From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) by lore.proxmox.com (Postfix) with ESMTPS id B2FEC1FF13C for ; Thu, 25 Jun 2026 13:20:27 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 67712DC9A; Thu, 25 Jun 2026 13:20:11 +0200 (CEST) Mime-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=UTF-8 Date: Thu, 25 Jun 2026 13:19:30 +0200 Message-Id: Subject: Re: [PATCH proxmox{,-backup,-websocket-tunnel} v3 0/6] unify openssl callback logic To: "Dominik Csapak" , , X-Mailer: aerc 0.20.0 References: <20260617085949.1528300-1-d.csapak@proxmox.com> In-Reply-To: <20260617085949.1528300-1-d.csapak@proxmox.com> From: "Shannon Sterz" X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2 X-Bm-Transport-Timestamp: 1782386369784 X-SPAM-LEVEL: Spam detection results: 0 AWL 0.106 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [proxmox.com] Message-ID-Hash: KWRL3FCXONQUPZ7I7BINLJHZEJQGA24Q X-Message-ID-Hash: KWRL3FCXONQUPZ7I7BINLJHZEJQGA24Q X-MailFrom: s.sterz@proxmox.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop; banned-address; emergency; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.10 Precedence: list List-Id: Proxmox Backup Server development discussion List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: On Wed Jun 17, 2026 at 10:59 AM CEST, Dominik Csapak wrote: > There are currently 3+ slightly different implementations of the openssl > verify callback in place. They differ in how an explicit fingerprint > would be checked: first off, thanks for tackling this. unifying this behavior makes a lot of sense imo. -->8 snip 8<-- > The last patch of the proxmox-http crate is to preserve backwards compati= bility > with the current pbs client behavior, but can be switched to the new 'cor= rect' > one via environment variable (which we might want to enable automatically= for > the websocket-tunnel?) after discussing this with fabian we came to conclusion that this behavior should probably be opt-out, not opt-in. we can opt-in existing installs on update, but avoid having new installs and new users use the old behavior by accident. personally, websocket-tunnel should definitively be kept at its current behavior. leting it regress to "wrong" behavior sounds wrong to me. -->8 snip 8<-- > I tried to implement some tests, but due to the openssl interface this > seems to be not really possible, except if we'd start a server + client > in the tests (which seems overkill). But if anyone has an idea how we > could test this code (and i mean not only it's interface, but the > openssl connection behavior), I'd be glad. as discussed off list, adding tests for this does make a lot of sense. even if it means manually spawning a server that we can test against. we already do something similar for other crates such as `proxmox-ldap` and as you pointed out, we managed to get this "wrong" several times over, so the effort is imo justified. attached to this review, i send three patches that implement such tests. these three are intended to be applied on top of your patches for the "proxmox" repo. feel free to either incorporate them into your series or adjust them/provide feedback on them :) > This series partially overlaps/interferes with shannons recent series: > https://lore.proxmox.com/pdm-devel/20260611120327.257523-1-s.sterz@proxmo= x.com/ > > Depending on whether this or shannons series is applied first, I'd either > send a follow-up for PDM or a new version rebased on shannons. btw. same here, i'd also be up for merging parts of these series if it makes reviewing/applying them easier. -->8 snip 8<--