Re: [PATCH proxmox-websocket-tunnel v3 6/6] use proxmox-http's openssl callback

all lists on lists.proxmox.com
 help / color / mirror / Atom feed

From: "Shannon Sterz" <s.sterz@proxmox.com>
To: "Dominik Csapak" <d.csapak@proxmox.com>,
	<pve-devel@lists.proxmox.com>, <pbs-devel@lists.proxmox.com>
Subject: Re: [PATCH proxmox-websocket-tunnel v3 6/6] use proxmox-http's openssl callback
Date: Thu, 25 Jun 2026 13:19:54 +0200	[thread overview]
Message-ID: <DJI38TPANLYK.3QIY9NCACS26F@proxmox.com> (raw)
In-Reply-To: <20260617085949.1528300-7-d.csapak@proxmox.com>

On Wed Jun 17, 2026 at 10:59 AM CEST, Dominik Csapak wrote:
> no functional change intended, since the callback there should implement
> the same behavior.
>
> With this, we can drop the dependency on itertools.
>
> Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>

-->8 snip 8<--

> @@ -142,48 +142,35 @@ impl CtrlTunnel {
>          }
>
>          let mut ssl_connector_builder = SslConnector::builder(SslMethod::tls())?;
> -        if let Some(expected) = fingerprint {
> +        if fingerprint.is_some() {
>              ssl_connector_builder.set_verify_callback(
>                  openssl::ssl::SslVerifyMode::PEER,
> -                move |_valid, ctx| {
> -                    let cert = match ctx.current_cert() {
> -                        Some(cert) => cert,
> -                        None => {
> -                            // should not happen
> -                            eprintln!("SSL context lacks current certificate.");
> -                            return false;
> -                        }
> -                    };
> -
> -                    // skip CA certificates, we only care about the peer cert
> -                    let depth = ctx.error_depth();
> -                    if depth != 0 {
> -                        return true;
> -                    }
> -
> -                    use itertools::Itertools;
> -                    let fp = match cert.digest(openssl::hash::MessageDigest::sha256()) {
> -                        Ok(fp) => fp,
> -                        Err(err) => {
> -                            // should not happen
> -                            eprintln!("failed to calculate certificate FP - {}", err);
> -                            return false;
> +                move |valid, ctx| match proxmox_http::openssl_verify_callback(
> +                    valid,
> +                    ctx,
> +                    fingerprint.as_deref(),
> +                ) {
> +                    Ok(()) => true,
> +                    Err(err) => {
> +                        match err {
> +                            SslVerifyError::NoCertificate => {
> +                                eprintln!("SSL context lacks current certificate");

same nit here as in 4/6

-->8 snip 8<--

next prev parent reply	other threads:[~2026-06-25 11:20 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-17  8:59 [PATCH proxmox{,-backup,-websocket-tunnel} v3 0/6] unify openssl callback logic Dominik Csapak
2026-06-17  8:59 ` [PATCH proxmox v3 1/6] http: factor out openssl verification callback Dominik Csapak
2026-06-25 11:19   ` Shannon Sterz
2026-06-17  8:59 ` [PATCH proxmox v3 2/6] http: tls: use legacy behavior when PROXMOX_NEW_TLS_CHECK is not set Dominik Csapak
2026-06-25 11:19   ` Shannon Sterz
2026-06-17  8:59 ` [PATCH proxmox v3 3/6] client: use proxmox-http's openssl verification callback Dominik Csapak
2026-06-25 11:19   ` Shannon Sterz
2026-06-17  8:59 ` [PATCH proxmox-backup v3 4/6] pbs-client: use proxmox-https openssl callback Dominik Csapak
2026-06-25 11:19   ` Shannon Sterz
2026-06-17  8:59 ` [PATCH proxmox-backup v3 5/6] pbs-client: honor already verified fingerprint Dominik Csapak
2026-06-17  8:59 ` [PATCH proxmox-websocket-tunnel v3 6/6] use proxmox-http's openssl callback Dominik Csapak
2026-06-25 11:19   ` Shannon Sterz [this message]
2026-06-25 11:19 ` [PATCH proxmox{,-backup,-websocket-tunnel} v3 0/6] unify openssl callback logic Shannon Sterz
2026-06-25 11:22   ` [PATCH proxmox 1/3] http: tls: move PROXMOX_NEW_TLS_CHECK env var name into constant Shannon Sterz
2026-06-25 11:22     ` [PATCH proxmox 2/3] http: tls: implement `PartialEq` for `SslVerifyError` Shannon Sterz
2026-06-25 11:22     ` [PATCH proxmox 3/3] http: tls: add integration tests for openssl verify callbacks Shannon Sterz

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=DJI38TPANLYK.3QIY9NCACS26F@proxmox.com \
    --to=s.sterz@proxmox.com \
    --cc=d.csapak@proxmox.com \
    --cc=pbs-devel@lists.proxmox.com \
    --cc=pve-devel@lists.proxmox.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.

Service provided by Proxmox Server Solutions GmbH | Privacy | Legal