ovn: ssl proto/cipher configuration in nb/sb db

Add SSL protocol and cipher columns to SSL tables in northbound and southbound databases. Start nb/sb ovsdb-server with command- line options to use these columns. Add support to ovn-nbctl and ovn-sbctl "set-ssl" commands for user-friendly management of these settings. Signed-off-by: Lance Richardson <[email protected]> Signed-off-by: Ben Pfaff <[email protected]>
qlw · Jun 7, 2017 · 51af591 · 51af591
1 parent 6cf5c52
commit 51af591
Show file tree

Hide file tree

Showing 10 changed files with 64 additions and 10 deletions.
diff --git a/ovn/ovn-nb.ovsschema b/ovn/ovn-nb.ovsschema
@@ -1,7 +1,7 @@
 {
     "name": "OVN_Northbound",
     "version": "5.6.0",
-    "cksum": "1358108512 15019",
+    "cksum": "2552205612 15123",
     "tables": {
         "NB_Global": {
             "columns": {
@@ -287,6 +287,8 @@
                 "certificate": {"type": "string"},
                 "ca_cert": {"type": "string"},
                 "bootstrap_ca_cert": {"type": "boolean"},
+                "ssl_protocols": {"type": "string"},
+                "ssl_ciphers": {"type": "string"},
                 "external_ids": {"type": {"key": "string",
                                           "value": "string",
                                           "min": 0,

diff --git a/ovn/ovn-nb.xml b/ovn/ovn-nb.xml
@@ -2084,6 +2084,17 @@
       CA certificate.</em>  It may still be useful for bootstrapping.
     </column>
 
+    <column name="ssl_protocols">
+      List of SSL protocols to be enabled for SSL connections. The default
+      when this option is omitted is <code>TLSv1,TLSv1.1,TLSv1.2</code>.
+    </column>
+
+    <column name="ssl_ciphers">
+      List of ciphers (in OpenSSL cipher string format) to be supported
+      for SSL connections. The default when this option is omitted is
+      <code>HIGH:!aNULL:!MD5</code>.
+    </column>
+
     <group title="Common Columns">
       The overall purpose of these columns is described under <code>Common
       Columns</code> at the beginning of this document.

diff --git a/ovn/ovn-sb.ovsschema b/ovn/ovn-sb.ovsschema
@@ -1,7 +1,7 @@
 {
     "name": "OVN_Southbound",
     "version": "1.12.1",
-    "cksum": "1914140659 10905",
+    "cksum": "761192506 11009",
     "tables": {
         "SB_Global": {
             "columns": {
@@ -201,6 +201,8 @@
                 "certificate": {"type": "string"},
                 "ca_cert": {"type": "string"},
                 "bootstrap_ca_cert": {"type": "boolean"},
+                "ssl_protocols": {"type": "string"},
+                "ssl_ciphers": {"type": "string"},
                 "external_ids": {"type": {"key": "string",
                                           "value": "string",
                                           "min": 0,

diff --git a/ovn/ovn-sb.xml b/ovn/ovn-sb.xml
@@ -2779,6 +2779,17 @@ tcp.flags = RST;
       CA certificate.</em>  It may still be useful for bootstrapping.
     </column>
 
+    <column name="ssl_protocols">
+      List of SSL protocols to be enabled for SSL connections. The default
+      when this option is omitted is <code>TLSv1,TLSv1.1,TLSv1.2</code>.
+    </column>
+
+    <column name="ssl_ciphers">
+      List of ciphers (in OpenSSL cipher string format) to be supported
+      for SSL connections. The default when this option is omitted is
+      <code>HIGH:!aNULL:!MD5</code>.
+    </column>
+
     <group title="Common Columns">
       The overall purpose of these columns is described under <code>Common
       Columns</code> at the beginning of this document.

