From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 8407660E3B for ; Fri, 14 Jan 2022 11:30:40 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 72DE328939 for ; Fri, 14 Jan 2022 11:30:10 +0100 (CET) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS id 5B6662892E for ; Fri, 14 Jan 2022 11:30:09 +0100 (CET) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 3AA5646CA0 for ; Fri, 14 Jan 2022 11:30:09 +0100 (CET) Date: Fri, 14 Jan 2022 11:30:02 +0100 From: Fabian =?iso-8859-1?q?Gr=FCnbichler?= To: Proxmox Backup Server development discussion References: <20220111113937.26246-1-h.laimer@proxmox.com> In-Reply-To: <20220111113937.26246-1-h.laimer@proxmox.com> MIME-Version: 1.0 User-Agent: astroid/0.15.0 (https://github.com/astroidmail/astroid) Message-Id: <1642156111.cju60j9wzs.astroid@nora.none> Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-SPAM-LEVEL: Spam detection results: 0 AWL 0.223 Adjusted score from AWL reputation of 
From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: [pbs-devel] applied-series: [PATCH proxmox-backup v4 0/3] close #3612: allow config of SSL cipher-suites for proxy X-BeenThere: pbs-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Backup Server development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 14 Jan 2022 10:30:40 -0000 with following follow-up, and renaming tls12/tls13 to tls-1.2/tls-1.3=20 (parameters/config keys) and tls_1_2/tls_1_3 (variable/field names). commit 1d552d2dd51ed7f23b492160b4c0c3a425fdfd68 Author: Fabian Gr=C3=BCnbichler AuthorDate: Thu Jan 13 10:16:15 2022 +0100 Commit: Fabian Gr=C3=BCnbichler CommitDate: Fri Jan 14 11:02:07 2022 +0100 ciphers: simplify API schema =20 these need to be checked (and are) via libssl anyway before persisting, and newer versions might contain new ciphers/variants/... (and things like @STRENGTH or @SECLEVEL=3Dn were missing). =20 Signed-off-by: Fabian Gr=C3=BCnbichler diff --git a/pbs-api-types/src/lib.rs b/pbs-api-types/src/lib.rs index 4ef8eea1..754e7b22 100644 --- a/pbs-api-types/src/lib.rs +++ b/pbs-api-types/src/lib.rs 
@@ -99,20 +99,6 @@ mod local_macros { macro_rules! DNS_ALIAS_NAME { () =3D> (concat!(r"(?:(?:", DNS_ALIAS_LABEL!() , r"\.)*", DNS_ALIA= S_LABEL!(), ")")) } - macro_rules! OPENSSL_CIPHERSUITE_RE {=20 - () =3D> ( - r"TLS_AES_256_GCM_SHA384|TLS_CHACHA20_POLY1305_SHA256|TLS_AES_= 128_GCM_SHA256|TLS_AES_128_CCM_8_SHA256|TLS_AES_128_CCM_SHA256" - )=20 - } - macro_rules! OPENSSL_CIPHER_STRING_RE {=20 - () =3D> (concat!( - r"([!\-+]?(COMPLEMENTOFDEFAULT|ALL|COMPLEMENTOFALL|HIGH|MEDIUM= |LOW|[ae]?NULL|[ka]?RSA|", - "kDH[rdE]?|kEDH|DHE?|EDH|ADH|kEECDH|kECDHE|ECDH|ECDHE|EECDH|AE= CDH|a?DSS|aDH|a?ECDSA|", - "SSLv3|AES(128|256)?|GCM|AESGCM|AESCCM|AESCCM8|ARIA(128|256)?|= CAMELLIA(128|256)?|", - "CHACHA20|3?DES|RC[24]|IDEA|SEED|MD5|SHA(1|256|384)?|aGOST(01)= ?|kGOST|GOST94|GOST89MAC|", - "[ak]?PSK|kECDHEPSK|kDHEPSK|kRSAPSK|SUITEB(128|128ONLY|192)?|C= BC3?|POLY1305))+" - ))=20 - } } =20 const_regex! { @@ -137,21 +123,8 @@ const_regex! { =20 pub FINGERPRINT_SHA256_REGEX =3D r"^(?:[0-9a-fA-F][0-9a-fA-F])(?::[0-9= a-fA-F][0-9a-fA-F]){31}$"; =20 - pub OPENSSL_CIPHERS_TLS_1_2_REGEX =3D concat!( - r"^((", - OPENSSL_CIPHER_STRING_RE!(), - ")([: ,](", - OPENSSL_CIPHER_STRING_RE!(), - "))*)$" - ); - =20 - pub OPENSSL_CIPHERS_TLS_1_3_REGEX =3D concat!( - r"^((", - OPENSSL_CIPHERSUITE_RE!(), - ")(:(", - OPENSSL_CIPHERSUITE_RE!(), - "))*)$" - ); + // just a rough check - dummy acceptor is used before persisting + pub OPENSSL_CIPHERS_REGEX =3D r"^[0-9A-Za-z_:, +!\-@=3D.]+$"; =20 /// Regex for safe identifiers. /// 
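Review bot: The comment on the new `OPENSSL_CIPHERS_REGEX` in the second hunk (`// just a rough check - dummy acceptor is used before persisting`) does not say what the pattern does and does not guarantee, which matters now that the strict per-protocol regexes are gone: the class `[0-9A-Za-z_:, +!\-@=.]+` (`=3D` in the mail is quoted-printable for `=`) is a character allowlist, not a grammar, so leading separators, unknown cipher names or a TLS 1.3 suite string written with `,`/space separators all pass it and have to be caught by libssl. Since the same format now backs both the TLS <= 1.2 cipher list and the TLS 1.3 ciphersuites schema, the acceptor check the comment refers to has to exercise both strings; that code is outside this diff, so I am assuming it does. I would spell that out where the regex is defined, e.g. `// Character allowlist only (names plus the ':' ',' ' ' separators and the '!' '-' '+' '@' '=' modifiers); it checks neither syntax nor cipher names.` followed by `// Real validation happens via libssl: the value is only persisted after a dummy acceptor accepted it for the protocol version it is configured for.`, so nobody later drops the acceptor step believing the schema validates.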
@@ -189,9 +162,7 @@ pub const BLOCKDEVICE_NAME_FORMAT: ApiStringFormat =3D = ApiStringFormat::Pattern(&B pub const SUBSCRIPTION_KEY_FORMAT: ApiStringFormat =3D ApiStringFormat::Pa= ttern(&SUBSCRIPTION_KEY_REGEX); pub const SYSTEMD_DATETIME_FORMAT: ApiStringFormat =3D ApiStringFormat::Pa= ttern(&SYSTEMD_DATETIME_REGEX); pub const HOSTNAME_FORMAT: ApiStringFormat =3D ApiStringFormat::Pattern(&H= OSTNAME_REGEX); -pub const OPENSSL_CIPHERS_TLS_1_2_FORMAT: ApiStringFormat =3D ApiStringFor= mat::Pattern(&OPENSSL_CIPHERS_TLS_1_2_REGEX); -pub const OPENSSL_CIPHERS_TLS_1_3_FORMAT: ApiStringFormat =3D ApiStringFor= mat::Pattern(&OPENSSL_CIPHERS_TLS_1_3_REGEX); - +pub const OPENSSL_CIPHERS_TLS_FORMAT: ApiStringFormat =3D ApiStringFormat:= :Pattern(&OPENSSL_CIPHERS_REGEX); =20 pub const DNS_ALIAS_FORMAT: ApiStringFormat =3D ApiStringFormat::Pattern(&DNS_ALIAS_REGEX); 
@@ -221,12 +192,12 @@ pub const HOSTNAME_SCHEMA: Schema =3D StringSchema::n= ew("Hostname (as defined in R .format(&HOSTNAME_FORMAT) .schema(); =20 -pub const OPENSSL_CIPHERS_TLS_1_2_SCHEMA: Schema =3D StringSchema::new("Op= enSSL cipher string list used by the proxy for TLS <=3D 1.2") - .format(&OPENSSL_CIPHERS_TLS_1_2_FORMAT) +pub const OPENSSL_CIPHERS_TLS_1_2_SCHEMA: Schema =3D StringSchema::new("Op= enSSL cipher list used by the proxy for TLS <=3D 1.2") + .format(&OPENSSL_CIPHERS_TLS_FORMAT) .schema(); =20 -pub const OPENSSL_CIPHERS_TLS_1_3_SCHEMA: Schema =3D StringSchema::new("Op= enSSL ciphersuites list used by the proxy for TLSv1.3") - .format(&OPENSSL_CIPHERS_TLS_1_3_FORMAT) +pub const OPENSSL_CIPHERS_TLS_1_3_SCHEMA: Schema =3D StringSchema::new("Op= enSSL ciphersuites list used by the proxy for TLS 1.3") + .format(&OPENSSL_CIPHERS_TLS_FORMAT) .schema(); =20 pub const DNS_NAME_FORMAT: ApiStringFormat =3D On January 11, 2022 12:39 pm, Hannes Laimer wrote: > Cannot be configured in the WebUI, only through proxmox-backup-manager, > api or in the config file directly(not recommended). For changes to take > effect the proxy has to be restarted. >=20 > Since the string can be rather long and I assume most of the time the > defaults are used, it is not in the WebUI. 
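Review bot: The reworded descriptions of `OPENSSL_CIPHERS_TLS_1_2_SCHEMA` and `OPENSSL_CIPHERS_TLS_1_3_SCHEMA` still do not tell an API user two things they need: that the format is only a character allowlist and the real check is done by libssl before the value is stored, and that the proxy has to be restarted for a new value to take effect (the quoted cover letter says so, the schema does not). I would extend the strings, e.g. `"OpenSSL cipher list used by the proxy for TLS <= 1.2 (validated via libssl, takes effect after proxy restart)"` and the matching wording for the TLS 1.3 ciphersuites schema. Neither schema bounds the length of the string; if the project's `StringSchema` builder is used with `.max_length(..)` elsewhere, adding one here would keep an oversized value from reaching the acceptor check at all.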
>=20 > v2: > - allow setting for TLSv1.3 and TLS <=3D 1.2 individually >=20 > v3: > - add proper regex >=20 > v4: > - renaming variables >=20 > Hannes Laimer (3): > config: add tls ciphers to NodeConfig > proxy: use ciphers from config if set > api2: make tls ciphers updatable >=20 > pbs-api-types/src/lib.rs | 41 +++++++++++++++++++++++++++++++++ > src/api2/node/config.rs | 8 +++++++ > src/bin/proxmox-backup-proxy.rs | 10 ++++++++ > src/config/node.rs | 26 ++++++++++++++++++++- > 4 files changed, 84 insertions(+), 1 deletion(-) >=20 > --=20 > 2.30.2 >=20 >=20 >=20 > _______________________________________________ > pbs-devel mailing list > pbs-devel@lists.proxmox.com > https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel >=20 >=20 >=20