From: Stoiko Ivanov <s.ivanov@proxmox.com>
To: "Fabian Grünbichler" <f.gruenbichler@proxmox.com>
Cc: Proxmox VE development discussion <pve-devel@lists.proxmox.com>
Subject: Re: [pve-devel] [PATCH docs] pveproxy: document newly added options
Date: Mon, 20 Dec 2021 19:00:26 +0100 [thread overview]
Message-ID: <20211220190026.516f587b@rosa.proxmox.com> (raw)
In-Reply-To: <20211217125733.548305-8-f.gruenbichler@proxmox.com>
tiny nit inline:
On Fri, 17 Dec 2021 13:57:33 +0100
Fabian Grünbichler <f.gruenbichler@proxmox.com> wrote:
> Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
> ---
> pveproxy.adoc | 30 +++++++++++++++++++++++++++++-
> 1 file changed, 29 insertions(+), 1 deletion(-)
>
> diff --git a/pveproxy.adoc b/pveproxy.adoc
> index 4696d66..8fc6195 100644
> --- a/pveproxy.adoc
> +++ b/pveproxy.adoc
> @@ -117,9 +117,11 @@ effect.
> SSL Cipher Suite
> ----------------
>
> -You can define the cipher list in `/etc/default/pveproxy`, for example
> +You can define the cipher list in `/etc/default/pveproxy` via the `CIPHERS`
> +(TLS <= 1.2) and `CIPHERSUITES` (TLS >= 1.3) keys. For example
>
> CIPHERS="ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
> + CIPHERSUITES="TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
>
> Above is the default. See the ciphers(1) man page from the openssl
> package for a list of all available options.
> @@ -131,6 +133,25 @@ both client and `pveproxy`):
> HONOR_CIPHER_ORDER=0
>
>
> +Supported TLS versions
> +----------------------
> +
> +The insecure SSL versions 2 and 3 are unconditionally disabled for pveproxy.
> +TLS versions below 1.1 are disabled by default on recent OpenSSL versions,
> +which is honored by `pveproxy` (see `/etc/ssl/openssl.cnf`).
> +
> +To disable TLS version 1.2 or 1.3, set the following in `/etc/default/pveproxy`:
> +
> + DISABLE_TLS_1_2=1
> +
> +or, respectively:
> +
> + DISABLE_TLS_1_3=1
> +
> +NOTE: Unless there is a specific reason to do so, it is not recommended to
> +manually adjust the supported TLS versions.
> +
> +
> Diffie-Hellman Parameters
> -------------------------
>
> @@ -157,6 +178,13 @@ pveproxy uses `/etc/pve/local/pveproxy-ssl.pem` and
> `/etc/pve/local/pve-ssl.pem` and `/etc/pve/local/pve-ssl.key`.
> The private key may not use a passphrase.
>
> +It is possible to override the location of the certificate private key by
maybe add a `(/etc/pve/local/pveproxy-ssl.key)` here to avoid confusion
afaicu - overriding works only for pveproxy-ssl.pem
> +setting `TLS_KEY_FILE` in `/etc/default/pveproxy`, for example:
> +
> + TLS_KEY_FILE="/secrets/pveproxy.key"
> +
> +NOTE: The included ACME integration does not honor this setting.
> +
> See the Host System Administration chapter of the documentation for details.
>
> COMPRESSION
next prev parent reply other threads:[~2021-12-20 18:00 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-12-17 12:57 [pve-devel] [PATCH http-server/manager/pmg-api/docs 0/10] expose more TLS knobs Fabian Grünbichler
2021-12-17 12:57 ` [pve-devel] [PATCH http-server 1/3] fix #3790: allow setting TLS 1.3 cipher suites Fabian Grünbichler
2021-12-20 17:57 ` Stoiko Ivanov
2021-12-17 12:57 ` [pve-devel] [PATCH http-server 2/3] fix #3745: allow overriding TLS key location Fabian Grünbichler
2021-12-17 12:57 ` [pve-devel] [PATCH http-server 3/3] fix #3789: allow disabling TLS v1.2/v1.3 Fabian Grünbichler
2021-12-17 12:57 ` [pve-devel] [PATCH manager 1/3] fix #3790: pass TLS 1.3 ciphersuites if set Fabian Grünbichler
2021-12-17 12:57 ` [pve-devel] [PATCH manager 2/3] fix #3745: handle overridden TLS key location Fabian Grünbichler
2021-12-17 12:57 ` [pve-devel] [PATCH manager 3/3] fix #3789: pass disable TLS 1.2/1.3 options Fabian Grünbichler
2021-12-17 12:57 ` [pve-devel] [PATCH docs] pveproxy: document newly added options Fabian Grünbichler
2021-12-20 18:00 ` Stoiko Ivanov [this message]
2022-01-13 16:22 ` [pve-devel] applied: " Thomas Lamprecht
2021-12-17 13:00 ` [pmg-devel] [PATCH pmg-api 1/2] pass TLS 1.3 ciphersuites if set Fabian Grünbichler
2021-12-17 13:00 ` [pmg-devel] [PATCH pmg-api 2/2] pass disable TLS 1.2/1.3 options Fabian Grünbichler
2022-02-03 10:32 ` [pmg-devel] applied: " Thomas Lamprecht
2021-12-17 13:00 ` [pmg-devel] [PATCH pmg-docs] pmgproxy: document newly added options Fabian Grünbichler
2022-02-03 10:32 ` [pmg-devel] applied: " Thomas Lamprecht
2022-02-03 10:32 ` [pmg-devel] applied: [PATCH pmg-api 1/2] pass TLS 1.3 ciphersuites if set Thomas Lamprecht
2021-12-20 18:01 ` [pve-devel] [PATCH http-server/manager/pmg-api/docs 0/10] expose more TLS knobs Stoiko Ivanov
2022-01-13 12:36 ` [pve-devel] partially-applied-series: " Thomas Lamprecht
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20211220190026.516f587b@rosa.proxmox.com \
--to=s.ivanov@proxmox.com \
--cc=f.gruenbichler@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.