diff --git a/ovn/utilities/ovn-ctl b/ovn/utilities/ovn-ctl
@@ -108,6 +108,8 @@ start_nb_ovsdb() {
         set "$@" --private-key=db:OVN_Northbound,SSL,private_key
         set "$@" --certificate=db:OVN_Northbound,SSL,certificate
         set "$@" --ca-cert=db:OVN_Northbound,SSL,ca_cert
+        set "$@" --ssl-protocols=db:OVN_Northbound,SSL,ssl_protocols
+        set "$@" --ssl-ciphers=db:OVN_Northbound,SSL,ssl_ciphers
 
         if test X"$DB_NB_CREATE_INSECURE_REMOTE" = Xyes; then
             set "$@" --remote=ptcp:$DB_NB_PORT:$DB_NB_ADDR
@@ -141,6 +143,8 @@ start_sb_ovsdb() {
         set "$@" --private-key=db:OVN_Southbound,SSL,private_key
         set "$@" --certificate=db:OVN_Southbound,SSL,certificate
         set "$@" --ca-cert=db:OVN_Southbound,SSL,ca_cert
+        set "$@" --ssl-protocols=db:OVN_Southbound,SSL,ssl_protocols
+        set "$@" --ssl-ciphers=db:OVN_Southbound,SSL,ssl_ciphers
 
         if test X"$DB_SB_CREATE_INSECURE_REMOTE" = Xyes; then
             set "$@" --remote=ptcp:$DB_SB_PORT:$DB_SB_ADDR

diff --git a/ovn/utilities/ovn-nbctl.8.xml b/ovn/utilities/ovn-nbctl.8.xml
@@ -796,7 +796,9 @@
       Deletes the current SSL configuration.
       </dd>
 
-      <dt>[<code>--bootstrap</code>] <code>set-ssl</code> <var>private-key</var> <var>certificate</var> <var>ca-cert</var></dt>
+      <dt>[<code>--bootstrap</code>] <code>set-ssl</code>
+         <var>private-key</var> <var>certificate</var> <var>ca-cert</var>
+         [<var>ssl-protocol-list</var> [<var>ssl-cipher-list</var>]]</dt>
       <dd>
       Sets the SSL configuration.
       </dd>

diff --git a/ovn/utilities/ovn-nbctl.c b/ovn/utilities/ovn-nbctl.c
@@ -430,7 +430,8 @@ Connection commands:\n\
 SSL commands:\n\
   get-ssl                     print the SSL configuration\n\
   del-ssl                     delete the SSL configuration\n\
-  set-ssl PRIV-KEY CERT CA-CERT  set the SSL configuration\n\
+  set-ssl PRIV-KEY CERT CA-CERT [SSL-PROTOS [SSL-CIPHERS]] \
+set the SSL configuration\n\
 \n\
 %s\
 \n\
@@ -3069,6 +3070,13 @@ cmd_set_ssl(struct ctl_context *ctx)
 
     nbrec_ssl_set_bootstrap_ca_cert(ssl, bootstrap);
 
+    if (ctx->argc == 5) {
+        nbrec_ssl_set_ssl_protocols(ssl, ctx->argv[4]);
+    } else if (ctx->argc == 6) {
+        nbrec_ssl_set_ssl_protocols(ssl, ctx->argv[4]);
+        nbrec_ssl_set_ssl_ciphers(ssl, ctx->argv[5]);
+    }
+
     nbrec_nb_global_set_ssl(nb_global, ssl);
 }
 
@@ -3463,8 +3471,9 @@ static const struct ctl_command_syntax nbctl_commands[] = {
     /* SSL commands. */
     {"get-ssl", 0, 0, "", pre_cmd_get_ssl, cmd_get_ssl, NULL, "", RO},
     {"del-ssl", 0, 0, "", pre_cmd_del_ssl, cmd_del_ssl, NULL, "", RW},
-    {"set-ssl", 3, 3, "PRIVATE-KEY CERTIFICATE CA-CERT", pre_cmd_set_ssl,
-     cmd_set_ssl, NULL, "--bootstrap", RW},
+    {"set-ssl", 3, 5,
+        "PRIVATE-KEY CERTIFICATE CA-CERT [SSL-PROTOS [SSL-CIPHERS]]",
+        pre_cmd_set_ssl, cmd_set_ssl, NULL, "--bootstrap", RW},
 
