public inbox for pbs-devel@lists.proxmox.com
* Re: [pbs-devel] [PATCH proxmox-backup v2 0/3] close #3612: allow config of SSL cipher-suites for proxy
From: Dietmar Maurer @ 2022-01-05 15:16 UTC (permalink / raw)
  To: Hannes Laimer, Proxmox Backup Server development discussion

> Yes, but just hardcoding the list probably won't be enough since the
> string is allowed to contain !, +, - and some other things [1]. This check
> was mostly thought to check if the proxy would still start with the
> given ciphers, not if the given string was valid. Also I'm not sure if
> we should be more strict than openssl [2].

Please test what happens when you pass a string including a newline. I am quite sure we do not want or need that.

* Re: [pbs-devel] [PATCH proxmox-backup v2 0/3] close #3612: allow config of SSL cipher-suites for proxy
From: Hannes Laimer @ 2022-01-05 13:53 UTC (permalink / raw)
  To: Dietmar Maurer, Proxmox Backup Server development discussion

On 05.01.22 at 10:27, Dietmar Maurer wrote:
> 
>> But this does not throw an error:
>>
>> # proxmox-backup-manager node update --cipher-suites-tls2 asdasd,BBB,BBB.XZY,ECDHE-RSA-AES256-SHA
>>
>> Seems ssl simply ignores all unknown ciphers. The only error is when the list contains no known cipher.
> 
> I wonder if we can hardcode the list of available values and parse it correctly? Allowed values would be:
> 
> # openssl ciphers -tls1_2
> # openssl ciphers -tls1_3

Yes, but just hardcoding the list probably won't be enough since the
string is allowed to contain !, +, - and some other things [1]. This check
was mostly thought to check if the proxy would still start with the
given ciphers, not if the given string was valid. Also I'm not sure if
we should be more strict than openssl [2].

[1] https://www.openssl.org/docs/man1.1.1/man1/ciphers.html
[2] https://github.com/openssl/openssl/blob/master/doc/man3/SSL_CTX_set_cipher_list.pod#notes
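As an added example (not code from proxmox-backup or from either poster), the following Python uses the standard ssl module, which wraps SSL_CTX_set_cipher_list(), to reproduce the two behaviours discussed in this thread and to do the stricter pre-check asked for above: a newline or other control character is rejected before OpenSSL ever sees the string, the string as a whole is probed the way the proxy effectively does at startup, and positive entries that match no cipher on their own are reported as silently dropped instead of disappearing. The character allow-list, the function names and the result layout are assumptions of this example, not anything the patch series defines.

```python
"""Pre-check an OpenSSL cipher string before writing it into a node config.

Added example, not proxmox-backup code. Python's ssl module calls
SSL_CTX_set_cipher_list() under the hood, so it shows the same behaviour
as the proxy: unknown entries are dropped silently and the call only fails
when no TLS <= 1.2 cipher is left.
"""
import re
import ssl

# Conservative allow-list (an assumption of this example, stricter than
# OpenSSL's own parser): cipher/keyword characters plus the separators and
# operators documented in ciphers(1): ':' ',' ' ' '!' '-' '+' '@' '=' '.' '_'
ALLOWED = re.compile(r"[A-Za-z0-9:,+!\-@=._ ]+")


def openssl_accepts(cipher_string: str) -> bool:
    """True if SSL_CTX_set_cipher_list() accepts the string, i.e. at least one
    TLS <= 1.2 cipher matched after unknown entries were dropped."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:  # "No cipher can be selected." == no cipher match
        return False
    return True


def validate_cipher_string(cipher_string: str) -> dict:
    """Classify a cipher string.

    Returns {"ok": bool, "error": str or None, "ignored": [tokens]} where
    "ignored" lists positive entries that OpenSSL matched to nothing.
    """
    if not cipher_string:
        return {"ok": False, "error": "empty cipher string", "ignored": []}
    # Reject newlines and other characters that never belong in a cipher
    # string, before OpenSSL (or the config file format) gets to see them.
    if not ALLOWED.fullmatch(cipher_string):
        bad = sorted({c for c in cipher_string if not ALLOWED.fullmatch(c)})
        return {"ok": False, "error": f"illegal characters: {bad!r}", "ignored": []}
    # Same check the proxy would effectively do at startup.
    if not openssl_accepts(cipher_string):
        return {"ok": False, "error": "no cipher match", "ignored": []}
    # The string as a whole is accepted; now look for entries OpenSSL dropped
    # silently. Only positive entries are probed: a negation ("!FOO", "-FOO"),
    # a move-to-end entry ("+FOO") or a directive ("@STRENGTH") yields an
    # empty list on its own anyway, so probing them alone would be misleading.
    ignored = []
    for token in re.split(r"[:, ]+", cipher_string):
        if not token or token[0] in "!-+@":
            continue
        if not openssl_accepts(token):
            ignored.append(token)
    return {"ok": True, "error": None, "ignored": ignored}


if __name__ == "__main__":
    # Constructed inputs: the strings from this thread plus one with a newline.
    for s in ("asdasd,BBB,BBB.XZY",
              "asdasd,BBB,BBB.XZY,ECDHE-RSA-AES256-SHA",
              "HIGH:!aNULL\nDEFAULT"):
        print(repr(s), "->", validate_cipher_string(s))
```

Run against the strings from this thread, the first one fails with "no cipher match" (as Dietmar saw), the second is accepted but reports asdasd, BBB and BBB.XZY as ignored, and the one with an embedded newline is refused before OpenSSL is involved. Whether a config endpoint should hard-fail on ignored entries or only warn is a policy choice; the point of the probe is that the operator learns about the typo at configuration time rather than when the proxy comes up with a different cipher list than intended.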

* Re: [pbs-devel] [PATCH proxmox-backup v2 0/3] close #3612: allow config of SSL cipher-suites for proxy
From: Dietmar Maurer @ 2022-01-05  9:27 UTC (permalink / raw)
  To: Proxmox Backup Server development discussion, Hannes Laimer


> But this does not throw an error:
> 
> # proxmox-backup-manager node update --cipher-suites-tls2 asdasd,BBB,BBB.XZY,ECDHE-RSA-AES256-SHA
> 
> Seems ssl simply ignores all unknown ciphers. The only error is when the list contains no known cipher.

I wonder if we can hardcode the list of available values and parse it correctly? Allowed values would be:

# openssl ciphers -tls1_2
# openssl ciphers -tls1_3

* Re: [pbs-devel] [PATCH proxmox-backup v2 0/3] close #3612: allow config of SSL cipher-suites for proxy
From: Dietmar Maurer @ 2022-01-05  9:09 UTC (permalink / raw)
  To: Proxmox Backup Server development discussion, Hannes Laimer

> I can do the following without getting an error:
> 
> # proxmox-backup-manager node update --cipher-suites-tls2 asdasd,BBB,BBB.XZY
> 
> This makes no sense to me!

Need to correct myself, I get the following error:

Error: error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:../ssl/ssl_lib.c:2566:

But this does not throw an error:

# proxmox-backup-manager node update --cipher-suites-tls2 asdasd,BBB,BBB.XZY,ECDHE-RSA-AES256-SHA

Seems ssl simply ignores all unknown ciphers. The only error is when the list contains no known cipher.

* Re: [pbs-devel] [PATCH proxmox-backup v2 0/3] close #3612: allow config of SSL cipher-suites for proxy
From: Dietmar Maurer @ 2022-01-05  8:55 UTC (permalink / raw)
  To: Proxmox Backup Server development discussion, Hannes Laimer

I can do the following without getting an error:

# proxmox-backup-manager node update --cipher-suites-tls2 asdasd,BBB,BBB.XZY

This makes no sense to me!


> On 01/04/2022 12:48 PM Hannes Laimer <h.laimer@proxmox.com> wrote:
> 
> Cannot be configured in the WebUI, only through proxmox-backup-manager,
> api or in the config file directly (not recommended). For changes to take
> effect the proxy has to be restarted.
> 
> Since the string can be rather long and I assume most of the time the
> defaults are used, it is not in the WebUI.
> 
> v2:
>   - allow setting for TLSv1.3 and TLS <= 1.2 individually
> 
> Hannes Laimer (3):
>   config: add cipher-suites to NodeConfig
>   proxy: use ssl cipher-suites from config if set
>   api2: make cipher-suites updatable
> 
>  src/api2/node/config.rs         |  8 ++++++++
>  src/bin/proxmox-backup-proxy.rs | 10 ++++++++++
>  src/config/node.rs              | 24 ++++++++++++++++++++++++
>  3 files changed, 42 insertions(+)
> 
> -- 
> 2.30.2

* [pbs-devel] [PATCH proxmox-backup v2 0/3] close #3612: allow config of SSL cipher-suites for proxy
From: Hannes Laimer @ 2022-01-04 11:48 UTC (permalink / raw)
  To: pbs-devel

Cannot be configured in the WebUI, only through proxmox-backup-manager,
api or in the config file directly (not recommended). For changes to take
effect the proxy has to be restarted.

Since the string can be rather long and I assume most of the time the
defaults are used, it is not in the WebUI.

v2:
  - allow setting for TLSv1.3 and TLS <= 1.2 individually

Hannes Laimer (3):
  config: add cipher-suites to NodeConfig
  proxy: use ssl cipher-suites from config if set
  api2: make cipher-suites updatable

 src/api2/node/config.rs         |  8 ++++++++
 src/bin/proxmox-backup-proxy.rs | 10 ++++++++++
 src/config/node.rs              | 24 ++++++++++++++++++++++++
 3 files changed, 42 insertions(+)

-- 
2.30.2
