[PATCH datacenter-manager 06/17] client: don't short-circuit on valid certificate when tls fp exists

all lists on lists.proxmox.com
 help / color / mirror / Atom feed

From: Shannon Sterz <s.sterz@proxmox.com>
To: pdm-devel@lists.proxmox.com
Subject: [PATCH datacenter-manager 06/17] client: don't short-circuit on valid certificate when tls fp exists
Date: Thu, 11 Jun 2026 14:03:16 +0200	[thread overview]
Message-ID: <20260611120327.257523-7-s.sterz@proxmox.com> (raw)
In-Reply-To: <20260611120327.257523-1-s.sterz@proxmox.com>

if a user intentionally sets a fingerprint, the assumption is that
this acts similar to tls certificate pinning [1]. if we short-circuit
return on certificates trusted by the system's trust store (meaning,
if the `valid` parameter that is passed to the callback is true), this
assumption is broken. any certificate that is trusted by the
certificate store, whether there is one pinned for the corresponding
host or not, is trusted.

avoid this by not short-circuiting, but instead using that parameter
only if we don't have a fingerprint stored for a given host.

[1]: https://cheatsheetseries.owasp.org/cheatsheets/Pinning_Cheat_Sheet.html#what-is-pinning

Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
---
 cli/client/src/env/fingerprint_cache.rs | 5 +++--
 cli/client/src/env/mod.rs               | 8 ++++++--
 cli/client/src/main.rs                  | 6 +-----
 3 files changed, 10 insertions(+), 9 deletions(-)

diff --git a/cli/client/src/env/fingerprint_cache.rs b/cli/client/src/env/fingerprint_cache.rs
index b9a9f972..af48c353 100644
--- a/cli/client/src/env/fingerprint_cache.rs
+++ b/cli/client/src/env/fingerprint_cache.rs
@@ -125,6 +125,7 @@ impl FingerprintCache {
         &self,
         hostname: &str,
         chain: &mut X509StoreContextRef,
+        valid: bool,
     ) -> Result<VerifyResult, Error> {
         let cert = chain
             .current_cert()
@@ -142,8 +143,8 @@ impl FingerprintCache {
         let fp = Fingerprint::try_from(&*fp)
             .map_err(|_| format_err!("unexpected fingerprint length"))?;
 
-        if !self.interactive {
-            return Ok(VerifyResult::unmodified(false));
+        if !self.interactive || valid {
+            return Ok(VerifyResult::unmodified(valid));
         }
 
         println!("Certificate SHA256 fingerprint: {fp}");
diff --git a/cli/client/src/env/mod.rs b/cli/client/src/env/mod.rs
index 44a9388f..7c35e2a2 100644
--- a/cli/client/src/env/mod.rs
+++ b/cli/client/src/env/mod.rs
@@ -147,9 +147,13 @@ impl Env {
         Ok(())
     }
 
-    pub fn verify_cert(&self, chain: &mut x509::X509StoreContextRef) -> Result<bool, Error> {
+    pub fn verify_cert(
+        &self,
+        chain: &mut x509::X509StoreContextRef,
+        valid: bool,
+    ) -> Result<bool, Error> {
         let result = match self.connect_args.host.as_deref() {
-            Some(server) => self.fingerprint_cache.verify(server, chain)?,
+            Some(server) => self.fingerprint_cache.verify(server, chain, valid)?,
             None => return Ok(false),
         };
 
diff --git a/cli/client/src/main.rs b/cli/client/src/main.rs
index 4598a2bd..95b5b41f 100644
--- a/cli/client/src/main.rs
+++ b/cli/client/src/main.rs
@@ -47,11 +47,7 @@ pub fn client() -> Result<PdmClient<Client>, Error> {
     let address = env().url()?.parse()?;
 
     let options = TlsOptions::Callback(Box::new(|valid, store| {
-        if valid {
-            return true;
-        }
-
-        match env().verify_cert(store) {
+        match env().verify_cert(store, valid) {
             Ok(b) => b,
             Err(err) => {
                 eprintln!("failed to validate TLS certificate: {err}");
-- 
2.47.3

next prev parent reply	other threads:[~2026-06-11 12:03 UTC|newest]

Thread overview: 18+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-11 12:03 [RFC cluster/datacenter-manager/manager/proxmox 00/17] TLS Certificate Staging Shannon Sterz
2026-06-11 12:03 ` [PATCH cluster 01/17] setup: allow caller to provide the certificate filename Shannon Sterz
2026-06-11 12:03 ` [PATCH manager 02/17] bin/api: add a new staged certificate when renewing self-signed cert Shannon Sterz
2026-06-11 12:03 ` [PATCH manager 03/17] api: certificates: if node parameter is 'localhost' return local certs Shannon Sterz
2026-06-11 12:03 ` [PATCH proxmox 04/17] client: ignore certificate trust store validation result on fp option Shannon Sterz
2026-06-11 12:03 ` [PATCH proxmox 05/17] pve-api-types: expose certificates info endpoint Shannon Sterz
2026-06-11 12:03 ` Shannon Sterz [this message]
2026-06-11 12:03 ` [PATCH datacenter-manager 07/17] client: allow users to update a changed fingerprint interactively Shannon Sterz
2026-06-11 12:03 ` [PATCH datacenter-manager 08/17] cli/api-types: move Fingerprint to common api type crate Shannon Sterz
2026-06-11 12:03 ` [PATCH datacenter-manager 09/17] server: connection: report mismatching fingerprint as untrusted on probe Shannon Sterz
2026-06-11 12:03 ` [PATCH datacenter-manager 10/17] ui: wizzard: add context if a provided fingerprint did not match remote Shannon Sterz
2026-06-11 12:03 ` [PATCH datacenter-manager 11/17] ui: wizzard: nodes page: always update fingerprints on user confirmation Shannon Sterz
2026-06-11 12:03 ` [PATCH datacenter-manager 12/17] pdm-api-types: implement ApiType for Fingerprint Shannon Sterz
2026-06-11 12:03 ` [PATCH datacenter-manager 13/17] pdm-api-types: add staged_fingerprints field to NodeUrl Shannon Sterz
2026-06-11 12:03 ` [PATCH datacenter-manager 14/17] server: remotes: lock remotes config when updating it Shannon Sterz
2026-06-11 12:03 ` [PATCH datacenter-manager 15/17] server: connection: rotate in staged fingerprints when encountering them Shannon Sterz
2026-06-11 12:03 ` [PATCH datacenter-manager 16/17] server: api: tasks: move `spawn_aborted_on_shutdown()` to super module Shannon Sterz
2026-06-11 12:03 ` [PATCH datacenter-manager 17/17] server: bin: api: tasks: add task to discover new staged certificates Shannon Sterz

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:b9a9f97 dfblob:af48c35 dfblob:44a9388 dfblob:7c35e2a
dfblob:4598a2b dfblob:95b5b41 )
 OR (
bs:"[PATCH datacenter-manager 06/17] client: don't short-circuit on valid certificate when tls fp exists" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260611120327.257523-7-s.sterz@proxmox.com \
    --to=s.sterz@proxmox.com \
    --cc=pdm-devel@lists.proxmox.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.

Service provided by Proxmox Server Solutions GmbH | Privacy | Legal