* [pbs-devel] [PATCH proxmox-backup 0/3] close #3612: allow config of SSL cipher-suites for proxy
@ 2021-12-16 16:31 Hannes Laimer
2021-12-16 16:31 ` [pbs-devel] [PATCH proxmox-backup 1/3] config: add cipher-suites to NodeConfig Hannes Laimer
` (3 more replies)
0 siblings, 4 replies; 5+ messages in thread
From: Hannes Laimer @ 2021-12-16 16:31 UTC (permalink / raw)
To: pbs-devel
Cannot be configured in the WebUI, only through proxmox-backup-manager,
api or in the config file directly(not recommended). For changes to take
effect the proxy has to be restarted.
Since the string can be rather long and I assume most of the time the
defaults are used, it is not in the WebUI.
Hannes Laimer (3):
config: add cipher-suites to NodeConfig
proxy: use ssl cipher-suites from config if set
api2: make cipher-suites updatable
src/api2/node/config.rs | 4 ++++
src/bin/proxmox-backup-proxy.rs | 6 ++++++
src/config/node.rs | 13 +++++++++++++
3 files changed, 23 insertions(+)
--
2.30.2
^ permalink raw reply [flat|nested] 5+ messages in thread
* [pbs-devel] [PATCH proxmox-backup 1/3] config: add cipher-suites to NodeConfig
2021-12-16 16:31 [pbs-devel] [PATCH proxmox-backup 0/3] close #3612: allow config of SSL cipher-suites for proxy Hannes Laimer
@ 2021-12-16 16:31 ` Hannes Laimer
2021-12-16 16:31 ` [pbs-devel] [PATCH proxmox-backup 2/3] proxy: use ssl cipher-suites from config if set Hannes Laimer
` (2 subsequent siblings)
3 siblings, 0 replies; 5+ messages in thread
From: Hannes Laimer @ 2021-12-16 16:31 UTC (permalink / raw)
To: pbs-devel
Signed-off-by: Hannes Laimer <h.laimer@proxmox.com>
---
src/config/node.rs | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/src/config/node.rs b/src/config/node.rs
index ebbd08bd..bbffa50a 100644
--- a/src/config/node.rs
+++ b/src/config/node.rs
@@ -1,5 +1,6 @@
use std::collections::HashSet;
+use openssl::ssl::{SslAcceptor, SslMethod};
use anyhow::{bail, Error};
use serde::{Deserialize, Serialize};
@@ -86,6 +87,10 @@ pub struct AcmeConfig {
schema: HTTP_PROXY_SCHEMA,
optional: true,
},
+ "cipher-suites": {
+ optional: true,
+ type: String,
+ },
},
)]
#[derive(Deserialize, Serialize, Updater)]
@@ -113,6 +118,10 @@ pub struct NodeConfig {
#[serde(skip_serializing_if = "Option::is_none")]
pub http_proxy: Option<String>,
+
+ /// List of SSL ciphers that will be used by the proxy. (Proxy has to be restarted for changes to take effect)
+ #[serde(skip_serializing_if = "Option::is_none")]
+ pub cipher_suites: Option<String>,
}
impl NodeConfig {
@@ -164,6 +173,10 @@ impl NodeConfig {
bail!("duplicate domain '{}' in ACME config", domain.domain);
}
}
+ let mut dummy_acceptor = SslAcceptor::mozilla_intermediate_v5(SslMethod::tls()).unwrap();
+ if let Some(cipher_suites) = self.cipher_suites.as_deref() {
+ dummy_acceptor.set_cipher_list(cipher_suites)?;
+ }
Ok(())
}
--
2.30.2
^ permalink raw reply [flat|nested] 5+ messages in thread
* [pbs-devel] [PATCH proxmox-backup 2/3] proxy: use ssl cipher-suites from config if set
2021-12-16 16:31 [pbs-devel] [PATCH proxmox-backup 0/3] close #3612: allow config of SSL cipher-suites for proxy Hannes Laimer
2021-12-16 16:31 ` [pbs-devel] [PATCH proxmox-backup 1/3] config: add cipher-suites to NodeConfig Hannes Laimer
@ 2021-12-16 16:31 ` Hannes Laimer
2021-12-16 16:31 ` [pbs-devel] [PATCH proxmox-backup 3/3] api2: make cipher-suites updatable Hannes Laimer
2021-12-17 9:50 ` [pbs-devel] [PATCH proxmox-backup 0/3] close #3612: allow config of SSL cipher-suites for proxy Fabian Grünbichler
3 siblings, 0 replies; 5+ messages in thread
From: Hannes Laimer @ 2021-12-16 16:31 UTC (permalink / raw)
To: pbs-devel
Signed-off-by: Hannes Laimer <h.laimer@proxmox.com>
---
src/bin/proxmox-backup-proxy.rs | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/src/bin/proxmox-backup-proxy.rs b/src/bin/proxmox-backup-proxy.rs
index 07a53687..b9cabcb1 100644
--- a/src/bin/proxmox-backup-proxy.rs
+++ b/src/bin/proxmox-backup-proxy.rs
@@ -343,7 +343,13 @@ fn make_tls_acceptor() -> Result<SslAcceptor, Error> {
let key_path = configdir!("/proxy.key");
let cert_path = configdir!("/proxy.pem");
+ let (config, _) = proxmox_backup::config::node::config()?;
