stream-ssl: Remove use of deprecated SSLv23_method.

SSLv23_method() is deprecated since OpenSSL 1.1.0. In practice, it is just renamed into TLS_method(). Use the new name instead. For the python version of the code, we can use PROTOCOL_TLS_CLIENT, since we only support client side of the connection. It turns on the hostname check by default, though. So, we need to turn it off, otherwise we would have to provide the server_hostname for every wrap_socket. We would just use generic PROTOCOL_TLS as we do in C, but unfortunately PROTOCOL_TLS is deprecated since Python 3.10. Signed-off-by: Ilya Maximets <[email protected]> Signed-off-by: 0-day Robot <[email protected]>
ovsrobot · Dec 9, 2024 · a8e3b98 · a8e3b98
1 parent 28ef6c9
commit a8e3b98
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 15 deletions.
diff --git a/lib/stream-ssl.c b/lib/stream-ssl.c
@@ -1005,8 +1005,6 @@ ssl_init(void)
 static int
 do_ssl_init(void)
 {
-    SSL_METHOD *method;
-
     if (!RAND_status()) {
         /* We occasionally see OpenSSL fail to seed its random number generator
          * in heavily loaded hypervisors.  I suspect the following scenario:
@@ -1037,19 +1035,14 @@ do_ssl_init(void)
         RAND_seed(seed, sizeof seed);
     }
 
-    /* OpenSSL has a bunch of "connection methods": SSLv2_method(),
-     * SSLv3_method(), TLSv1_method(), SSLv23_method(), ...  Most of these
-     * support exactly one version of SSL/TLS, e.g. TLSv1_method() supports
-     * TLSv1 only, not any earlier *or later* version.  The only exception is
-     * SSLv23_method(), which in fact supports *any* version of SSL and TLS.
-     * We don't want SSLv2 or SSLv3 support, so we turn it off below with
-     * SSL_CTX_set_options().
+    /* Using version-flexible "connection method".  Allowed versions will
+     * be restricted below.
      *
-     * The cast is needed to avoid a warning with newer versions of OpenSSL in
-     * which SSLv23_method() returns a "const" pointer. */
-    method = CONST_CAST(SSL_METHOD *, SSLv23_method());
+     * The context can be used for both client and server connections, so
+     * not using specific TLS_server_method() or TLS_client_method() here. */
+    const SSL_METHOD *method = TLS_method();
     if (method == NULL) {
-        VLOG_ERR("TLSv1_method: %s", ERR_error_string(ERR_get_error(), NULL));
+        VLOG_ERR("TLS_method: %s", ERR_error_string(ERR_get_error(), NULL));
         return ENOPROTOOPT;
     }
 

diff --git a/python/ovs/stream.py b/python/ovs/stream.py
@@ -790,9 +790,10 @@ def _open(suffix, dscp):
         if sock is None:
             return family, sock
 
-        # Create an SSL context
-        ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv23)
+        # Create an SSL context.
+        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
         ctx.verify_mode = ssl.CERT_REQUIRED
+        ctx.check_hostname = False
         ctx.options |= ssl.OP_NO_SSLv2
         ctx.options |= ssl.OP_NO_SSLv3
         ctx.options |= ssl.OP_NO_TLSv1