[pbs-devel] applied-series: [PATCH proxmox-backup v4 0/3] close #3612: allow config of SSL cipher-suites for proxy

From: "Fabian Grünbichler" <f.gruenbichler@proxmox.com>
To: Proxmox Backup Server development discussion
	<pbs-devel@lists.proxmox.com>
Subject: [pbs-devel] applied-series: [PATCH proxmox-backup v4 0/3] close #3612: allow config of SSL cipher-suites for proxy
Date: Fri, 14 Jan 2022 11:30:02 +0100	[thread overview]
Message-ID: <1642156111.cju60j9wzs.astroid@nora.none> (raw)
In-Reply-To: <20220111113937.26246-1-h.laimer@proxmox.com>

with following follow-up, and renaming tls12/tls13 to tls-1.2/tls-1.3 
(parameters/config keys) and tls_1_2/tls_1_3 (variable/field names).

commit 1d552d2dd51ed7f23b492160b4c0c3a425fdfd68
Author:     Fabian Grünbichler <f.gruenbichler@proxmox.com>
AuthorDate: Thu Jan 13 10:16:15 2022 +0100
Commit:     Fabian Grünbichler <f.gruenbichler@proxmox.com>
CommitDate: Fri Jan 14 11:02:07 2022 +0100

    ciphers: simplify API schema
    
    these need to be checked (and are) via libssl anyway before persisting,
    and newer versions might contain new ciphers/variants/... (and things
    like @STRENGTH or @SECLEVEL=n were missing).
    
    Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>

diff --git a/pbs-api-types/src/lib.rs b/pbs-api-types/src/lib.rs
index 4ef8eea1..754e7b22 100644
--- a/pbs-api-types/src/lib.rs
+++ b/pbs-api-types/src/lib.rs
@@ -99,20 +99,6 @@ mod local_macros {
     macro_rules! DNS_ALIAS_NAME {
         () => (concat!(r"(?:(?:", DNS_ALIAS_LABEL!() , r"\.)*", DNS_ALIAS_LABEL!(), ")"))
     }
-    macro_rules! OPENSSL_CIPHERSUITE_RE { 
-        () => (
-            r"TLS_AES_256_GCM_SHA384|TLS_CHACHA20_POLY1305_SHA256|TLS_AES_128_GCM_SHA256|TLS_AES_128_CCM_8_SHA256|TLS_AES_128_CCM_SHA256"
-        ) 
-    }
-    macro_rules! OPENSSL_CIPHER_STRING_RE { 
-        () => (concat!(
-            r"([!\-+]?(COMPLEMENTOFDEFAULT|ALL|COMPLEMENTOFALL|HIGH|MEDIUM|LOW|[ae]?NULL|[ka]?RSA|",
-            "kDH[rdE]?|kEDH|DHE?|EDH|ADH|kEECDH|kECDHE|ECDH|ECDHE|EECDH|AECDH|a?DSS|aDH|a?ECDSA|",
-            "SSLv3|AES(128|256)?|GCM|AESGCM|AESCCM|AESCCM8|ARIA(128|256)?|CAMELLIA(128|256)?|",
-            "CHACHA20|3?DES|RC[24]|IDEA|SEED|MD5|SHA(1|256|384)?|aGOST(01)?|kGOST|GOST94|GOST89MAC|",
-            "[ak]?PSK|kECDHEPSK|kDHEPSK|kRSAPSK|SUITEB(128|128ONLY|192)?|CBC3?|POLY1305))+"
-        )) 
-    }
 }
 
 const_regex! {
@@ -137,21 +123,8 @@ const_regex! {
 
     pub FINGERPRINT_SHA256_REGEX = r"^(?:[0-9a-fA-F][0-9a-fA-F])(?::[0-9a-fA-F][0-9a-fA-F]){31}$";
 
-    pub OPENSSL_CIPHERS_TLS_1_2_REGEX = concat!(
-        r"^((",
-        OPENSSL_CIPHER_STRING_RE!(),
-        ")([: ,](",
-        OPENSSL_CIPHER_STRING_RE!(),
-        "))*)$"
-    );
-    
-    pub OPENSSL_CIPHERS_TLS_1_3_REGEX = concat!(
-        r"^((",
-        OPENSSL_CIPHERSUITE_RE!(),
-        ")(:(",
-        OPENSSL_CIPHERSUITE_RE!(),
-        "))*)$"
-    );
+    // just a rough check - dummy acceptor is used before persisting
+    pub OPENSSL_CIPHERS_REGEX = r"^[0-9A-Za-z_:, +!\-@=.]+$";
 
