From: Dominik Csapak <d.csapak@proxmox.com>
To: pbs-devel@lists.proxmox.com
Subject: [pbs-devel] [PATCH proxmox-websocket-tunnel 2/2] use proxmox-http's openssl callback
Date: Wed, 21 May 2025 10:45:23 +0200
Message-ID: <20250521084524.829496-5-d.csapak@proxmox.com>
In-Reply-To: <20250521084524.829496-1-d.csapak@proxmox.com>
no functional change intended, since the callback there should implement
the same behavior.
With this, we can drop the dependency on itertools.
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
---
Cargo.toml | 3 +--
src/main.rs | 66 ++++++++++++++++++++++-------------------------------
2 files changed, 28 insertions(+), 41 deletions(-)
diff --git a/Cargo.toml b/Cargo.toml
index 008bf4c..0f8f375 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -15,7 +15,6 @@ futures = "0.3"
futures-util = "0.3"
hex = "0.4"
hyper = "0.14"
-itertools = "0.10"
openssl = "0.10"
percent-encoding = "2"
serde = { version = "1.0", features = ["derive"] }
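Review bot: with `hex::encode` gone from the verify callback (the only use visible in this patch), check whether `hex = "0.4"` is still referenced anywhere else in src/main.rs; if not, it can be dropped from Cargo.toml alongside `itertools` in the same commit, since the commit message already frames this as a dependency cleanup.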
@@ -24,5 +23,5 @@ tokio = { version = "1", features = ["io-std", "io-util", "macros", "rt-multi-th
tokio-stream = { version = "0.1", features = ["io-util"] }
tokio-util = "0.7"
-proxmox-http = { version = "0.9", features = ["websocket", "client"] }
+proxmox-http = { version = "0.9", features = ["websocket", "client", "tls"] }
proxmox-sys = "0.6"
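Review bot: the version bound on `proxmox-http` stays at `"0.9"` while the code now requires `proxmox_http::openssl_verify_callback` and `SslVerifyError`, which are introduced by the companion proxmox patch ("http: factor out openssl verification callback"); once that lands in a release, bump the minimum version here so a build against an older 0.9 fails at dependency resolution rather than with an unresolved-import error.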
diff --git a/src/main.rs b/src/main.rs
index 53ac48d..0ab2943 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -24,6 +24,7 @@ use tokio_stream::StreamExt;
use proxmox_http::client::HttpsConnector;
use proxmox_http::websocket::{OpCode, WebSocket, WebSocketReader, WebSocketWriter};
+use proxmox_http::SslVerifyError;
#[derive(Serialize, Deserialize, Debug)]
#[serde(rename_all = "kebab-case")]
@@ -140,48 +141,35 @@ impl CtrlTunnel {
}
let mut ssl_connector_builder = SslConnector::builder(SslMethod::tls())?;
- if let Some(expected) = fingerprint {
+ if fingerprint.is_some() {
ssl_connector_builder.set_verify_callback(
openssl::ssl::SslVerifyMode::PEER,
- move |_valid, ctx| {
- let cert = match ctx.current_cert() {
- Some(cert) => cert,
- None => {
- // should not happen
- eprintln!("SSL context lacks current certificate.");
- return false;
- }
- };
-
- // skip CA certificates, we only care about the peer cert
- let depth = ctx.error_depth();
- if depth != 0 {
- return true;
- }
-
- use itertools::Itertools;
- let fp = match cert.digest(openssl::hash::MessageDigest::sha256()) {
- Ok(fp) => fp,
- Err(err) => {
- // should not happen
- eprintln!("failed to calculate certificate FP - {}", err);
- return false;
+ move |valid, ctx| match proxmox_http::openssl_verify_callback(
+ valid,
+ ctx,
+ fingerprint.as_deref(),
+ ) {
+ Ok(()) => true,
+ Err(err) => {
+ match err {
+ SslVerifyError::NoCertificate => {
+ eprintln!("SSL context lacks current certificate");
+ }
+ SslVerifyError::InvalidFingerprint(err) => {
+ eprintln!("failed to calculate certificate FP - {err}")
+ }
+ SslVerifyError::FingerprintMismatch {
+ fingerprint,
+ expected,
+ } => {
+ eprintln!(
+ "certificate fingerprint does not match expected fingerprint!"
+ );
+ eprintln!("expected: {expected}");
+ eprintln!("encountered: {fingerprint}");
+ }
+ SslVerifyError::UntrustedCertificate { .. } => {}
}
- };
- let fp_string = hex::encode(fp);
- let fp_string = fp_string
- .as_bytes()
- .chunks(2)
- .map(|v| unsafe { std::str::from_utf8_unchecked(v) })
- .join(":");
-
- let expected = expected.to_lowercase();
- if expected == fp_string {
- true
- } else {
- eprintln!("certificate fingerprint does not match expected fingerprint!");
- eprintln!("expected: {}", expected);
- eprintln!("encountered: {}", fp_string);
false
}
},
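Review bot: the `SslVerifyError::UntrustedCertificate { .. } => {}` arm rejects the connection (the shared `false` below) without printing anything, while every other arm reports why verification failed; since this callback is only installed when a fingerprint is configured, and the old code returned `true` for any `error_depth() != 0` and otherwise only compared the leaf fingerprint, please confirm that `openssl_verify_callback` cannot return `UntrustedCertificate` when `Some(fingerprint)` is passed, otherwise this is a functional change relative to the commit message and the arm should at least log the rejection. Minor style point: the nested `match err { ... }` inside `Err(err) =>` can be flattened into the outer match (`Err(SslVerifyError::NoCertificate) => { ...; false }` etc.), which avoids the trailing `false` being shared across arms and keeps each outcome next to its message.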
--
2.39.5
_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel