public inbox for pbs-devel@lists.proxmox.com
* Re: [pbs-devel] [PATCH proxmox-backup v2 0/3] close #3612: allow config of SSL cipher-suites for proxy
@ 2022-01-05 15:16 Dietmar Maurer
  0 siblings, 0 replies; 6+ messages in thread
From: Dietmar Maurer @ 2022-01-05 15:16 UTC (permalink / raw)
  To: Hannes Laimer, Proxmox Backup Server development discussion

> Yes, but just hardcoding the list probably won't be enough since the
> string is allowed to contain !,+,- and some other things[1]. This check
> was mostly thought to check if the proxy would still start with the
> given ciphers, not if the given string was valid. Also I'm not sure if
> we should be more strict than openssl[2].

Please test what happens when you pass a string including a newline. I am quite sure we do not want or need that.




* Re: [pbs-devel] [PATCH proxmox-backup v2 0/3] close #3612: allow config of SSL cipher-suites for proxy
@ 2022-01-05  9:27 Dietmar Maurer
  2022-01-05 13:53 ` Hannes Laimer
  0 siblings, 1 reply; 6+ messages in thread
From: Dietmar Maurer @ 2022-01-05  9:27 UTC (permalink / raw)
  To: Proxmox Backup Server development discussion, Hannes Laimer


> But this does not throw an error:
> 
> # proxmox-backup-manager node update --cipher-suites-tls2 asdasd,BBB,BBB.XZY,ECDHE-RSA-AES256-SHA
> 
> Seems ssl simply ignores all unknown ciphers. The only error is when the list contains no known cipher.

I wonder if we can hardcode the list of available values and parse it correctly? Allowed values would be:

# openssl ciphers -tls1_2
# openssl ciphers -tls1_3
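
An added example, not part of this thread or of the proxmox-backup code: a strict pre-check that reports unknown cipher names instead of letting OpenSSL skip them, accepts the `!`, `+`, `-` operators, and rejects newlines. `validate_cipher_list` is a hypothetical helper and `KNOWN` is a constructed sample list.

```rust
// Constructed sample; generate the real list from `openssl ciphers -tls1_2`
// plus whichever selection keywords (HIGH, aNULL, ...) you want to permit.
const KNOWN: &[&str] = &[
    "ECDHE-RSA-AES256-SHA", "ECDHE-RSA-AES256-GCM-SHA384",
    "HIGH", "ECDHE", "AESGCM", "aNULL", "MD5",
];

#[derive(Debug, PartialEq)]
pub enum CipherListError {
    Empty,
    ControlChar(char),
    UnknownName(String),
}

/// Hypothetical helper: Ok only if every element of the list is recognised.
pub fn validate_cipher_list(input: &str) -> Result<Vec<String>, CipherListError> {
    // Refuse newlines and other control characters before parsing anything.
    if let Some(c) = input.chars().find(|c| c.is_control()) {
        return Err(CipherListError::ControlChar(c));
    }
    let mut accepted = Vec::new();
    // OpenSSL separates list elements with ':', ',' or ' '.
    for element in input.split(&[':', ',', ' '][..]).filter(|e| !e.is_empty()) {
        // "@STRENGTH" and "@SECLEVEL=n" are commands, not cipher names.
        let is_command = element == "@STRENGTH"
            || element.strip_prefix("@SECLEVEL=")
                .map_or(false, |n| matches!(n, "0" | "1" | "2" | "3" | "4" | "5"));
        if !is_command {
            // One leading '!', '-' or '+' is an operator on the element.
            let body = element.strip_prefix(&['!', '-', '+'][..]).unwrap_or(element);
            // 'A+B' selects the intersection; every part must be known.
            for name in body.split('+') {
                if !KNOWN.iter().any(|k| *k == name) {
                    return Err(CipherListError::UnknownName(name.to_string()));
                }
            }
        }
        accepted.push(element.to_string());
    }
    if accepted.is_empty() {
        return Err(CipherListError::Empty);
    }
    Ok(accepted)
}

fn main() {
    // Cipher string taken from the thread; the first unknown name is reported.
    println!("{:?}", validate_cipher_list("asdasd,BBB,BBB.XZY,ECDHE-RSA-AES256-SHA"));
}
```
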




* Re: [pbs-devel] [PATCH proxmox-backup v2 0/3] close #3612: allow config of SSL cipher-suites for proxy
@ 2022-01-05  9:09 Dietmar Maurer
  0 siblings, 0 replies; 6+ messages in thread
From: Dietmar Maurer @ 2022-01-05  9:09 UTC (permalink / raw)
  To: Proxmox Backup Server development discussion, Hannes Laimer

> I can do the following without getting an error:
> 
> # proxmox-backup-manager node update --cipher-suites-tls2 asdasd,BBB,BBB.XZY
> 
> This makes no sense to me!

Need to correct myself, I get the following error:

Error: error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:../ssl/ssl_lib.c:2566:

But this does not throw an error:

# proxmox-backup-manager node update --cipher-suites-tls2 asdasd,BBB,BBB.XZY,ECDHE-RSA-AES256-SHA

Seems ssl simply ignores all unknown ciphers. The only error is when the list contains no known cipher.




* Re: [pbs-devel] [PATCH proxmox-backup v2 0/3] close #3612: allow config of SSL cipher-suites for proxy
@ 2022-01-05  8:55 Dietmar Maurer
  0 siblings, 0 replies; 6+ messages in thread
From: Dietmar Maurer @ 2022-01-05  8:55 UTC (permalink / raw)
  To: Proxmox Backup Server development discussion, Hannes Laimer

I can do the following without getting an error:

# proxmox-backup-manager node update --cipher-suites-tls2 asdasd,BBB,BBB.XZY

This makes no sense to me!


> On 01/04/2022 12:48 PM Hannes Laimer <h.laimer@proxmox.com> wrote:
> 
>  
> Cannot be configured in the WebUI, only through proxmox-backup-manager,
> api or in the config file directly (not recommended). For changes to take
> effect the proxy has to be restarted.
> 
> Since the string can be rather long and I assume most of the time the
> defaults are used, it is not in the WebUI.
> 
> v2:
>   - allow setting for TLSv1.3 and TLS <= 1.2 individually
> 
> Hannes Laimer (3):
>   config: add cipher-suites to NodeConfig
>   proxy: use ssl cipher-suites from config if set
>   api2: make cipher-suites updatable
> 
>  src/api2/node/config.rs         |  8 ++++++++
>  src/bin/proxmox-backup-proxy.rs | 10 ++++++++++
>  src/config/node.rs              | 24 ++++++++++++++++++++++++
>  3 files changed, 42 insertions(+)
> 
> -- 
> 2.30.2
> 
> 
> 




* [pbs-devel] [PATCH proxmox-backup v2 0/3] close #3612: allow config of SSL cipher-suites for proxy
@ 2022-01-04 11:48 Hannes Laimer
  0 siblings, 0 replies; 6+ messages in thread
From: Hannes Laimer @ 2022-01-04 11:48 UTC (permalink / raw)
  To: pbs-devel

Cannot be configured in the WebUI, only through proxmox-backup-manager,
api or in the config file directly (not recommended). For changes to take
effect the proxy has to be restarted.

Since the string can be rather long and I assume most of the time the
defaults are used, it is not in the WebUI.

v2:
  - allow setting for TLSv1.3 and TLS <= 1.2 individually

Hannes Laimer (3):
  config: add cipher-suites to NodeConfig
  proxy: use ssl cipher-suites from config if set
  api2: make cipher-suites updatable

 src/api2/node/config.rs         |  8 ++++++++
 src/bin/proxmox-backup-proxy.rs | 10 ++++++++++
 src/config/node.rs              | 24 ++++++++++++++++++++++++
 3 files changed, 42 insertions(+)

-- 
2.30.2




