From: Stoiko Ivanov <s.ivanov@proxmox.com>
To: "Fabian Grünbichler" <f.gruenbichler@proxmox.com>
Cc: Proxmox VE development discussion <pve-devel@lists.proxmox.com>
Subject: Re: [pve-devel] [PATCH http-server 1/3] fix #3790: allow setting TLS 1.3 cipher suites
Date: Mon, 20 Dec 2021 18:57:29 +0100 [thread overview]
Message-ID: <20211220185729.14549a90@rosa.proxmox.com> (raw)
In-Reply-To: <20211217125733.548305-2-f.gruenbichler@proxmox.com>
Thanks for tackling this!
gave it a spin - works as advertised
one thing I think could be improved - is that currently nothing is logged
when CIPHERSUITES is set to an invalid setting.
(tested with "garbage TLS_CHACHA20_POLY1305_SHA256")
with TLS1.2 CIPHERS the log gets filled with:
'garbage' was not accepted as a valid cipher list by AnyEvent::TLS at /usr/share/perl5/PVE/APIServer/AnyEvent.pm line 1913.
The handling of openssl seems kinda sane[0] (fallback to the default list
if the provided one is not recognized) - so I think simply a
syslog('warn', - might help as feedback to users
(quickly tested it - Net::SSLeay::CTX_set_ciphersuites returns '0' if it
did not set the list).
[0]
https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_ciphersuites.html
On Fri, 17 Dec 2021 13:57:27 +0100
Fabian Grünbichler <f.gruenbichler@proxmox.com> wrote:
> like the TLS <= 1.2 cipher list, but needs a different option since the
> format and values are incompatible. AnyEvent doesn't yet handle this
> directly like the cipher list, so set it directly on the context.
>
> requires corresponding patch in pve-manager (which reads the config, and
> passes relevant parts back to the API server).
>
> Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
> ---
> src/PVE/APIServer/AnyEvent.pm | 4 ++++
> src/PVE/APIServer/Utils.pm | 3 +++
> 2 files changed, 7 insertions(+)
>
> diff --git a/src/PVE/APIServer/AnyEvent.pm b/src/PVE/APIServer/AnyEvent.pm
> index f0305b3..e31cf7d 100644
> --- a/src/PVE/APIServer/AnyEvent.pm
> +++ b/src/PVE/APIServer/AnyEvent.pm
> @@ -1885,6 +1885,9 @@ sub new {
> honor_cipher_order => 1,
> };
>
> + # workaround until anyevent supports TLS 1.3 ciphersuites directly
> + my $ciphersuites = delete $self->{ssl}->{ciphersuites};
> +
> foreach my $k (keys %$ssl_defaults) {
> $self->{ssl}->{$k} //= $ssl_defaults->{$k};
> }
> @@ -1904,6 +1907,7 @@ sub new {
>
> $self->{tls_ctx} = AnyEvent::TLS->new(%{$self->{ssl}});
> Net::SSLeay::CTX_set_options($self->{tls_ctx}->{ctx}, $tls_ctx_flags);
> + Net::SSLeay::CTX_set_ciphersuites($self->{tls_ctx}->{ctx}, $ciphersuites) if defined($ciphersuites);
> }
>
> if ($self->{spiceproxy}) {
> diff --git a/src/PVE/APIServer/Utils.pm b/src/PVE/APIServer/Utils.pm
> index 449d764..0124f44 100644
> --- a/src/PVE/APIServer/Utils.pm
> +++ b/src/PVE/APIServer/Utils.pm
> @@ -19,6 +19,7 @@ sub read_proxy_config {
> $shcmd .= 'echo \"DENY_FROM:\$DENY_FROM\";';
> $shcmd .= 'echo \"POLICY:\$POLICY\";';
> $shcmd .= 'echo \"CIPHERS:\$CIPHERS\";';
> + $shcmd .= 'echo \"CIPHERSUITES:\$CIPHERSUITES\";';
> $shcmd .= 'echo \"DHPARAMS:\$DHPARAMS\";';
> $shcmd .= 'echo \"HONOR_CIPHER_ORDER:\$HONOR_CIPHER_ORDER\";';
> $shcmd .= 'echo \"COMPRESSION:\$COMPRESSION\";';
> @@ -48,6 +49,8 @@ sub read_proxy_config {
> $res->{$key} = $value;
> } elsif ($key eq 'CIPHERS') {
> $res->{$key} = $value;
> + } elsif ($key eq 'CIPHERSUITES') {
> + $res->{$key} = $value;
> } elsif ($key eq 'DHPARAMS') {
> $res->{$key} = $value;
> } elsif ($key eq 'HONOR_CIPHER_ORDER' || $key eq 'COMPRESSION') {
next prev parent reply other threads:[~2021-12-20 17:58 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-12-17 12:57 [pve-devel] [PATCH http-server/manager/pmg-api/docs 0/10] expose more TLS knobs Fabian Grünbichler
2021-12-17 12:57 ` [pve-devel] [PATCH http-server 1/3] fix #3790: allow setting TLS 1.3 cipher suites Fabian Grünbichler
2021-12-20 17:57 ` Stoiko Ivanov [this message]
2021-12-17 12:57 ` [pve-devel] [PATCH http-server 2/3] fix #3745: allow overriding TLS key location Fabian Grünbichler
2021-12-17 12:57 ` [pve-devel] [PATCH http-server 3/3] fix #3789: allow disabling TLS v1.2/v1.3 Fabian Grünbichler
2021-12-17 12:57 ` [pve-devel] [PATCH manager 1/3] fix #3790: pass TLS 1.3 ciphersuites if set Fabian Grünbichler
2021-12-17 12:57 ` [pve-devel] [PATCH manager 2/3] fix #3745: handle overridden TLS key location Fabian Grünbichler
2021-12-17 12:57 ` [pve-devel] [PATCH manager 3/3] fix #3789: pass disable TLS 1.2/1.3 options Fabian Grünbichler
2021-12-17 12:57 ` [pve-devel] [PATCH docs] pveproxy: document newly added options Fabian Grünbichler
2021-12-20 18:00 ` Stoiko Ivanov
2022-01-13 16:22 ` [pve-devel] applied: " Thomas Lamprecht
2021-12-17 13:00 ` [pmg-devel] [PATCH pmg-api 1/2] pass TLS 1.3 ciphersuites if set Fabian Grünbichler
2021-12-17 13:00 ` [pmg-devel] [PATCH pmg-api 2/2] pass disable TLS 1.2/1.3 options Fabian Grünbichler
2022-02-03 10:32 ` [pmg-devel] applied: " Thomas Lamprecht
2021-12-17 13:00 ` [pmg-devel] [PATCH pmg-docs] pmgproxy: document newly added options Fabian Grünbichler
2022-02-03 10:32 ` [pmg-devel] applied: " Thomas Lamprecht
2022-02-03 10:32 ` [pmg-devel] applied: [PATCH pmg-api 1/2] pass TLS 1.3 ciphersuites if set Thomas Lamprecht
2021-12-20 18:01 ` [pve-devel] [PATCH http-server/manager/pmg-api/docs 0/10] expose more TLS knobs Stoiko Ivanov
2022-01-13 12:36 ` [pve-devel] partially-applied-series: " Thomas Lamprecht
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20211220185729.14549a90@rosa.proxmox.com \
--to=s.ivanov@proxmox.com \
--cc=f.gruenbichler@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.