From: "Fabian Grünbichler" <f.gruenbichler@proxmox.com>
To: Proxmox Backup Server development discussion
	<pbs-devel@lists.proxmox.com>
Subject: Re: [pbs-devel] [PATCH proxmox-backup 0/3] close #3612: allow config of SSL cipher-suites for proxy
Date: Fri, 17 Dec 2021 10:50:26 +0100
Message-ID: <1639734347.z3e0ir7gr7.astroid@nora.none>
In-Reply-To: <20211216163109.11109-1-h.laimer@proxmox.com>

On December 16, 2021 5:31 pm, Hannes Laimer wrote:
> Cannot be configured in the WebUI, only through proxmox-backup-manager,
> api or in the config file directly (not recommended). For changes to take
> effect the proxy has to be restarted.
> 
> Since the string can be rather long and I assume most of the time the
> defaults are used, it is not in the WebUI.

there are actually two different strings (unfortunately):

cipher_list in OpenSSL parlance is for TLS <= 1.2
ciphersuites is for TLS 1.3

the format is not compatible, so we likely need to expose it as two 
options (or two properties of a 'tls' option? if we also want to make 
supported TLS versions configurable in the future for example that would 
make sense).

PVE currently only does the former via /etc/default/pveproxy, but I'll 
send patches for that soon. for PBS we should support both from the 
start, and take care not to mix up the terminology (that would confuse 
users that already know about this weird API split). I'd also add the 
relevant TLS version info into the option description ;)

 https://docs.rs/openssl/latest/openssl/ssl/struct.SslAcceptorBuilder.html#method.set_ciphersuites
 https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_ciphersuites.html

> 
> Hannes Laimer (3):
>   config: add cipher-suites to NodeConfig
>   proxy: use ssl cipher-suites from config if set
>   api2: make cipher-suites updatable
> 
>  src/api2/node/config.rs         |  4 ++++
>  src/bin/proxmox-backup-proxy.rs |  6 ++++++
>  src/config/node.rs              | 13 +++++++++++++
>  3 files changed, 23 insertions(+)
> 
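An added example (not part of this thread or of the PBS code base) modelling the split the reply describes as a node config check: two separate strings, with a validator that refuses TLS 1.3 suite names in the cipher list (where OpenSSL does not apply them) and anything other than exact TLS 1.3 names in the ciphersuites string. The `TlsConfig` struct, `validate` function and the sample values are my own assumptions.

```rust
/// Hypothetical config section: one string per OpenSSL API.
#[derive(Debug, Default, PartialEq)]
pub struct TlsConfig {
    /// OpenSSL "cipher list" string (SSL_CTX_set_cipher_list), TLS <= 1.2 only.
    pub cipher_list: Option<String>,
    /// OpenSSL "ciphersuites" string (SSL_CTX_set_ciphersuites), TLS 1.3 only.
    pub ciphersuites: Option<String>,
}

/// The TLS 1.3 ciphersuite names OpenSSL accepts in SSL_CTX_set_ciphersuites().
const TLS13_SUITES: &[&str] = &[
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
];

/// Reject configs that mix up the two formats before they reach the proxy.
pub fn validate(cfg: &TlsConfig) -> Result<(), String> {
    if let Some(list) = &cfg.cipher_list {
        for entry in list.split(':') {
            // Strip cipher-list modifiers ("!", "-", "+") before comparing names.
            let name = entry.trim_start_matches(&['!', '-', '+'][..]);
            // cipher_list never governs TLS 1.3, so a TLS 1.3 name here has no
            // effect: the user would silently keep the default TLS 1.3 suites.
            if TLS13_SUITES.contains(&name) {
                return Err(format!(
                    "'{}' is a TLS 1.3 ciphersuite; set it in 'ciphersuites', not 'cipher_list'",
                    name
                ));
            }
        }
    }
    if let Some(suites) = &cfg.ciphersuites {
        // The TLS 1.3 string has a much simpler grammar: a colon-separated list
        // of exact suite names, no keywords such as HIGH and no modifiers.
        for entry in suites.split(':') {
            if !TLS13_SUITES.contains(&entry) {
                return Err(format!("'{}' is not a valid TLS 1.3 ciphersuite", entry));
            }
        }
    }
    Ok(())
}

fn main() {
    // Constructed sample values, not PBS defaults.
    let cfg = TlsConfig {
        cipher_list: Some("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5".to_string()),
        ciphersuites: Some("TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256".to_string()),
    };
    println!("{:?}", validate(&cfg));
}
```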