[ovs-git] [openvswitch/ovs] dfcb68: stream-ssl: Don't enable new TLS versions by defau...
noreply at github.com
Sat Aug 4 00:09:38 UTC 2018
Author: Timothy Redaelli <tredaelli at redhat.com>
Date: 2018-08-03 (Fri, 03 Aug 2018)
stream-ssl: Don't enable new TLS versions by default
Currently protocol_flags is populated by the list of SSL and TLS
protocols by hand. This means that when a new TLS version is added to
openssl (in this case TLS v1.3 is added to openssl 1.1.1 beta)
ovsdb-server automatically enable support to it with the default ciphers.
This can be a security problem (since other ciphers can be enabled) and it
also makes a test (SSL db: implementation) to fail.
This commit changes the 'protocol_flags' to use the list of all protocol
flags as provided by openssl library (SSL_OP_NO_SSL_MASK) so there is no
need to keep the list updated by hand.
Signed-off-by: Timothy Redaelli <tredaelli at redhat.com>
Signed-off-by: Ben Pfaff <blp at ovn.org>
**NOTE:** This service has been marked for deprecation: https://developer.github.com/changes/2018-04-25-github-services-deprecation/
Functionality will be removed from GitHub.com on January 31st, 2019.
More information about the git