From: Hannes Laimer <h.laimer@proxmox.com>
To: pbs-devel@lists.proxmox.com
Subject: [pbs-devel] [PATCH proxmox-backup v3 1/4] config: add tls ciphers to NodeConfig
Date: Sat, 8 Jan 2022 08:08:06 +0100 [thread overview]
Message-ID: <20220108070809.29315-2-h.laimer@proxmox.com> (raw)
In-Reply-To: <20220108070809.29315-1-h.laimer@proxmox.com>
for TLS 1.3 and for TLS <= 1.2
Signed-off-by: Hannes Laimer <h.laimer@proxmox.com>
---
pbs-api-types/src/lib.rs | 15 +++++++++++++++
src/config/node.rs | 26 +++++++++++++++++++++++++-
2 files changed, 40 insertions(+), 1 deletion(-)
diff --git a/pbs-api-types/src/lib.rs b/pbs-api-types/src/lib.rs
index 0a0dd33d..b4882064 100644
--- a/pbs-api-types/src/lib.rs
+++ b/pbs-api-types/src/lib.rs
@@ -124,6 +124,10 @@ const_regex! {
pub FINGERPRINT_SHA256_REGEX = r"^(?:[0-9a-fA-F][0-9a-fA-F])(?::[0-9a-fA-F][0-9a-fA-F]){31}$";
+ pub OPENSSL_CIPHER_LIST_REGEX = r"^[A-Za-z0-9!\-+=@, :]+$";
+
+ pub TLS_CIPHERSUITE_LIST_REGEX = r"^[A-Za-z0-9_:]+$";
+
/// Regex for safe identifiers.
///
/// This
@@ -160,6 +164,9 @@ pub const BLOCKDEVICE_NAME_FORMAT: ApiStringFormat = ApiStringFormat::Pattern(&B
pub const SUBSCRIPTION_KEY_FORMAT: ApiStringFormat = ApiStringFormat::Pattern(&SUBSCRIPTION_KEY_REGEX);
pub const SYSTEMD_DATETIME_FORMAT: ApiStringFormat = ApiStringFormat::Pattern(&SYSTEMD_DATETIME_REGEX);
pub const HOSTNAME_FORMAT: ApiStringFormat = ApiStringFormat::Pattern(&HOSTNAME_REGEX);
+pub const OPENSSL_CIPHER_LIST_FORMAT: ApiStringFormat = ApiStringFormat::Pattern(&OPENSSL_CIPHER_LIST_REGEX);
+pub const TLS_CIPHERSUITE_LIST_FORMAT: ApiStringFormat = ApiStringFormat::Pattern(&TLS_CIPHERSUITE_LIST_REGEX);
+
pub const DNS_ALIAS_FORMAT: ApiStringFormat =
ApiStringFormat::Pattern(&DNS_ALIAS_REGEX);
@@ -189,6 +196,14 @@ pub const HOSTNAME_SCHEMA: Schema = StringSchema::new("Hostname (as defined in R
.format(&HOSTNAME_FORMAT)
.schema();
+pub const OPENSSL_CIPHER_LIST_SCHEMA: Schema = StringSchema::new("OpenSSL cipher string list used by the proxy for TLS <= 1.2")
+ .format(&OPENSSL_CIPHER_LIST_FORMAT)
+ .schema();
+
+pub const TLS_CIPHERSUITE_LIST_SCHEMA: Schema = StringSchema::new("TLS ciphersuites list used by the proxy for TLSv1.3")
+ .format(&TLS_CIPHERSUITE_LIST_FORMAT)
+ .schema();
+
pub const DNS_NAME_FORMAT: ApiStringFormat =
ApiStringFormat::Pattern(&DNS_NAME_REGEX);
diff --git a/src/config/node.rs b/src/config/node.rs
index 4f2ab029..74db8fe3 100644
--- a/src/config/node.rs
+++ b/src/config/node.rs
@@ -1,5 +1,6 @@
use std::collections::HashSet;
+use openssl::ssl::{SslAcceptor, SslMethod};
use anyhow::{bail, Error};
use serde::{Deserialize, Serialize};
@@ -7,7 +8,7 @@ use proxmox_schema::{api, ApiStringFormat, ApiType, Updater};
use proxmox_http::ProxyConfig;
-use pbs_api_types::EMAIL_SCHEMA;
+use pbs_api_types::{EMAIL_SCHEMA, OPENSSL_CIPHER_LIST_SCHEMA, TLS_CIPHERSUITE_LIST_SCHEMA};
use pbs_buildcfg::configdir;
use pbs_config::{open_backup_lockfile, BackupLockGuard};
@@ -91,6 +92,14 @@ pub struct AcmeConfig {
schema: EMAIL_SCHEMA,
optional: true,
},
+ "ciphers-tls3": {
+ schema: TLS_CIPHERSUITE_LIST_SCHEMA,
+ optional: true,
+ },
+ "ciphers-tls2": {
+ schema: OPENSSL_CIPHER_LIST_SCHEMA,
+ optional: true,
+ },
},
)]
#[derive(Deserialize, Serialize, Updater)]
@@ -121,6 +130,14 @@ pub struct NodeConfig {
#[serde(skip_serializing_if = "Option::is_none")]
pub email_from: Option<String>,
+
+ /// List of SSL ciphers for tls 1.3 that will be used by the proxy. (Proxy has to be restarted for changes to take effect)
+ #[serde(skip_serializing_if = "Option::is_none")]
+ pub ciphers_tls3: Option<String>,
+
+ /// List of SSL ciphers for tls <= 1.2 that will be used by the proxy. (Proxy has to be restarted for changes to take effect)
+ #[serde(skip_serializing_if = "Option::is_none")]
+ pub ciphers_tls2: Option<String>,
}
impl NodeConfig {
@@ -172,6 +189,13 @@ impl NodeConfig {
bail!("duplicate domain '{}' in ACME config", domain.domain);
}
}
+ let mut dummy_acceptor = SslAcceptor::mozilla_intermediate_v5(SslMethod::tls()).unwrap();
+ if let Some(ciphers) = self.ciphers_tls3.as_deref() {
+ dummy_acceptor.set_ciphersuites(ciphers)?;
+ }
+ if let Some(ciphers) = self.ciphers_tls2.as_deref() {
+ dummy_acceptor.set_cipher_list(ciphers)?;
+ }
Ok(())
}
--
2.30.2
next prev parent reply other threads:[~2022-01-08 7:08 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-01-08 7:08 [pbs-devel] [PATCH proxmox-backup v3 0/4] close #3612: allow config of SSL cipher-suites for proxy Hannes Laimer
2022-01-08 7:08 ` Hannes Laimer [this message]
2022-01-10 5:40 ` [pbs-devel] [PATCH proxmox-backup v3 1/4] config: add tls ciphers to NodeConfig Dietmar Maurer
2022-01-10 8:14 ` Fabian Grünbichler
2022-01-08 7:08 ` [pbs-devel] [PATCH proxmox-backup v3 2/4][optional] pbs-api-types: make regex for ciphers more strict Hannes Laimer
2022-01-08 7:08 ` [pbs-devel] [PATCH proxmox-backup v3 3/4] proxy: use ciphers from config if set Hannes Laimer
2022-01-08 7:08 ` [pbs-devel] [PATCH proxmox-backup v3 4/4] api2: make tls ciphers updatable Hannes Laimer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220108070809.29315-2-h.laimer@proxmox.com \
--to=h.laimer@proxmox.com \
--cc=pbs-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.