     /// Regex for safe identifiers.
     ///
@@ -189,9 +162,7 @@ pub const BLOCKDEVICE_NAME_FORMAT: ApiStringFormat = ApiStringFormat::Pattern(&B
 pub const SUBSCRIPTION_KEY_FORMAT: ApiStringFormat = ApiStringFormat::Pattern(&SUBSCRIPTION_KEY_REGEX);
 pub const SYSTEMD_DATETIME_FORMAT: ApiStringFormat = ApiStringFormat::Pattern(&SYSTEMD_DATETIME_REGEX);
 pub const HOSTNAME_FORMAT: ApiStringFormat = ApiStringFormat::Pattern(&HOSTNAME_REGEX);
-pub const OPENSSL_CIPHERS_TLS_1_2_FORMAT: ApiStringFormat = ApiStringFormat::Pattern(&OPENSSL_CIPHERS_TLS_1_2_REGEX);
-pub const OPENSSL_CIPHERS_TLS_1_3_FORMAT: ApiStringFormat = ApiStringFormat::Pattern(&OPENSSL_CIPHERS_TLS_1_3_REGEX);
-
+pub const OPENSSL_CIPHERS_TLS_FORMAT: ApiStringFormat = ApiStringFormat::Pattern(&OPENSSL_CIPHERS_REGEX);
 
 pub const DNS_ALIAS_FORMAT: ApiStringFormat =
     ApiStringFormat::Pattern(&DNS_ALIAS_REGEX);
@@ -221,12 +192,12 @@ pub const HOSTNAME_SCHEMA: Schema = StringSchema::new("Hostname (as defined in R
     .format(&HOSTNAME_FORMAT)
     .schema();
 
-pub const OPENSSL_CIPHERS_TLS_1_2_SCHEMA: Schema = StringSchema::new("OpenSSL cipher string list used by the proxy for TLS <= 1.2")
-    .format(&OPENSSL_CIPHERS_TLS_1_2_FORMAT)
+pub const OPENSSL_CIPHERS_TLS_1_2_SCHEMA: Schema = StringSchema::new("OpenSSL cipher list used by the proxy for TLS <= 1.2")
+    .format(&OPENSSL_CIPHERS_TLS_FORMAT)
     .schema();
 
-pub const OPENSSL_CIPHERS_TLS_1_3_SCHEMA: Schema = StringSchema::new("OpenSSL ciphersuites list used by the proxy for TLSv1.3")
-    .format(&OPENSSL_CIPHERS_TLS_1_3_FORMAT)
+pub const OPENSSL_CIPHERS_TLS_1_3_SCHEMA: Schema = StringSchema::new("OpenSSL ciphersuites list used by the proxy for TLS 1.3")
+    .format(&OPENSSL_CIPHERS_TLS_FORMAT)
     .schema();
 
 pub const DNS_NAME_FORMAT: ApiStringFormat =

On January 11, 2022 12:39 pm, Hannes Laimer wrote:
> Cannot be configured in the WebUI, only through proxmox-backup-manager,
> api or in the config file directly(not recommended). For changes to take
> effect the proxy has to be restarted.
> 
> Since the string can be rather long and I assume most of the time the
> defaults are used, it is not in the WebUI.
> 
> v2:
>   - allow setting for TLSv1.3 and TLS <= 1.2 individually
> 
> v3:
>   - add proper regex
> 
> v4:
>   - renaming variables
> 
> Hannes Laimer (3):
>   config: add tls ciphers to NodeConfig
>   proxy: use ciphers from config if set
>   api2: make tls ciphers updatable
> 
>  pbs-api-types/src/lib.rs        | 41 +++++++++++++++++++++++++++++++++
>  src/api2/node/config.rs         |  8 +++++++
>  src/bin/proxmox-backup-proxy.rs | 10 ++++++++
>  src/config/node.rs              | 26 ++++++++++++++++++++-
>  4 files changed, 84 insertions(+), 1 deletion(-)
> 
> -- 
> 2.30.2
> 
> 
> 
> _______________________________________________
> pbs-devel mailing list
> pbs-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel
> 
> 
> 



