[ovs-discuss] enforce TLSv1.2 in OVN

Lance Richardson lrichard at redhat.com
Tue Jun 6 16:26:21 UTC 2017

> From: "Dominik Holler" <dholler at redhat.com>
> To: ovs-discuss at openvswitch.org
> Cc: "Lance Richardson" <lrichard at redhat.com>, "Numan Siddique" <nusiddiq at redhat.com>, "Marcin Mirecki"
> <mmirecki at redhat.com>, "Dan Kenigsberg" <danken at redhat.com>
> Sent: Tuesday, 6 June, 2017 11:30:07 AM
> Subject: enforce TLSv1.2 in OVN
> Hello,
> We want to ensure that OVN uses only TLSv1.2, but not TLSv1 or TLSv1.1
> in our scenario.
> There are multiple connections identified to be relevant:
> - The tunneling data connection between the hypervisors/chassis, like
>   geneve listening on UDP port 6081.
> - The meta data connections:
>  - The connections to the OVN Southbound DB, which is hosted by
>    ovsdb-server and listening typically on TCP port 6642. Connections
>    may be initiated from the ovn-controllers and ovn-northd.
>  - The connections to the OVN Northbound DB, which is hosted by
>    ovsdb-server and listening typically on TCP port 6641. Connections
>    may be initiated by the Cloud Management System and ovn-northd.
> Is it correct that encryption is not supported at all for the tunneling
> data connection?

That's correct. There has been some recent work to support the use of
IPSec for tunnel encryption, but as far as I know no one has investigated
using IPSec with OVN tunnels. If there is a need for this, we could
look into it. See:


> For the meta data connections ovsdb-server acts as the server.
> ovsdb-server has the command line option --ssl-protocols, but I do not
> understand how to apply this. ovsdb-server seems to be started by
> ovn-ctl, but I do not recognize a way to utilize ovn-ctl to
> pass the --ssl-protocols option.
> How should the --ssl-protocols option be passed to ovsdb-server?

I think we'll need to add a new option to ovn-ctl to allow this option
to be specified.

I also think we should allow the --ssl-protocols configuration to be
stored in the ovsdb database and have support in ovn-nbctl/ovn-sbctl
etc. for setting it.

I'll go ahead and start working on that; it would be good if you could
open a BZ for tracking the upstream and backport work.

> Thanks and regards
> Dominik
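As an added illustration of the ovsdb-server side of this thread (not part of the original exchange, and not OVN project code): a small POSIX shell script that composes an ovsdb-server command line for one of the meta data databases with `--ssl-protocols=TLSv1.2`, so that TLSv1 and TLSv1.1 are left out of the enabled set, and then probes the listener with `openssl s_client` at each protocol version to confirm the restriction took effect. The database and PKI file paths, the key and certificate file names, and the presence of an `openssl` binary on the host are assumptions; the ports 6641 and 6642 are the ones named in the thread.

```shell
#!/bin/sh
# Added example, not from the ovs-discuss thread. Starts ovsdb-server for
# an OVN database with only TLSv1.2 enabled and verifies the listener.
# All file paths below are assumptions for illustration.

NB_DB=/etc/openvswitch/ovnnb_db.db   # assumed Northbound DB file
SB_DB=/etc/openvswitch/ovnsb_db.db   # assumed Southbound DB file
PKI_DIR=/etc/openvswitch             # assumed location of key and certs

# Compose the ovsdb-server command line for one database.
# --ssl-protocols takes a comma-separated list of enabled versions; naming
# only TLSv1.2 means TLSv1 and TLSv1.1 are not offered to clients.
# Arguments: <pssl port> <database file>
ovsdb_server_cmd() {
    port="$1"
    db="$2"
    printf '%s' "ovsdb-server $db" \
        " --remote=pssl:$port" \
        " --private-key=$PKI_DIR/privkey.pem" \
        " --certificate=$PKI_DIR/cert.pem" \
        " --ca-cert=$PKI_DIR/cacert.pem" \
        " --ssl-protocols=TLSv1.2"
}

# Try a handshake at one protocol version. Returns 0 when the handshake
# completed (a real cipher was negotiated), 1 when it was refused or the
# connection failed. Arguments: <host> <port> <tls1|tls1_1|tls1_2>
probe_tls() {
    host="$1"
    port="$2"
    version="$3"
    out=$(printf '' | openssl s_client -connect "$host:$port" "-$version" 2>&1)
    case "$out" in
        *"Cipher is (NONE)"*) return 1 ;;   # handshake rejected
        *"connect:errno"*)    return 1 ;;   # nothing listening
        *"Cipher is "*)       return 0 ;;   # negotiated a cipher suite
        *)                    return 1 ;;
    esac
}

# Report which versions a listener accepts; expected after the change
# above: TLSv1.2 accepted, TLSv1.1 and TLSv1 refused.
report_tls_versions() {
    host="$1"
    port="$2"
    for v in tls1 tls1_1 tls1_2; do
        if probe_tls "$host" "$port" "$v"; then
            echo "$host:$port $v accepted"
        else
            echo "$host:$port $v refused"
        fi
    done
}

# Usage (commented out so the script can be sourced without side effects):
#   eval "$(ovsdb_server_cmd 6641 "$NB_DB") --detach --pidfile"
#   eval "$(ovsdb_server_cmd 6642 "$SB_DB") --detach --pidfile"
#   report_tls_versions 127.0.0.1 6641
#   report_tls_versions 127.0.0.1 6642
```

The probe deliberately parses the `Cipher is` line rather than relying on the exit status of `openssl s_client`, which is not consistent across OpenSSL releases when a handshake is refused. Running `report_tls_versions` against a server started without `--ssl-protocols` is a quick way to see the difference: all three versions will report as accepted there, against only `tls1_2` once the option is in place.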
