* [pbs-devel] [PATCH proxmox-backup] node.cfg/proxy: add tls min/max protocol version
@ 2022-01-14 10:50 Fabian Grünbichler
From: Fabian Grünbichler @ 2022-01-14 10:50 UTC (permalink / raw)
To: pbs-devel
in a new 'tls' config key for future extensibility.
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
pbs-api-types/src/lib.rs | 39 +++++++++++++++++++++++++++++++++
src/api2/node/config.rs | 4 ++++
src/bin/proxmox-backup-proxy.rs | 22 +++++++++++++++++--
src/config/node.rs | 10 ++++++++-
4 files changed, 72 insertions(+), 3 deletions(-)
diff --git a/pbs-api-types/src/lib.rs b/pbs-api-types/src/lib.rs
index 754e7b22..caf68ebf 100644
--- a/pbs-api-types/src/lib.rs
+++ b/pbs-api-types/src/lib.rs
@@ -359,6 +359,45 @@ pub enum NodePowerCommand {
Shutdown,
}
+#[api()]
+#[derive(Debug, Copy, Clone, PartialEq, Serialize, Deserialize)]
+/// TLS protocol version ('tls-1.2' or 'tls-1.3').
+pub enum TlsVersion {
+ /// TLS version 1.2
+ #[serde(rename = "tls-1.2")]
+ Tls1_2,
+ /// TLS version 1.3
+ #[serde(rename = "tls-1.3")]
+ Tls1_3,
+}
+
+#[api(
+ properties: {
+ "min-ver": {
+ type: TlsVersion,
+ optional: true,
+ },
+ "max-ver": {
+ type: TlsVersion,
+ optional: true,
+ },
+ },
+)]
+#[derive(Clone, Serialize, Deserialize)]
+#[serde(rename_all = "kebab-case")]
+/// TLS settings
+pub struct TlsSettings {
+ /// Minimum TLS protocol version (requires proxy restart to take effect)
+ pub min_ver: Option<TlsVersion>,
+ /// Maximum TLS protocol version (requires proxy restart to take effect)
+ pub max_ver: Option<TlsVersion>,
+}
+
+pub const TLS_SETTINGS_STRING_SCHEMA: Schema = StringSchema::new(
+ "TLS settings")
+ .format(&ApiStringFormat::PropertyString(&TlsSettings::API_SCHEMA))
+ .schema();
+
#[api()]
#[derive(Eq, PartialEq, Debug, Serialize, Deserialize)]
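Review bot: `TlsSettings` at the `#[derive(Clone, Serialize, Deserialize)]` line cannot be shown in a log line or error message because it lacks `Debug`, while the `TlsVersion` it wraps derives `Debug, Copy, Clone, PartialEq`; `#[derive(Debug, Clone, PartialEq, Serialize, Deserialize)]` keeps the two types consistent. Nothing in the `#[api(...)]` schema relates the two properties, so `min-ver=tls-1.3,max-ver=tls-1.2` passes schema validation even though no protocol version can satisfy it. At least the field docs should state the constraint, e.g. `/// Minimum TLS protocol version, must not be greater than max-ver (requires proxy restart to take effect)` and the mirror sentence on `max_ver`, so whoever validates the setting later has it documented.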
diff --git a/src/api2/node/config.rs b/src/api2/node/config.rs
index c4af7b92..710e9ebc 100644
--- a/src/api2/node/config.rs
+++ b/src/api2/node/config.rs
@@ -62,6 +62,8 @@ pub enum DeletableProperty {
/// Delete the ciphers-tls-1.2 property.
#[serde(rename="ciphers-tls-1.2")]
ciphers_tls_1_2,
+ /// Delete the tls property
+ tls,
}
#[api(
@@ -121,6 +123,7 @@ pub fn update_node_config(
DeletableProperty::email_from => { config.email_from = None; },
DeletableProperty::ciphers_tls_1_3 => { config.ciphers_tls_1_3 = None; },
DeletableProperty::ciphers_tls_1_2 => { config.ciphers_tls_1_2 = None; },
+ DeletableProperty::tls => { config.tls = None; },
}
}
}
@@ -135,6 +138,7 @@ pub fn update_node_config(
if update.email_from.is_some() { config.email_from = update.email_from; }
if update.ciphers_tls_1_3.is_some() { config.ciphers_tls_1_3 = update.ciphers_tls_1_3; }
if update.ciphers_tls_1_2.is_some() { config.ciphers_tls_1_2 = update.ciphers_tls_1_2; }
+ if update.tls.is_some() { config.tls = update.tls; }
crate::config::node::save_config(&config)?;
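Review bot: The added `if update.tls.is_some() { config.tls = update.tls; }` persists the value after only the property-string schema check, which validates syntax, not the relation between the two keys; an inverted pair (`min-ver=tls-1.3,max-ver=tls-1.2`) is saved and, after the restart the docs ask for, leaves the proxy with no negotiable protocol version. A semantic check before `save_config` would reject it at API time, where the admin can still see the error. The body of `update_node_config` starts outside this hunk, so I cannot see which of `TlsSettings`, `TlsVersion`, `proxmox_schema::ApiType` or `serde_json` are already imported there; the sketch below assumes they are brought into scope, and uses `matches!` because `TlsVersion` has only two variants and no `PartialOrd`.
```rust
    if let Some(tls) = &update.tls {
        let value = TlsSettings::API_SCHEMA.parse_property_string(tls)?;
        let settings: TlsSettings = serde_json::from_value(value)?;
        // with two variants the only inverted combination is 1.3 > 1.2
        if matches!(
            (settings.min_ver, settings.max_ver),
            (Some(TlsVersion::Tls1_3), Some(TlsVersion::Tls1_2))
        ) {
            bail!("tls min-ver must not be greater than max-ver");
        }
        config.tls = update.tls;
    }
    // … unchanged: save_config call …
```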
diff --git a/src/bin/proxmox-backup-proxy.rs b/src/bin/proxmox-backup-proxy.rs
index 523966cf..eadfb2de 100644
--- a/src/bin/proxmox-backup-proxy.rs
+++ b/src/bin/proxmox-backup-proxy.rs
@@ -12,7 +12,7 @@ use hyper::{Body, StatusCode};
use hyper::header;
use url::form_urlencoded;
-use openssl::ssl::{SslMethod, SslAcceptor, SslFiletype};
+use openssl::ssl::{SslMethod, SslAcceptor, SslFiletype, SslVersion};
use tokio_stream::wrappers::ReceiverStream;
use serde_json::{json, Value};
use http::{Method, HeaderMap};
@@ -22,6 +22,7 @@ use proxmox_sys::fs::CreateOptions;
use proxmox_lang::try_block;
use proxmox_router::{RpcEnvironment, RpcEnvironmentType, UserInformation};
use proxmox_http::client::{RateLimitedStream, ShareableRateLimit};
+use proxmox_schema::ApiType;
use proxmox_sys::{task_log, task_warn};
use proxmox_sys::logrotate::LogRotate;
@@ -51,7 +52,7 @@ use proxmox_time::CalendarEvent;
use pbs_api_types::{
Authid, TapeBackupJobConfig, VerificationJobConfig, SyncJobConfig, DataStoreConfig,
- PruneOptions,
+ PruneOptions, TlsVersion, TlsSettings,
};
use proxmox_rest_server::daemon;
@@ -358,6 +359,23 @@ fn make_tls_acceptor() -> Result<SslAcceptor, Error> {
acceptor.set_certificate_chain_file(cert_path)
.map_err(|err| format_err!("unable to read proxy cert {} - {}", cert_path, err))?;
acceptor.set_options(openssl::ssl::SslOptions::NO_RENEGOTIATION);
+
+ if let Some(tls_settings) = config.tls {
+ if let Ok(value) = TlsSettings::API_SCHEMA.parse_property_string(&tls_settings) {
+ if let Ok(settings) = serde_json::from_value::<TlsSettings>(value) {
+ let convert = |version: Option<TlsVersion>| {
+ version.map(|version| match version {
+ TlsVersion::Tls1_2 => SslVersion::TLS1_2,
+ TlsVersion::Tls1_3 => SslVersion::TLS1_3,
+ })
+ };
+
+ acceptor.set_min_proto_version(convert(settings.min_ver))?;
+ acceptor.set_max_proto_version(convert(settings.max_ver))?;
+ }
+ }
+ }
+
acceptor.check_private_key().unwrap();
Ok(acceptor.build())
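Review bot: The two nested `if let Ok(...)` guards around `parse_property_string` and `serde_json::from_value` swallow every error, so a malformed `tls` entry in node.cfg starts the proxy with whatever versions the acceptor already allowed while the admin believes the restriction is active; `make_tls_acceptor` already returns `Result` and uses `format_err!` two lines above, so these should propagate with `?` like the certificate errors do. Separately, `convert(settings.min_ver)` is `None` whenever only one of the two keys is configured, and `set_min_proto_version(None)` / `set_max_proto_version(None)` resets that bound to the lowest/highest version OpenSSL itself supports rather than leaving it alone; if the acceptor was created from one of the `SslAcceptor::mozilla_*` presets (that happens before this hunk, so I cannot confirm it here), setting `max-ver` alone would silently lower the minimum below TLS 1.2. Only the bounds that are actually configured should be applied. `make_tls_acceptor` starts outside this hunk.
```rust
    if let Some(tls_settings) = config.tls {
        let value = TlsSettings::API_SCHEMA
            .parse_property_string(&tls_settings)
            .map_err(|err| format_err!("invalid tls settings in node config - {}", err))?;
        let settings: TlsSettings = serde_json::from_value(value)
            .map_err(|err| format_err!("invalid tls settings in node config - {}", err))?;
        let convert = |version: TlsVersion| match version {
            TlsVersion::Tls1_2 => SslVersion::TLS1_2,
            TlsVersion::Tls1_3 => SslVersion::TLS1_3,
        };
        // only touch a bound that is configured; passing None would reset the
        // acceptor's existing floor/ceiling to OpenSSL's own limits
        if let Some(min) = settings.min_ver {
            acceptor.set_min_proto_version(Some(convert(min)))?;
        }
        if let Some(max) = settings.max_ver {
            acceptor.set_max_proto_version(Some(convert(max)))?;
        }
    }
    // … unchanged: check_private_key and build …
```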
diff --git a/src/config/node.rs b/src/config/node.rs
index 40d7b220..d96a0911 100644
--- a/src/config/node.rs
+++ b/src/config/node.rs
@@ -8,7 +8,7 @@ use proxmox_schema::{api, ApiStringFormat, ApiType, Updater};
use proxmox_http::ProxyConfig;
-use pbs_api_types::{EMAIL_SCHEMA, OPENSSL_CIPHERS_TLS_1_2_SCHEMA, OPENSSL_CIPHERS_TLS_1_3_SCHEMA};
+use pbs_api_types::{EMAIL_SCHEMA, OPENSSL_CIPHERS_TLS_1_2_SCHEMA, OPENSSL_CIPHERS_TLS_1_3_SCHEMA, TLS_SETTINGS_STRING_SCHEMA};
use pbs_buildcfg::configdir;
use pbs_config::{open_backup_lockfile, BackupLockGuard};
@@ -100,6 +100,10 @@ pub struct AcmeConfig {
schema: OPENSSL_CIPHERS_TLS_1_2_SCHEMA,
optional: true,
},
+ "tls": {
+ schema: TLS_SETTINGS_STRING_SCHEMA,
+ optional: true,
+ },
},
)]
#[derive(Deserialize, Serialize, Updater)]
@@ -138,6 +142,10 @@ pub struct NodeConfig {
/// List of TLS ciphers for TLS <= 1.2 that will be used by the proxy. (Proxy has to be restarted for changes to take effect)
#[serde(skip_serializing_if = "Option::is_none", rename="ciphers-tls-1.2")]
pub ciphers_tls_1_2: Option<String>,
+
+ /// TLS protocol settings that will be used by the proxy. (Proxy has to be restarted for changes to take effect)
+ #[serde(skip_serializing_if = "Option::is_none")]
+ pub tls: Option<String>,
}
impl NodeConfig {
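Review bot: The doc comment on the new `tls` field says what the setting is for but not how to write it, and since the field is a plain `Option<String>` nothing else in `NodeConfig` tells a reader which keys the property string accepts. Spelling out the keys and values that the schema in the earlier hunk defines would make the generated docs and `node.cfg` self-explanatory, e.g. `/// TLS protocol settings that will be used by the proxy, as a property string with the keys 'min-ver' and 'max-ver', each 'tls-1.2' or 'tls-1.3'. (Proxy has to be restarted for changes to take effect)`. The sibling `ciphers-tls-1.2` doc above uses the same trailing restart sentence, so the style stays consistent.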
--
2.30.2