From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <pbs-devel-bounces@lists.proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9])
	by lore.proxmox.com (Postfix) with ESMTPS id E8DE51FF13C
	for <inbox@lore.proxmox.com>; Thu, 25 Jun 2026 13:20:17 +0200 (CEST)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
	by firstgate.proxmox.com (Proxmox) with ESMTP id BD25EDAA5;
	Thu, 25 Jun 2026 13:20:09 +0200 (CEST)
Mime-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset=UTF-8
Date: Thu, 25 Jun 2026 13:19:54 +0200
Message-Id: <DJI38TPANLYK.3QIY9NCACS26F@proxmox.com>
To: "Dominik Csapak" <d.csapak@proxmox.com>, <pve-devel@lists.proxmox.com>,
 <pbs-devel@lists.proxmox.com>
Subject: Re: [PATCH proxmox-websocket-tunnel v3 6/6] use proxmox-http's
 openssl callback
X-Mailer: aerc 0.20.0
References: <20260617085949.1528300-1-d.csapak@proxmox.com>
 <20260617085949.1528300-7-d.csapak@proxmox.com>
In-Reply-To: <20260617085949.1528300-7-d.csapak@proxmox.com>
From: "Shannon Sterz" <s.sterz@proxmox.com>
X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2
X-Bm-Transport-Timestamp: 1782386389837
X-SPAM-LEVEL: Spam detection results:  0
	AWL                     0.106 Adjusted score from AWL reputation of From:
 address
	BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
	DMARC_MISSING             0.1 Missing DMARC policy
	KAM_DMARC_STATUS         0.01 Test Rule for DKIM or SPF Failure with Strict
 Alignment
	SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
	SPF_PASS               -0.001 SPF: sender matches SPF record
Message-ID-Hash: ZMI63XC53FJOXGZVBHKME6NIENYXEKKC
X-Message-ID-Hash: ZMI63XC53FJOXGZVBHKME6NIENYXEKKC
X-MailFrom: s.sterz@proxmox.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop;
 banned-address; emergency; member-moderation; nonmember-moderation;
 administrivia; implicit-dest; max-recipients; max-size; news-moderation;
 no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.10
Precedence: list
List-Id: Proxmox Backup Server development discussion
 <pbs-devel.lists.proxmox.com>
List-Help: <mailto:pbs-devel-request@lists.proxmox.com?subject=help>
List-Owner: <mailto:pbs-devel-owner@lists.proxmox.com>
List-Post: <mailto:pbs-devel@lists.proxmox.com>
List-Subscribe: <mailto:pbs-devel-join@lists.proxmox.com>
List-Unsubscribe: <mailto:pbs-devel-leave@lists.proxmox.com>

On Wed Jun 17, 2026 at 10:59 AM CEST, Dominik Csapak wrote:
> no functional change intended, since the callback there should implement
> the same behavior.
>
> With this, we can drop the dependency on itertools.
>
> Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>

-->8 snip 8<--

> @@ -142,48 +142,35 @@ impl CtrlTunnel {
>          }
>
>          let mut ssl_connector_builder =3D SslConnector::builder(SslMetho=
d::tls())?;
> -        if let Some(expected) =3D fingerprint {
> +        if fingerprint.is_some() {
>              ssl_connector_builder.set_verify_callback(
>                  openssl::ssl::SslVerifyMode::PEER,
> -                move |_valid, ctx| {
> -                    let cert =3D match ctx.current_cert() {
> -                        Some(cert) =3D> cert,
> -                        None =3D> {
> -                            // should not happen
> -                            eprintln!("SSL context lacks current certifi=
cate.");
> -                            return false;
> -                        }
> -                    };
> -
> -                    // skip CA certificates, we only care about the peer=
 cert
> -                    let depth =3D ctx.error_depth();
> -                    if depth !=3D 0 {
> -                        return true;
> -                    }
> -
> -                    use itertools::Itertools;
> -                    let fp =3D match cert.digest(openssl::hash::MessageD=
igest::sha256()) {
> -                        Ok(fp) =3D> fp,
> -                        Err(err) =3D> {
> -                            // should not happen
> -                            eprintln!("failed to calculate certificate F=
P - {}", err);
> -                            return false;
> +                move |valid, ctx| match proxmox_http::openssl_verify_cal=
lback(
> +                    valid,
> +                    ctx,
> +                    fingerprint.as_deref(),
> +                ) {
> +                    Ok(()) =3D> true,
> +                    Err(err) =3D> {
> +                        match err {
> +                            SslVerifyError::NoCertificate =3D> {
> +                                eprintln!("SSL context lacks current cer=
tificate");

same nit here as in 4/6

-->8 snip 8<--