* Re: [pbs-devel] [PATCH proxmox-backup v2 0/3] close #3612: allow config of SSL cipher-suites for proxy
@ 2022-01-05 9:27 Dietmar Maurer
2022-01-05 13:53 ` Hannes Laimer
0 siblings, 1 reply; 6+ messages in thread
From: Dietmar Maurer @ 2022-01-05 9:27 UTC (permalink / raw)
To: Proxmox Backup Server development discussion, Hannes Laimer
> But this does not throw an error:
>
> # proxmox-backup-manager node update --cipher-suites-tls2 asdasd,BBB,BBB.XZY,ECDHE-RSA-AES256-SHA
>
> Seems ssl simply ignores all unknown ciphers. The only error is when the list contains no known cipher.
I wonder if we can hardcode the list of available values and parse it correctly? Allowed values would be:
# openssl ciphers -tls1_2
# openssl ciphers -tls1_3
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [pbs-devel] [PATCH proxmox-backup v2 0/3] close #3612: allow config of SSL cipher-suites for proxy
2022-01-05 9:27 [pbs-devel] [PATCH proxmox-backup v2 0/3] close #3612: allow config of SSL cipher-suites for proxy Dietmar Maurer
@ 2022-01-05 13:53 ` Hannes Laimer
0 siblings, 0 replies; 6+ messages in thread
From: Hannes Laimer @ 2022-01-05 13:53 UTC (permalink / raw)
To: Dietmar Maurer, Proxmox Backup Server development discussion
On 05.01.22 at 10:27, Dietmar Maurer wrote:
>
>> But this does not throw an error:
>>
>> # proxmox-backup-manager node update --cipher-suites-tls2 asdasd,BBB,BBB.XZY,ECDHE-RSA-AES256-SHA
>>
>> Seems ssl simply ignores all unknown ciphers. The only error is when the list contains no known cipher.
>
> I wonder if we can hardcode the list of available values and parse it correctly? Allowed values would be:
>
> # openssl ciphers -tls1_2
> # openssl ciphers -tls1_3
Yes, but just hardcoding the list probably won't be enough since the
string is allowed to contain !,+,- and some other things[1]. This check
was mostly thought to check if the proxy would still start with the
given ciphers, not if the given string was valid. Also I'm not sure if
we should be more strict than openssl[2].
[1] https://www.openssl.org/docs/man1.1.1/man1/ciphers.html
[2] https://github.com/openssl/openssl/blob/master/doc/man3/SSL_CTX_set_cipher_list.pod#notes
* Re: [pbs-devel] [PATCH proxmox-backup v2 0/3] close #3612: allow config of SSL cipher-suites for proxy
@ 2022-01-05 15:16 Dietmar Maurer
0 siblings, 0 replies; 6+ messages in thread
From: Dietmar Maurer @ 2022-01-05 15:16 UTC (permalink / raw)
To: Hannes Laimer, Proxmox Backup Server development discussion
> Yes, but just hardcoding the list probably won't be enough since the
> string is allowed to contain !,+,- and some other things[1]. This check
> was mostly thought to check if the proxy would still start with the
> given ciphers, not if the given string was valid. Also I'm not sure if
> we should be more strict than openssl[2].
Please test what happens when you pass a string including a newline. I am quite sure we do not want or need that.
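The thread circles around three checks: rejecting garbage such as a newline before the string reaches OpenSSL, deciding how much of the ciphers(1) grammar (`!`, `-`, `+`, `@STRENGTH`, `@SECLEVEL=n`) to accept, and whether to hardcode a list of known names. The following is an added example, not code from the patch or from proxmox-backup, showing one way to split those concerns: a purely syntactic pre-check for the TLS <= 1.2 string (character set, separators, modifiers), and an exact-match check against the five TLS 1.3 suites OpenSSL 1.1.1 accepts in SSL_CTX_set_ciphersuites(). The function names and the error enum are assumptions. Well-formed but unknown names such as `asdasd` still pass this check; catching those is left to OpenSSL's own `no cipher match` error, which is the point Hannes makes about not being stricter than OpenSSL.

```rust
// Added example: syntactic pre-validation of cipher-suite strings before
// they are handed to OpenSSL. Not the proxmox-backup implementation;
// function names and the error type are assumptions.

/// Why a cipher-suite string was rejected before it reached OpenSSL.
#[derive(Debug, PartialEq)]
pub enum CipherStringError {
    Empty,
    ControlChar(char),
    BadToken(String),
    UnknownTls13Suite(String),
}

/// The five suites OpenSSL 1.1.1 accepts in SSL_CTX_set_ciphersuites()
/// (TLS 1.3 list: plain names, colon-separated, no modifiers).
pub const TLS13_SUITES: [&str; 5] = [
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
];

/// Reject anything outside printable ASCII. This is the "newline" check:
/// control characters, including '\n' and '\r', are never part of a valid string.
fn check_charset(s: &str) -> Result<(), CipherStringError> {
    if let Some(c) = s.chars().find(|c| !c.is_ascii_graphic() && *c != ' ') {
        return Err(CipherStringError::ControlChar(c));
    }
    Ok(())
}

/// Validate a TLS <= 1.2 cipher string (SSL_CTX_set_cipher_list syntax):
/// tokens separated by ':', ',' or spaces; a token may start with '!', '-' or '+',
/// be a directive ('@STRENGTH', '@SECLEVEL=n'), and names may be ANDed with '+'.
/// Returns the accepted tokens; unknown-but-well-formed names are NOT rejected here.
pub fn validate_tls12_cipher_list(s: &str) -> Result<Vec<String>, CipherStringError> {
    check_charset(s)?;
    let mut tokens = Vec::new();
    for raw in s.split(|c: char| c == ':' || c == ',' || c == ' ').filter(|t| !t.is_empty()) {
        let body = match raw.chars().next() {
            Some('!') | Some('-') | Some('+') => &raw[1..],
            Some('@') => {
                // Directives: exactly "@STRENGTH" or "@SECLEVEL=<single digit>".
                let ok = raw == "@STRENGTH"
                    || raw
                        .strip_prefix("@SECLEVEL=")
                        .map_or(false, |n| n.len() == 1 && n.chars().all(|c| c.is_ascii_digit()));
                if !ok {
                    return Err(CipherStringError::BadToken(raw.to_string()));
                }
                tokens.push(raw.to_string());
                continue;
            }
            _ => raw,
        };
        // Remaining body: one or more cipher/alias names joined by '+'.
        let well_formed = !body.is_empty()
            && body.split('+').all(|part| {
                !part.is_empty()
                    && part.chars().all(|c| c.is_ascii_alphanumeric() || c == '-' || c == '_')
            });
        if !well_formed {
            return Err(CipherStringError::BadToken(raw.to_string()));
        }
        tokens.push(raw.to_string());
    }
    if tokens.is_empty() {
        return Err(CipherStringError::Empty);
    }
    Ok(tokens)
}

/// Validate a TLS 1.3 ciphersuite string against the hardcoded list.
pub fn validate_tls13_ciphersuites(s: &str) -> Result<Vec<String>, CipherStringError> {
    check_charset(s)?;
    let mut out = Vec::new();
    for name in s.split(':').filter(|t| !t.is_empty()) {
        if !TLS13_SUITES.contains(&name) {
            return Err(CipherStringError::UnknownTls13Suite(name.to_string()));
        }
        out.push(name.to_string());
    }
    if out.is_empty() {
        return Err(CipherStringError::Empty);
    }
    Ok(out)
}

fn main() {
    // Constructed inputs, including the ones from the thread and a trailing newline.
    for s in ["ECDHE-RSA-AES256-SHA:!aNULL:@STRENGTH", "asdasd,BBB,BBB.XZY", "HIGH\n"] {
        println!("{:?} -> {:?}", s, validate_tls12_cipher_list(s));
    }
    println!("{:?}", validate_tls13_ciphersuites("TLS_AES_256_GCM_SHA384:TLS_FOO"));
}
```

Running a string through `validate_tls12_cipher_list` first and only then through `SSL_CTX_set_cipher_list` gives a clear error for `BBB.XZY` or an embedded newline while still letting OpenSSL decide which names it knows, so the effective cipher set never silently differs from what the configuration says it is.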
* Re: [pbs-devel] [PATCH proxmox-backup v2 0/3] close #3612: allow config of SSL cipher-suites for proxy
@ 2022-01-05 9:09 Dietmar Maurer
0 siblings, 0 replies; 6+ messages in thread
From: Dietmar Maurer @ 2022-01-05 9:09 UTC (permalink / raw)
To: Proxmox Backup Server development discussion, Hannes Laimer
> I can do the following without getting an error:
>
> # proxmox-backup-manager node update --cipher-suites-tls2 asdasd,BBB,BBB.XZY
>
> This makes no sense to me!
Need to correct myself, I get the following error:
Error: error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match:../ssl/ssl_lib.c:2566:
But this does not throw an error:
# proxmox-backup-manager node update --cipher-suites-tls2 asdasd,BBB,BBB.XZY,ECDHE-RSA-AES256-SHA
Seems ssl simply ignores all unknown ciphers. The only error is when the list contains no known cipher.
* Re: [pbs-devel] [PATCH proxmox-backup v2 0/3] close #3612: allow config of SSL cipher-suites for proxy
@ 2022-01-05 8:55 Dietmar Maurer
0 siblings, 0 replies; 6+ messages in thread
From: Dietmar Maurer @ 2022-01-05 8:55 UTC (permalink / raw)
To: Proxmox Backup Server development discussion, Hannes Laimer
I can do the following without getting an error:
# proxmox-backup-manager node update --cipher-suites-tls2 asdasd,BBB,BBB.XZY
This makes no sense to me!
> On 01/04/2022 12:48 PM Hannes Laimer <h.laimer@proxmox.com> wrote:
>
>
> Cannot be configured in the WebUI, only through proxmox-backup-manager,
> api or in the config file directly (not recommended). For changes to take
> effect the proxy has to be restarted.
>
> Since the string can be rather long and I assume most of the time the
> defaults are used, it is not in the WebUI.
>
> v2:
> - allow setting for TLSv1.3 and TLS <= 1.2 individually
>
> Hannes Laimer (3):
> config: add cipher-suites to NodeConfig
> proxy: use ssl cipher-suites from config if set
> api2: make cipher-suites updatable
>
> src/api2/node/config.rs | 8 ++++++++
> src/bin/proxmox-backup-proxy.rs | 10 ++++++++++
> src/config/node.rs | 24 ++++++++++++++++++++++++
> 3 files changed, 42 insertions(+)
>
> --
> 2.30.2
* [pbs-devel] [PATCH proxmox-backup v2 0/3] close #3612: allow config of SSL cipher-suites for proxy
@ 2022-01-04 11:48 Hannes Laimer
0 siblings, 0 replies; 6+ messages in thread
From: Hannes Laimer @ 2022-01-04 11:48 UTC (permalink / raw)
To: pbs-devel
Cannot be configured in the WebUI, only through proxmox-backup-manager,
api or in the config file directly (not recommended). For changes to take
effect the proxy has to be restarted.
Since the string can be rather long and I assume most of the time the
defaults are used, it is not in the WebUI.
v2:
- allow setting for TLSv1.3 and TLS <= 1.2 individually
Hannes Laimer (3):
config: add cipher-suites to NodeConfig
proxy: use ssl cipher-suites from config if set
api2: make cipher-suites updatable
src/api2/node/config.rs | 8 ++++++++
src/bin/proxmox-backup-proxy.rs | 10 ++++++++++
src/config/node.rs | 24 ++++++++++++++++++++++++
3 files changed, 42 insertions(+)
--
2.30.2
end of thread, other threads:[~2022-01-05 15:17 UTC | newest]