[ovs-dev] [PATCH] stream-ssl: Don't enable new TLS versions by default

Ben Pfaff blp at ovn.org
Sat Aug 4 00:09:55 UTC 2018


On Fri, Jul 27, 2018 at 04:29:40PM +0200, Timothy Redaelli wrote:
> Currently protocol_flags is populated by the list of SSL and TLS
> protocols by hand. This means that when a new TLS version is added to
> openssl (in this case TLS v1.3 is added to openssl 1.1.1 beta)
> ovsdb-server automatically enables support for it with the default ciphers.
> This can be a security problem (since other ciphers can be enabled) and it
> also makes a test (SSL db: implementation) fail.
> 
> This commit changes the 'protocol_flags' to use the list of all protocol
> flags as provided by openssl library (SSL_OP_NO_SSL_MASK) so there is no
> need to keep the list updated by hand.
> 
> Signed-off-by: Timothy Redaelli <tredaelli at redhat.com>

Thanks, applied to master and backported as far as branch-2.7.

