" : {"type": "string"}
+         }}}}
+]])
+AT_CHECK([ovsdb-tool create db schema], [0], [stdout], [ignore])
+AT_CHECK(
+  [[ovsdb-tool transact db \
+     '["mydb",
+       {"op": "insert",
+        "table": "SSL",
+        "row": {"private_key": "'"$PKIDIR/testpki-privkey2.pem"'",
+                "certificate": "'"$PKIDIR/testpki-cert2.pem"'",
+                "ca_cert": "'"$PKIDIR/testpki-cacert.pem"'",
+                "ssl_protocols": "'"TLSv1.3"'"
+               }}]']],
+  [0], [ignore], [ignore])
+on_exit 'kill `cat *.pid`'
+AT_CHECK(
+  [ovsdb-server --log-file --detach --no-chdir --pidfile \
+        --private-key=db:mydb,SSL,private_key \
+        --certificate=db:mydb,SSL,certificate \
+        --ca-cert=db:mydb,SSL,ca_cert \
+        --ssl-protocols=db:mydb,SSL,ssl_protocols \
+        --ssl-ciphers=db:mydb,SSL,ssl_ciphers \
+        --ssl-ciphersuites=db:mydb,SSL,ssl_ciphersuites \
+        --remote=pssl:0:127.0.0.1 db],
+  [0], [ignore], [ignore])
+PARSE_LISTENING_PORT([ovsdb-server.log], [SSL_PORT])
+
+# SSL_OVSDB_CLIENT(PROTOCOL)
+m4_define([SSL_OVSDB_CLIENT], [dnl
+  ovsdb-client -vconsole:stream_ssl:dbg \
+    --private-key=$PKIDIR/testpki-privkey.pem \
+    --certificate=$PKIDIR/testpki-cert.pem \
+    --ca-cert=$PKIDIR/testpki-cacert.pem \
+    --ssl-protocols=[$1] \
+    transact ssl:127.0.0.1:$SSL_PORT \
+    '[[["mydb",
+      {"op": "select",
+       "table": "SSL",
+       "where": [],
+       "columns": ["private_key"]}]]]'])
+
+# Check that, when the server has TLSv1.3 and the client has
+# TLSv1.2, connection fails.
+AT_CHECK(SSL_OVSDB_CLIENT([TLSv1.2]), [1], [stdout], [stderr])
+cat stderr > output
+AT_CHECK_UNQUOTED(
+  [sed -n "/failed to connect/s/ (.*)//p" output], [0],
+  [ovsdb-client: failed to connect to "ssl:127.0.0.1:$SSL_PORT"
+],
+  [ignore])
+AT_CHECK([grep -q 'Enabled protocol range: TLSv1.2 - TLSv1.2' stderr])
 
 OVSDB_SERVER_SHUTDOWN(["
   /stream_ssl|WARN/d
