From: Fabian Grünbichler
To: Hannes Laimer, Proxmox Backup Server development discussion
Date: Mon, 10 Jan 2022 09:14:11 +0100
Subject: Re: [pbs-devel] [PATCH proxmox-backup v3 1/4] config: add tls ciphers to NodeConfig
Message-Id: <1641801939.d19j9733ku.astroid@nora.none>
References: <20220108070809.29315-1-h.laimer@proxmox.com> <20220108070809.29315-2-h.laimer@proxmox.com>

On January 10, 2022 6:40 am, Dietmar Maurer wrote:
> Why do you use a different naming scheme here?
>
> OPENSSL_CIPHER_LIST_REGEX vs. TLS_CIPHERSUITE_LIST_REGEX
>
> What about the following:
>
> TLS1_2_CIPHERSUITE_LIST_REGEX
> TLS1_3_CIPHERSUITE_LIST_REGEX
>
> And why do they have different syntax at all??
>
> Also, AFAIK there is no TLS version 2 or version 3 (it's 1.2 and 1.3). So
> "ciphers-tls2" and "ciphers-tls3" are a bit misleading.
>
> Apache only has a single config called "SSLCipherSuite". Why do we need
> two different configs?

we could do it like Apache[0] and have an optional prefix before the
cipher spec indicating whether it's for <= TLS 1.2 or for TLS 1.3, and
allow specifying it multiple times - but that is not really less
confusing than two parameters?

the contents are incompatible, openssl has different methods for setting
them (with different semantics!), so having two parameters doesn't seem
too bad..

I'll follow whatever the result of this discussion here is for my perl
(PVE/PMG) series in any case ;)

> nginx also uses a single config "ssl_ciphers"

but doesn't support TLS 1.3 cipher suites AFAICT (requiring a workaround
of injecting them via a 'set arbitrary openssl.cnf parameters' nginx
config parameter![1]).

0: https://httpd.apache.org/docs/trunk/mod/mod_ssl.html#sslciphersuite
1: https://trac.nginx.org/nginx/ticket/1529

> On 1/8/22 08:08, Hannes Laimer wrote:
>> diff --git a/pbs-api-types/src/lib.rs b/pbs-api-types/src/lib.rs
>> index 0a0dd33d..b4882064 100644
>> --- a/pbs-api-types/src/lib.rs
>> +++ b/pbs-api-types/src/lib.rs
>> @@ -124,6 +124,10 @@ const_regex! {
>>  
>>      pub FINGERPRINT_SHA256_REGEX = r"^(?:[0-9a-fA-F][0-9a-fA-F])(?::[0-9a-fA-F][0-9a-fA-F]){31}$";
>>  
>> +    pub OPENSSL_CIPHER_LIST_REGEX = r"^[A-Za-z0-9!\-+=@, :]+$";
>> +
>> +    pub TLS_CIPHERSUITE_LIST_REGEX = r"^[A-Za-z0-9_:]+$";
>> +
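Review bot: both patterns added in the `const_regex!` hunk check only the alphabet, not whether OpenSSL accepts the value: `NOTACIPHER` matches `OPENSSL_CIPHER_LIST_REGEX` and `TLS_FOO` matches `TLS_CIPHERSUITE_LIST_REGEX`, yet `SSL_CTX_set_cipher_list` and `SSL_CTX_set_ciphersuites` reject both, so the code path that stores these values should also try to apply them to a throwaway context and fail the request, rather than letting the service refuse to start with the new config later. On naming, the two constants follow different schemes (an OpenSSL API term for one, a TLS term for the other), as already raised in the thread; `TLS1_2_CIPHER_LIST_REGEX` / `TLS1_3_CIPHERSUITE_LIST_REGEX`, each with a one-line doc comment noting that the two syntaxes differ (`!`, `-`, `+` prefixes and `@` directives vs. `_` in suite names), would tell the next reader why there are two.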
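To make the "incompatible contents, different setters" point concrete, here is an added example (not code from the thread or from proxmox-backup) that uses the two regexes from the quoted hunk together with Python's ssl module; Python only wraps the TLS <= 1.2 setter (SSL_CTX_set_cipher_list), so the TLS 1.3 side is observed through get_ciphers(), and the cipher strings are constructed samples.

```python
# Added example (not from the pbs-devel thread or proxmox-backup): the two
# regexes are copied from the quoted hunk; Python's ssl module wraps only the
# TLS <= 1.2 setter (SSL_CTX_set_cipher_list), TLS 1.3 suites show up in get_ciphers().
import re
import ssl
from typing import Dict, List, Optional

OPENSSL_CIPHER_LIST_REGEX = re.compile(r"^[A-Za-z0-9!\-+=@, :]+$")  # TLS <= 1.2 syntax
TLS_CIPHERSUITE_LIST_REGEX = re.compile(r"^[A-Za-z0-9_:]+$")        # TLS 1.3 syntax


def syntax_ok(cipher_list: Optional[str], ciphersuites: Optional[str]) -> bool:
    """The patch's check: each value uses only the alphabet of its own syntax.
    The alphabets differ ('-', '+', '!' vs '_'), so a TLS 1.3 suite name pasted
    into the <= 1.2 field, or vice versa, is already rejected here."""
    if cipher_list is not None and not OPENSSL_CIPHER_LIST_REGEX.match(cipher_list):
        return False
    if ciphersuites is not None and not TLS_CIPHERSUITE_LIST_REGEX.match(ciphersuites):
        return False
    return True


def apply_cipher_list(cipher_list: str) -> Dict[str, List[str]]:
    """Hand a TLS <= 1.2 cipher list to OpenSSL and group the result by protocol.
    Raises ssl.SSLError if OpenSSL selects no TLS <= 1.2 cipher from the string;
    the TLS 1.3 suites are not affected by this call at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_list)  # SSL_CTX_set_cipher_list()
    by_proto: Dict[str, List[str]] = {}
    for c in ctx.get_ciphers():
        by_proto.setdefault(c["protocol"], []).append(c["name"])
    return by_proto


def accepted_by_openssl(cipher_list: str) -> bool:
    """A regex-clean string is not necessarily one OpenSSL accepts, so the
    alphabet check needs to be followed by actually applying the list."""
    try:
        apply_cipher_list(cipher_list)
    except ssl.SSLError:
        return False
    return True


if __name__ == "__main__":
    tls12, tls13 = "ECDHE+AESGCM:!aNULL", "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
    print("both fields valid:", syntax_ok(tls12, tls13), "swapped:", syntax_ok(tls13, tls12))
    print("TLS 1.3 suites still offered:", apply_cipher_list(tls12).get("TLSv1.3"))
    print("regex-clean but unknown to OpenSSL:", accepted_by_openssl("NOTACIPHER"))
```

Running it shows the TLS 1.3 suites listed regardless of what the <= 1.2 cipher list says, which is the "different semantics" the reply refers to.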