* Re: [pbs-devel] [PATCH proxmox-backup v2 0/3] close #3612: allow config of SSL cipher-suites for proxy
@ 2022-01-05 9:27 Dietmar Maurer
2022-01-05 13:53 ` Hannes Laimer
0 siblings, 1 reply; 6+ messages in thread
From: Dietmar Maurer @ 2022-01-05 9:27 UTC (permalink / raw)
To: Proxmox Backup Server development discussion, Hannes Laimer
> But this does not throw an error:
>
> # proxmox-backup-manager node update --cipher-suites-tls2 asdasd,BBB,BBB.XZY,ECDHE-RSA-AES256-SHA
>
> Seems ssl simply ignores all unknown ciphers. The only error is when the list contains no known cipher.
I wonder if we can hardcode the list of available values and parse it correctly? Allowed values would be:
# openssl ciphers -tls1_2
# openssl ciphers -tls1_3
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [pbs-devel] [PATCH proxmox-backup v2 0/3] close #3612: allow config of SSL cipher-suites for proxy
@ 2022-01-05 15:16 Dietmar Maurer
0 siblings, 0 replies; 6+ messages in thread
From: Dietmar Maurer @ 2022-01-05 15:16 UTC (permalink / raw)
To: Hannes Laimer, Proxmox Backup Server development discussion
> Yes, but just hardcoding the list probably won't be enough since the
> string is allowed to contain !,+,- and some other things[1]. This check
> was mostly thought to check if the proxy would still start with the
> given ciphers, not if the given string was valid. Also I'm not sure if
> we should be more strict than openssl[2].
Please test what happens when you pass a string including a newline. I am quite sure we do not want or need that.
^ permalink raw reply [flat|nested] 6+ messages in thread
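One way to do the stricter pre-check discussed in the messages above, as an added example that is not part of the thread or of the proxmox-backup patch: it tokenizes the OpenSSL cipher-string syntax (separators, the `!`/`-`/`+` operators, `@` directives), rejects unknown names and control characters such as a newline, and so goes beyond a plain name list. `KNOWN` is a constructed, abbreviated allowlist and `validate_cipher_list` is a hypothetical helper.

```rust
// Added example: strict pre-check for an OpenSSL cipher string (TLS <= 1.2 syntax).
// KNOWN is a constructed, abbreviated allowlist; a real one would be filled from
// `openssl ciphers -tls1_2` plus whichever group keywords should be accepted.
const KNOWN: &[&str] = &[
    "ECDHE-RSA-AES256-SHA", "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES256-GCM-SHA384", "HIGH", "ECDHE", "AESGCM", "aNULL", "MD5",
];

#[derive(Debug, PartialEq)]
pub enum CipherListError {
    Empty,
    ControlChar(char),
    UnknownToken(String),
    BadDirective(String),
}

/// Returns the number of cipher entries, or the first problem found.
pub fn validate_cipher_list(list: &str) -> Result<usize, CipherListError> {
    // Newlines, NUL and other control characters are rejected before tokenizing.
    if let Some(c) = list.chars().find(|c| c.is_control()) {
        return Err(CipherListError::ControlChar(c));
    }
    let mut entries = 0;
    // OpenSSL accepts ':', ',' and ' ' as separators between entries.
    for entry in list.split(|c: char| ":, ".contains(c)).filter(|e| !e.is_empty()) {
        if let Some(d) = entry.strip_prefix('@') {
            // Only the two documented directives: @STRENGTH and @SECLEVEL=0..5.
            let level = d.strip_prefix("SECLEVEL=");
            if d != "STRENGTH" && !matches!(level, Some("0" | "1" | "2" | "3" | "4" | "5")) {
                return Err(CipherListError::BadDirective(entry.to_string()));
            }
            continue;
        }
        // One leading '!', '-' or '+' is an operator; an inner '+' ANDs keywords.
        let body = entry.strip_prefix(|c: char| "!-+".contains(c)).unwrap_or(entry);
        for name in body.split('+') {
            if !KNOWN.contains(&name) {
                return Err(CipherListError::UnknownToken(name.to_string()));
            }
        }
        entries += 1;
    }
    if entries == 0 { Err(CipherListError::Empty) } else { Ok(entries) }
}

fn main() {
    // The list from the thread that did not produce an error.
    println!("{:?}", validate_cipher_list("asdasd,BBB,BBB.XZY,ECDHE-RSA-AES256-SHA"));
}
```

Running such a check before the value is written to the node config surfaces a mistyped name at update time rather than leaving it silently dropped when the proxy restarts.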
* Re: [pbs-devel] [PATCH proxmox-backup v2 0/3] close #3612: allow config of SSL cipher-suites for proxy
@ 2022-01-05 9:09 Dietmar Maurer
0 siblings, 0 replies; 6+ messages in thread
From: Dietmar Maurer @ 2022-01-05 9:09 UTC (permalink / raw)
To: Proxmox Backup Server development discussion, Hannes Laimer
> I can do the following without getting an error:
>
> # proxmox-backup-manager node update --cipher-suites-tls2 asdasd,BBB,BBB.XZY
>
> This makes no sense to me!
Need to correct myself, I get the following error:
Error: error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:../ssl/ssl_lib.c:2566:
But this does not throw an error:
# proxmox-backup-manager node update --cipher-suites-tls2 asdasd,BBB,BBB.XZY,ECDHE-RSA-AES256-SHA
Seems ssl simply ignores all unknown ciphers. The only error is when the list contains no known cipher.
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [pbs-devel] [PATCH proxmox-backup v2 0/3] close #3612: allow config of SSL cipher-suites for proxy
@ 2022-01-05 8:55 Dietmar Maurer
0 siblings, 0 replies; 6+ messages in thread
From: Dietmar Maurer @ 2022-01-05 8:55 UTC (permalink / raw)
To: Proxmox Backup Server development discussion, Hannes Laimer
I can do the following without getting an error:
# proxmox-backup-manager node update --cipher-suites-tls2 asdasd,BBB,BBB.XZY
This makes no sense to me!
> On 01/04/2022 12:48 PM Hannes Laimer <h.laimer@proxmox.com> wrote:
>
>
> Cannot be configured in the WebUI, only through proxmox-backup-manager,
> api or in the config file directly (not recommended). For changes to take
> effect the proxy has to be restarted.
>
> Since the string can be rather long and I assume most of the time the
> defaults are used, it is not in the WebUI.
>
> v2:
> - allow setting for TLSv1.3 and TLS <= 1.2 individually
>
> Hannes Laimer (3):
> config: add cipher-suites to NodeConfig
> proxy: use ssl cipher-suites from config if set
> api2: make cipher-suites updatable
>
> src/api2/node/config.rs | 8 ++++++++
> src/bin/proxmox-backup-proxy.rs | 10 ++++++++++
> src/config/node.rs | 24 ++++++++++++++++++++++++
> 3 files changed, 42 insertions(+)
>
> --
> 2.30.2
^ permalink raw reply [flat|nested] 6+ messages in thread
* [pbs-devel] [PATCH proxmox-backup v2 0/3] close #3612: allow config of SSL cipher-suites for proxy
@ 2022-01-04 11:48 Hannes Laimer
0 siblings, 0 replies; 6+ messages in thread
From: Hannes Laimer @ 2022-01-04 11:48 UTC (permalink / raw)
To: pbs-devel
Cannot be configured in the WebUI, only through proxmox-backup-manager,
api or in the config file directly (not recommended). For changes to take
effect the proxy has to be restarted.
Since the string can be rather long and I assume most of the time the
defaults are used, it is not in the WebUI.
v2:
- allow setting for TLSv1.3 and TLS <= 1.2 individually
Hannes Laimer (3):
config: add cipher-suites to NodeConfig
proxy: use ssl cipher-suites from config if set
api2: make cipher-suites updatable
src/api2/node/config.rs | 8 ++++++++
src/bin/proxmox-backup-proxy.rs | 10 ++++++++++
src/config/node.rs | 24 ++++++++++++++++++++++++
3 files changed, 42 insertions(+)
--
2.30.2
^ permalink raw reply [flat|nested] 6+ messages in thread