* Re: [pbs-devel] [PATCH proxmox-backup v2 1/3] config: add cipher-suites to NodeConfig
@ 2022-01-05  8:44 Dietmar Maurer
From: Dietmar Maurer @ 2022-01-05  8:44 UTC
  To: Proxmox Backup Server development discussion, Hannes Laimer

> On 01/05/2022 9:23 AM Dietmar Maurer <dietmar@proxmox.com> wrote:
> 
>  
> Please can we have a more elaborate error message here?
> 
> Or even better, use a schema verify function to do the checks?

Just noticed that this is a bad idea, because we do not want API types to depend on ssl libs.





* Re: [pbs-devel] [PATCH proxmox-backup v2 1/3] config: add cipher-suites to NodeConfig
@ 2022-01-05  8:23 Dietmar Maurer
From: Dietmar Maurer @ 2022-01-05  8:23 UTC
  To: Proxmox Backup Server development discussion, Hannes Laimer

Please can we have a more elaborate error message here?

Or even better, use a schema verify function to do the checks?

 
> +        let mut dummy_acceptor = SslAcceptor::mozilla_intermediate_v5(SslMethod::tls()).unwrap();
> +        if let Some(cipher_suites) = self.cipher_suites_tls3.as_deref() {
> +            dummy_acceptor.set_ciphersuites(cipher_suites)?;
> +        }
> +        if let Some(cipher_suites) = self.cipher_suites_tls2.as_deref() {
> +            dummy_acceptor.set_cipher_list(cipher_suites)?;
> +        }





* [pbs-devel] [PATCH proxmox-backup v2 1/3] config: add cipher-suites to NodeConfig
  2022-01-04 11:48 [pbs-devel] [PATCH proxmox-backup v2 0/3] close #3612: allow config of SSL cipher-suites for proxy Hannes Laimer
@ 2022-01-04 11:48 ` Hannes Laimer
From: Hannes Laimer @ 2022-01-04 11:48 UTC
  To: pbs-devel

for TLS 1.3 and for TLS <= 1.2

Signed-off-by: Hannes Laimer <h.laimer@proxmox.com>
---
 src/config/node.rs | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/src/config/node.rs b/src/config/node.rs
index 4f2ab029..6a6038e6 100644
--- a/src/config/node.rs
+++ b/src/config/node.rs
@@ -1,5 +1,6 @@
 use std::collections::HashSet;
 
+use openssl::ssl::{SslAcceptor, SslMethod};
 use anyhow::{bail, Error};
 use serde::{Deserialize, Serialize};
 
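Review bot: The added `use openssl::ssl::{SslAcceptor, SslMethod};` line sits above `use anyhow::{bail, Error};`, which breaks the alphabetical order of this import group; move it between the `anyhow` and `serde` lines. It also makes the node config module depend on OpenSSL solely for the check added in the last hunk of this patch, so it is worth confirming that this dependency is wanted here.
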
@@ -91,6 +92,14 @@ pub struct AcmeConfig {
             schema: EMAIL_SCHEMA,
             optional: true,
         },
+        "cipher-suites-tls3": {
+            optional: true,
+            type: String,
+        },
+        "cipher-suites-tls2": {
+            optional: true,
+            type: String,
+        },
     },
 )]
 #[derive(Deserialize, Serialize, Updater)]
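Review bot: Both new properties, `"cipher-suites-tls3"` and `"cipher-suites-tls2"`, are declared as a bare `type: String` with no schema, format or length limit, unlike the neighbouring entry that uses `schema: EMAIL_SCHEMA`. Consider a dedicated string schema that restricts the value to the characters a cipher list can contain, so malformed input is already rejected at the API layer. The names are also easy to misread: `tls3` and `tls2` stand for TLS 1.3 and TLS <= 1.2, so names that spell out the protocol version would be clearer.
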
@@ -121,6 +130,14 @@ pub struct NodeConfig {
     
     #[serde(skip_serializing_if = "Option::is_none")]
     pub email_from: Option<String>,
+
+    /// List of SSL ciphers for tls 1.3 that will be used by the proxy. (Proxy has to be restarted for changes to take effect)
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub cipher_suites_tls3: Option<String>,
+    
+    /// List of SSL ciphers for tls <= 1.2 that will be used by the proxy. (Proxy has to be restarted for changes to take effect)
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub cipher_suites_tls2: Option<String>,
 }
 
 impl NodeConfig {
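Review bot: The doc comments on `cipher_suites_tls3` and `cipher_suites_tls2` do not say what format the string must have. Since the values are handed to `set_ciphersuites` and `set_cipher_list` later in this patch, state that they are colon-separated OpenSSL cipher strings, and write "TLS 1.3" and "TLS <= 1.2" in upper case. The `+` line between the two fields consists only of whitespace and should be an empty line.
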
@@ -172,6 +189,13 @@ impl NodeConfig {
                 bail!("duplicate domain '{}' in ACME config", domain.domain);
             }
         }
+        let mut dummy_acceptor = SslAcceptor::mozilla_intermediate_v5(SslMethod::tls()).unwrap();
+        if let Some(cipher_suites) = self.cipher_suites_tls3.as_deref() {
+            dummy_acceptor.set_ciphersuites(cipher_suites)?;
+        }
+        if let Some(cipher_suites) = self.cipher_suites_tls2.as_deref() {
+            dummy_acceptor.set_cipher_list(cipher_suites)?;
+        }
 
         Ok(())
     }
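
Review bot: `SslAcceptor::mozilla_intermediate_v5(SslMethod::tls()).unwrap()` can panic inside a function that otherwise reports problems through `bail!` and `?`; propagate the failure with `?` instead. The two `?` on `set_ciphersuites` and `set_cipher_list` forward the raw OpenSSL error, which does not name the offending option; map each error into a message that says whether `cipher-suites-tls3` or `cipher-suites-tls2` was rejected and includes the rejected value. `dummy_acceptor` is built and then dropped, so a short comment that it exists only to validate the two strings would help the next reader.
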
-- 
2.30.2





