[ovs-discuss] Problem initiating TLS 1.2 hello from OVS client to NOX controller

Singhal, Abhinav Abhinav.Singhal at spirent.com
Thu Jul 10 18:21:14 UTC 2014


Thanks a lot for spending time on it, Ben.

I might be wrong here, but I'll still mention it: I saw your patch and noticed that you replaced the version-specific API with the more generic SSLv23_method(). From what I read online, SSLv23_method() works fine when run on the server side, i.e., it enables the server to accept requests from clients running different SSL versions. However, when this generic API is run on the client side (and this is the part where I might be wrong/not confident enough), it PROBABLY does not initiate the hello using the latest SSL version it is running.

In this document: http://h71000.www7.hp.com/doc/83final/ba554_90007/ch04s03.html under the section 'Creating and Setting Up the SSL Context Structure (SSL_CTX)', it says: 'However, the SSL client using the SSLv23 method cannot establish connection with the SSL server with the SSLv3/TLSv1 method because SSLv2 hello message is sent by the client'. There is a possibility that the latest version of the code probably sends out a TLSv1 hello even if the libs support a higher version, not sure though!

In this thread: http://openssl.6102.n7.nabble.com/FW-Negotiating-TLS-1-0-from-1-2-td39516.html , one of the comments says: 'What confused me was that the docs for SSLv23_client_method() say "A client will send out SSLv2 client hello messages".  It does not say that when you use SSL_OP_NO_SSLv2 that it actually sends a TLS 1.0 handshake message (as long as any TLS version is allowed but even if SSLv3 is enabled).  So in my case SSLv23_client_method() with SSL_OP_NO_SSLv2 and SSL_OP_NO_SSLv3 does the trick'. So what he is saying here is that a TLS 1.0 hello is sent by this API as long as 'any TLS version' is allowed. Probably something to look into?

Thanks again for your time though.


Regards,
Abhinav
-----Original Message-----
From: Ben Pfaff [mailto:blp at nicira.com] 
Sent: Thursday, July 10, 2014 1:46 PM
To: Singhal, Abhinav
Cc: discuss at openvswitch.org
Subject: Re: [ovs-discuss] Problem initiating TLS 1.2 hello from OVS client to NOX controller

I don't know.  OpenSSL sucks.

I've inquired on twitter, perhaps someone will respond:
https://twitter.com/Ben_Pfaff/status/487291490545065985

On Wed, Jun 25, 2014 at 09:29:31PM +0000, Singhal, Abhinav wrote:
> Hi Ben,
> 
> Thanks for the prompt response. I downloaded the latest snapshot of the source today (210ba96.tar.gz) and built it. When this new OVS initiates a SSL connection to the controller, it still uses TLS 1.0 to send the hello. Can you please verify that the fix in place is working correctly?
> 
> Regards,
> Abhinav
> 
> -----Original Message-----
> From: Ben Pfaff [mailto:blp at nicira.com]
> Sent: Thursday, June 12, 2014 7:08 PM
> To: Singhal, Abhinav
> Cc: discuss at openvswitch.org
> Subject: Re: [ovs-discuss] Problem initiating TLS 1.2 hello from OVS client to NOX controller
> 
> On Thu, Jun 12, 2014 at 09:26:42PM +0000, Singhal, Abhinav wrote:
> > I have OVS (1.11.0) and the OpenSSL (1.0.1e-fips) installed on a VM. 
> > I checked the OpenSSL release notes and it says that the version I 
> > am using supports TLS 1.2. My NOX controller is running in passive 
> > TLS mode. Problem is, when my OVS initiates a SSL connection to the 
> > controller, it uses TLS 1.0. My questions are: a). Will OpenSSL 
> > always initiate the TLS handshake using the highest available SSL 
> > version (which ideally means TLS 1.2 in this case)?  b). If no, then 
> > what other changes have to be made in order for the OVS to send out 
> > TLS 1.2 hello?
> 
> It's a bug.  I sent out a fix:
>         http://openvswitch.org/pipermail/dev/2014-June/041549.html
> 
> > Thanks in advance.
> > Abhinav
> > E-mail confidentiality.
> 
> It's a public mailing list, there is no confidentiality.
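The whole thread turns on one observable fact: which version the OVS client's ClientHello actually advertises on the wire. As an added illustration that is not part of this thread, of OVS, or of OpenSSL, here is a small Python parser that extracts exactly that from a captured ClientHello record (legacy client_version field plus the TLS 1.3 supported_versions extension, type 43). The sample hellos it checks against are constructed inside the block, not captured from OVS.

```python
import struct

VERSION_NAMES = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1",
                 (3, 3): "TLS 1.2", (3, 4): "TLS 1.3"}


def build_client_hello(client_version, supported_versions=None):
    """Construct a minimal ClientHello record (constructed sample, not a
    capture). client_version fills the legacy version field; the optional
    supported_versions list becomes extension 43 as TLS 1.3 clients send."""
    body = bytes(client_version) + b"\x00" * 32        # version + random
    body += b"\x00"                                    # empty session id
    body += struct.pack("!H", 2) + b"\xc0\x2f"         # one cipher suite
    body += b"\x01\x00"                                # null compression only
    exts = b""
    if supported_versions:
        vers = b"".join(bytes(v) for v in supported_versions)
        exts = struct.pack("!HHB", 43, len(vers) + 1, len(vers)) + vers
    body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake header
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # record header


def parse_client_hello(data):
    """Report which versions a ClientHello advertises: the record-layer
    version, the legacy client_version field, the supported_versions
    extension (if present) and the highest version a server could select."""
    if len(data) < 9 or data[0] != 0x16 or data[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    hs_len = int.from_bytes(data[6:9], "big")
    hello = data[9:9 + hs_len]
    client_version = (hello[0], hello[1])
    pos = 2 + 32                                       # skip random
    pos += 1 + hello[pos]                              # skip session id
    pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]  # skip cipher suites
    pos += 1 + hello[pos]                              # skip compression methods
    supported = []
    if pos + 2 <= len(hello):                          # extensions are optional
        end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            if etype == 43:                            # supported_versions
                n = hello[pos]
                supported = [tuple(hello[pos + 1 + i:pos + 3 + i]) for i in range(0, n, 2)]
            pos += elen
    highest = max(supported) if supported else client_version
    return {"record_version": VERSION_NAMES.get((data[1], data[2])),
            "client_version": VERSION_NAMES.get(client_version),
            "supported_versions": [VERSION_NAMES.get(v) for v in supported],
            "highest_offered": VERSION_NAMES.get(highest)}
```

A hello whose client_version reads TLS 1.0 with no supported_versions extension, as the thread describes seeing, can only ever negotiate TLS 1.0; a pre-1.3 client that wants TLS 1.2 must put 3.3 in that field.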