     {NULL, 0, 0, NULL, NULL, NULL, NULL, "", RO},
 };

diff --git a/ovn/utilities/ovn-sbctl.8.in b/ovn/utilities/ovn-sbctl.8.in
@@ -246,7 +246,7 @@ Prints the SSL configuration.
 .IP "\fBdel\-ssl\fR"
 Deletes the current SSL configuration.
 .
-.IP "[\fB\-\-bootstrap\fR] \fBset\-ssl\fR \fIprivate-key\fR \fIcertificate\fR \fIca-cert\fR"
+.IP "[\fB\-\-bootstrap\fR] \fBset\-ssl\fR \fIprivate-key\fR \fIcertificate\fR \fIca-cert\fR [\fIssl-protocol-list\fR [\fIssl-cipher-list\fR]]"
 Sets the SSL configuration.  The \fB\-\-bootstrap\fR option is described
 below.
 .

diff --git a/ovn/utilities/ovn-sbctl.c b/ovn/utilities/ovn-sbctl.c
@@ -319,7 +319,8 @@ Connection commands:\n\
 SSL commands:\n\
   get-ssl                     print the SSL configuration\n\
   del-ssl                     delete the SSL configuration\n\
-  set-ssl PRIV-KEY CERT CA-CERT  set the SSL configuration\n\
+  set-ssl PRIV-KEY CERT CA-CERT [SSL-PROTOS [SSL-CIPHERS]] \
+set the SSL configuration\n\
 \n\
 %s\
 \n\
@@ -1114,6 +1115,13 @@ cmd_set_ssl(struct ctl_context *ctx)
 
     sbrec_ssl_set_bootstrap_ca_cert(ssl, bootstrap);
 
+    if (ctx->argc == 5) {
+        sbrec_ssl_set_ssl_protocols(ssl, ctx->argv[4]);
+    } else if (ctx->argc == 6) {
+        sbrec_ssl_set_ssl_protocols(ssl, ctx->argv[4]);
+        sbrec_ssl_set_ssl_ciphers(ssl, ctx->argv[5]);
+    }
+
     sbrec_sb_global_set_ssl(sb_global, ssl);
 }
 
@@ -1407,8 +1415,9 @@ static const struct ctl_command_syntax sbctl_commands[] = {
     /* SSL commands. */
     {"get-ssl", 0, 0, "", pre_cmd_get_ssl, cmd_get_ssl, NULL, "", RO},
     {"del-ssl", 0, 0, "", pre_cmd_del_ssl, cmd_del_ssl, NULL, "", RW},
-    {"set-ssl", 3, 3, "PRIVATE-KEY CERTIFICATE CA-CERT", pre_cmd_set_ssl,
-     cmd_set_ssl, NULL, "--bootstrap", RW},
+    {"set-ssl", 3, 5,
+        "PRIVATE-KEY CERTIFICATE CA-CERT [SSL-PROTOS [SSL-CIPHERS]]",
+        pre_cmd_set_ssl, cmd_set_ssl, NULL, "--bootstrap", RW},
 
     {NULL, 0, 0, NULL, NULL, NULL, NULL, NULL, RO},
 };

diff --git a/tutorial/ovs-sandbox b/tutorial/ovs-sandbox
@@ -350,6 +350,8 @@ if $ovn; then
         --private-key=db:OVN_Northbound,SSL,private_key \
         --certificate=db:OVN_Northbound,SSL,certificate \
         --ca-cert=db:OVN_Northbound,SSL,ca_cert \
+        --ssl-protocols=db:OVN_Northbound,SSL,ssl_protocols \
+        --ssl-ciphers=db:OVN_Northbound,SSL,ssl_ciphers \
         --remote=punix:"$sandbox"/ovnnb_db.sock $ovsdb_nb_server_args
     rungdb $gdb_ovsdb $gdb_ovsdb_ex ovsdb-server --detach --no-chdir \
         --pidfile="$sandbox"/ovnsb_db.pid -vconsole:off \
@@ -358,6 +360,8 @@ if $ovn; then
         --private-key=db:OVN_Southbound,SSL,private_key \
         --certificate=db:OVN_Southbound,SSL,certificate \
         --ca-cert=db:OVN_Southbound,SSL,ca_cert \
+        --ssl-protocols=db:OVN_Southbound,SSL,ssl_protocols \
+        --ssl-ciphers=db:OVN_Southbound,SSL,ssl_ciphers \
         --remote=punix:"$sandbox"/ovnsb_db.sock $ovsdb_sb_server_args
     # Start SB back up server
     rungdb $gdb_ovsdb $gdb_ovsdb_ex ovsdb-server --detach --no-chdir \