From: Hannes Laimer
To: Dietmar Maurer, Proxmox Backup Server development discussion
Date: Wed, 5 Jan 2022 14:53:11 +0100
Subject: Re: [pbs-devel] [PATCH proxmox-backup v2 0/3] close #3612: allow config of SSL cipher-suites for proxy
Message-ID: <1f14bae7-fa70-cc68-c641-77025b667bb6@proxmox.com>
In-Reply-To: <1064698276.2596.1641374841394@webmail.proxmox.com>

On 05.01.22 at 10:27, Dietmar Maurer wrote:
>
>> But this does not throw an error:
>>
>> # proxmox-backup-manager node update --cipher-suites-tls2 asdasd,BBB,BBB.XZY,ECDHE-RSA-AES256-SHA
>>
>> Seems ssl simply ignores all unknown ciphers. The only error is when the list contains no known cipher.
>
> I wonder if we can hardcode the list of available values and parse it correctly? Allowed values would be:
>
> # openssl ciphers -tls1_2
> # openssl ciphers -tls1_3

Yes, but just hardcoding the list probably won't be enough since the string is allowed to contain !,+,- and some other things[1]. This check was mostly thought to check if the proxy would still start with the given ciphers, not if the given string was valid. Also I'm not sure if we should be more strict than openssl[2].

[1] https://www.openssl.org/docs/man1.1.1/man1/ciphers.html
[2] https://github.com/openssl/openssl/blob/master/doc/man3/SSL_CTX_set_cipher_list.pod#notes
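The behaviour discussed in the thread, reproduced as an added example (not code from the patch series or from Proxmox): Python's standard `ssl` module calls the same `SSL_CTX_set_cipher_list()` the second link documents, so it shows which suites a cipher string really enables, which tokens OpenSSL silently ignored, and that OpenSSL only refuses the string when nothing matches. The sample strings are constructed; the first is the one tried in the thread.

```python
import re
import ssl

# Constructed inputs: the first string is the one tried in the thread.
MIXED_LIST = "asdasd,BBB,BBB.XZY,ECDHE-RSA-AES256-SHA"
ONLY_UNKNOWN = "asdasd,BBB,BBB.XZY"


def effective_tls12_ciphers(cipher_string):
    """TLS <= 1.2 suites OpenSSL actually enables for cipher_string.

    set_ciphers() wraps SSL_CTX_set_cipher_list(), which drops unknown
    tokens silently and fails only when no TLS 1.2 suite is left.  TLS 1.3
    suites come from a separate setting and always appear in get_ciphers(),
    so they are filtered out to show only what the cipher string selected.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError: No cipher can be selected.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def is_rejected(cipher_string):
    """True when OpenSSL itself refuses the cipher string."""
    try:
        effective_tls12_ciphers(cipher_string)
    except ssl.SSLError:
        return True
    return False


def unknown_tokens(cipher_string):
    """Tokens that select no suite at all, as judged by OpenSSL itself.

    Each token is probed on its own, so suite names and keywords (HIGH,
    ECDHE+AESGCM, ...) are handled alike.  The !/-/+ prefixes are stripped
    because a removal rule alone never selects anything, and @-directives
    (@STRENGTH, @SECLEVEL=n) are skipped since they are not selectors.
    """
    bad = []
    for token in re.split(r"[:, ]+", cipher_string.strip()):
        if not token or token.startswith("@"):
            continue
        if is_rejected(token.lstrip("!-+")):
            bad.append(token)
    return bad


if __name__ == "__main__":
    print("enabled:", effective_tls12_ciphers(MIXED_LIST))
    print("ignored:", unknown_tokens(MIXED_LIST))
    print("rejected outright:", is_rejected(ONLY_UNKNOWN))
```

Running `unknown_tokens()` on a proposed string before saving it would surface the silently dropped entries without being stricter than OpenSSL's own grammar.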