From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <pbs-devel-bounces@lists.proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9])
	by lore.proxmox.com (Postfix) with ESMTPS id 862B71FF13C
	for <inbox@lore.proxmox.com>; Thu, 25 Jun 2026 13:20:38 +0200 (CEST)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
	by firstgate.proxmox.com (Proxmox) with ESMTP id 1999BDE33;
	Thu, 25 Jun 2026 13:20:37 +0200 (CEST)
Mime-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset=UTF-8
Date: Thu, 25 Jun 2026 13:19:43 +0200
Message-Id: <DJI38OV2PW03.DQF4USIWN9BH@proxmox.com>
Subject: Re: [PATCH proxmox v3 3/6] client: use proxmox-http's openssl
 verification callback
To: "Dominik Csapak" <d.csapak@proxmox.com>, <pve-devel@lists.proxmox.com>,
 <pbs-devel@lists.proxmox.com>
X-Mailer: aerc 0.20.0
References: <20260617085949.1528300-1-d.csapak@proxmox.com>
 <20260617085949.1528300-4-d.csapak@proxmox.com>
In-Reply-To: <20260617085949.1528300-4-d.csapak@proxmox.com>
From: "Shannon Sterz" <s.sterz@proxmox.com>
X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2
X-Bm-Transport-Timestamp: 1782386379303
X-SPAM-LEVEL: Spam detection results:  0
	AWL                     0.106 Adjusted score from AWL reputation of From:
 address
	BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
	DMARC_MISSING             0.1 Missing DMARC policy
	KAM_DMARC_STATUS         0.01 Test Rule for DKIM or SPF Failure with Strict
 Alignment
	SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
	SPF_PASS               -0.001 SPF: sender matches SPF record
Message-ID-Hash: IM7PLQXISKTDB4WI3MEKQFMCVFQBJ33J
X-Message-ID-Hash: IM7PLQXISKTDB4WI3MEKQFMCVFQBJ33J
X-MailFrom: s.sterz@proxmox.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; emergency; member-moderation; nonmember-moderation;
 administrivia; implicit-dest; max-recipients; max-size; news-moderation;
 no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.10
Precedence: list
List-Id: Proxmox Backup Server development discussion
 <pbs-devel.lists.proxmox.com>
List-Help: <mailto:pbs-devel-request@lists.proxmox.com?subject=help>
List-Owner: <mailto:pbs-devel-owner@lists.proxmox.com>
List-Post: <mailto:pbs-devel@lists.proxmox.com>
List-Subscribe: <mailto:pbs-devel-join@lists.proxmox.com>
List-Unsubscribe: <mailto:pbs-devel-leave@lists.proxmox.com>

On Wed Jun 17, 2026 at 10:59 AM CEST, Dominik Csapak wrote:
> This changes the validation logic by always checking the fingerprint of
> the leaf certificate, ignoring the openssl verification if a fingerprint
> is configured. This now aligns with our perl implementation and the one
> for proxmox-websocket-tunnel.
>
> Before, a valid certificate chain would have precedence over an explicit
> fingerprint.
>
> Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
> ---
>  proxmox-client/Cargo.toml    |  2 +-
>  proxmox-client/src/client.rs | 69 +++++++++++++-----------------------
>  2 files changed, 25 insertions(+), 46 deletions(-)
>
> diff --git a/proxmox-client/Cargo.toml b/proxmox-client/Cargo.toml
> index 6ca33420..5cbcecd8 100644
> --- a/proxmox-client/Cargo.toml
> +++ b/proxmox-client/Cargo.toml
> @@ -25,7 +25,7 @@ openssl =3D { workspace =3D true, optional =3D true }
>
>  proxmox-login =3D { workspace =3D true, features =3D [ "http" ] }
>
> -proxmox-http =3D { workspace =3D true, optional =3D true, features =3D [=
 "client" ] }
> +proxmox-http =3D { workspace =3D true, optional =3D true, features =3D [=
 "client", "tls" ] }
>  hyper =3D { workspace =3D true, optional =3D true }
>  hyper-util =3D { workspace =3D true, optional =3D true, features =3D [ "=
client-legacy" ] }
>
> diff --git a/proxmox-client/src/client.rs b/proxmox-client/src/client.rs
> index 26913dbb..1a1d3fa8 100644
> --- a/proxmox-client/src/client.rs
> +++ b/proxmox-client/src/client.rs
> @@ -12,6 +12,8 @@ use http_body_util::BodyExt;
>  use openssl::hash::MessageDigest;
>  use openssl::ssl::{SslConnector, SslMethod, SslVerifyMode};
>  use openssl::x509::{self, X509};
> +use proxmox_http::SslVerifyError;
> +use proxmox_http::get_fingerprint_from_u8;
>  use proxmox_login::Ticket;
>  use serde::Serialize;
>
> @@ -110,10 +112,29 @@ impl Client {
>              TlsOptions::Insecure =3D> connector.set_verify(SslVerifyMode=
::NONE),
>              TlsOptions::Fingerprint(expected_fingerprint) =3D> {
>                  connector.set_verify_callback(SslVerifyMode::PEER, move =
|valid, chain| {
> -                    if valid {
> -                        return true;
> +                    let fp =3D get_fingerprint_from_u8(&expected_fingerp=
rint);
> +                    match proxmox_http::openssl_verify_callback(valid, c=
hain, Some(&fp)) {
> +                        Ok(()) =3D> true,
> +                        Err(err) =3D> {
> +                            match err {
> +                                SslVerifyError::FingerprintMismatch {
> +                                    fingerprint,
> +                                    expected,
> +                                } =3D> {
> +                                    log::error!("bad fingerprint: {finge=
rprint}");
> +                                    log::error!("expected fingerprint: {=
expected}");
> +                                    log::error!(
> +                                        r#"If this fingerprint has worke=
d before, it is possible that it changed on the remote
> +side. This can happen, for example, if the remote rotates it's certifica=
te regularly.

pre-existing nit (and i think my fault, sorry), but /it's/its/

-->8 snip 8<--