Re: [pbs-devel] [PATCH proxmox-backup v2 1/3] config: add cipher-suites to NodeConfig

Re: [pbs-devel] [PATCH proxmox-backup v2 1/3] config: add cipher-suites to NodeConfig

[Dietmar Maurer]

Please can we have a more elaborate error message here?

Or even better, use a schema verify function to do the checks?

 
> +        let mut dummy_acceptor = SslAcceptor::mozilla_intermediate_v5(SslMethod::tls()).unwrap();
> +        if let Some(cipher_suites) = self.cipher_suites_tls3.as_deref() {
> +            dummy_acceptor.set_ciphersuites(cipher_suites)?;
> +        }
> +        if let Some(cipher_suites) = self.cipher_suites_tls2.as_deref() {
> +            dummy_acceptor.set_cipher_list(cipher_suites)?;
> +        }

Re: [pbs-devel] [PATCH proxmox-backup v2 1/3] config: add cipher-suites to NodeConfig

[Dietmar Maurer]

> On 01/05/2022 9:23 AM Dietmar Maurer <dietmar@proxmox.com> wrote:
> 
>  
> Please can we have a more elaborate error message here?
> 
> Or even better, use a schema verify function to do the checks?

Just noticed that this is a bad idea, because we do not want API types to depend on ssl libs.

[pbs-devel] [PATCH proxmox-backup v2 0/3] close #3612: allow config of SSL cipher-suites for proxy

[Hannes Laimer]

Cannot be configured in the WebUI, only through proxmox-backup-manager,
api or in the config file directly(not recommended). For changes to take
effect the proxy has to be restarted.

Since the string can be rather long and I assume most of the time the
defaults are used, it is not in the WebUI.

v2:
  - allow setting for TLSv1.3 and TLS <= 1.2 individually

Hannes Laimer (3):
  config: add cipher-suites to NodeConfig
  proxy: use ssl cipher-suites from config if set
  api2: make cipher-suites updatable

 src/api2/node/config.rs         |  8 ++++++++
 src/bin/proxmox-backup-proxy.rs | 10 ++++++++++
 src/config/node.rs              | 24 ++++++++++++++++++++++++
 3 files changed, 42 insertions(+)

-- 
2.30.2

[pbs-devel] [PATCH proxmox-backup v2 1/3] config: add cipher-suites to NodeConfig

[Hannes Laimer]

for TLS 1.3 and for TLS <= 1.2

Signed-off-by: Hannes Laimer <h.laimer@proxmox.com>
---
 src/config/node.rs | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/src/config/node.rs b/src/config/node.rs
index 4f2ab029..6a6038e6 100644
--- a/src/config/node.rs
+++ b/src/config/node.rs
@@ -1,5 +1,6 @@
 use std::collections::HashSet;
 
+use openssl::ssl::{SslAcceptor, SslMethod};
 use anyhow::{bail, Error};
 use serde::{Deserialize, Serialize};
 
@@ -91,6 +92,14 @@ pub struct AcmeConfig {
             schema: EMAIL_SCHEMA,
             optional: true,
         },
+        "cipher-suites-tls3": {
+            optional: true,
+            type: String,
+        },
+        "cipher-suites-tls2": {
+            optional: true,
+            type: String,
+        },
     },
 )]
 #[derive(Deserialize, Serialize, Updater)]
@@ -121,6 +130,14 @@ pub struct NodeConfig {
     
     #[serde(skip_serializing_if = "Option::is_none")]
     pub email_from: Option<String>,
+
+    /// List of SSL ciphers for tls 1.3 that will be used by the proxy. (Proxy has to be restarted for changes to take effect)
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub cipher_suites_tls3: Option<String>,
+    
+    /// List of SSL ciphers for tls <= 1.2 that will be used by the proxy. (Proxy has to be restarted for changes to take effect)
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub cipher_suites_tls2: Option<String>,
 }
 
 impl NodeConfig {
@@ -172,6 +189,13 @@ impl NodeConfig {
                 bail!("duplicate domain '{}' in ACME config", domain.domain);
             }
         }
+        let mut dummy_acceptor = SslAcceptor::mozilla_intermediate_v5(SslMethod::tls()).unwrap();
+        if let Some(cipher_suites) = self.cipher_suites_tls3.as_deref() {
+            dummy_acceptor.set_ciphersuites(cipher_suites)?;
+        }
+        if let Some(cipher_suites) = self.cipher_suites_tls2.as_deref() {
+            dummy_acceptor.set_cipher_list(cipher_suites)?;
+        }
 
         Ok(())
     }
-- 
2.30.2