+ let cipher_suites = config.cipher_suites;
+
let mut acceptor = SslAcceptor::mozilla_intermediate_v5(SslMethod::tls()).unwrap();
+ if let Some(cipher_suites) = cipher_suites.as_deref() {
+ acceptor.set_cipher_list(cipher_suites)?;
+ }
acceptor.set_private_key_file(key_path, SslFiletype::PEM)
.map_err(|err| format_err!("unable to read proxy key {} - {}", key_path, err))?;
acceptor.set_certificate_chain_file(cert_path)
--
2.30.2
^ permalink raw reply [flat|nested] 5+ messages in thread
* [pbs-devel] [PATCH proxmox-backup 3/3] api2: make cipher-suites updatable
2021-12-16 16:31 [pbs-devel] [PATCH proxmox-backup 0/3] close #3612: allow config of SSL cipher-suites for proxy Hannes Laimer
2021-12-16 16:31 ` [pbs-devel] [PATCH proxmox-backup 1/3] config: add cipher-suites to NodeConfig Hannes Laimer
2021-12-16 16:31 ` [pbs-devel] [PATCH proxmox-backup 2/3] proxy: use ssl cipher-suites from config if set Hannes Laimer
@ 2021-12-16 16:31 ` Hannes Laimer
2021-12-17 9:50 ` [pbs-devel] [PATCH proxmox-backup 0/3] close #3612: allow config of SSL cipher-suites for proxy Fabian Grünbichler
3 siblings, 0 replies; 5+ messages in thread
From: Hannes Laimer @ 2021-12-16 16:31 UTC (permalink / raw)
To: pbs-devel
Signed-off-by: Hannes Laimer <h.laimer@proxmox.com>
---
src/api2/node/config.rs | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/src/api2/node/config.rs b/src/api2/node/config.rs
index 0b45f34c..c6bdd3df 100644
--- a/src/api2/node/config.rs
+++ b/src/api2/node/config.rs
@@ -54,6 +54,8 @@ pub enum DeletableProperty {
acmedomain4,
/// Delete the http-proxy property.
http_proxy,
+ /// Delete the cipher-suites property.
+ cipher_suites,
}
#[api(
@@ -110,6 +112,7 @@ pub fn update_node_config(
DeletableProperty::acmedomain3 => { config.acmedomain3 = None; },
DeletableProperty::acmedomain4 => { config.acmedomain4 = None; },
DeletableProperty::http_proxy => { config.http_proxy = None; },
+ DeletableProperty::cipher_suites => { config.cipher_suites = None; },
}
}
}
@@ -121,6 +124,7 @@ pub fn update_node_config(
if update.acmedomain3.is_some() { config.acmedomain3 = update.acmedomain3; }
if update.acmedomain4.is_some() { config.acmedomain4 = update.acmedomain4; }
if update.http_proxy.is_some() { config.http_proxy = update.http_proxy; }
+ if update.cipher_suites.is_some() { config.cipher_suites = update.cipher_suites; }
crate::config::node::save_config(&config)?;
--
2.30.2
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [pbs-devel] [PATCH proxmox-backup 0/3] close #3612: allow config of SSL cipher-suites for proxy
2021-12-16 16:31 [pbs-devel] [PATCH proxmox-backup 0/3] close #3612: allow config of SSL cipher-suites for proxy Hannes Laimer
` (2 preceding siblings ...)
2021-12-16 16:31 ` [pbs-devel] [PATCH proxmox-backup 3/3] api2: make cipher-suites updatable Hannes Laimer
@ 2021-12-17 9:50 ` Fabian Grünbichler
3 siblings, 0 replies; 5+ messages in thread
From: Fabian Grünbichler @ 2021-12-17 9:50 UTC (permalink / raw)
To: Proxmox Backup Server development discussion
On December 16, 2021 5:31 pm, Hannes Laimer wrote:
> Cannot be configured in the WebUI, only through proxmox-backup-manager,
> api or in the config file directly(not recommended). For changes to take
> effect the proxy has to be restarted.
>
> Since the string can be rather long and I assume most of the time the
> defaults are used, it is not in the WebUI.
there are actually two different strings (unfortunately):
cipher_list in OpenSSL parlance is for TLS <= 1.2
ciphersuites is for TLS 1.3
the format is not compatible, so we likely need to expose it as two
options (or two properties of a 'tls' option? if we also want to make
supported TLS versions configurable in the future for example that would
make sense).
PVE currently only does the former via /etc/default/pveproxy, but I'll
send patches for that soon. for PBS we should support both from the
start, and take care not to mix up the terminology (that would confuse
users that already know about this weird API split). I'd also add the
relevant TLS version info into the option description ;)
https://docs.rs/openssl/latest/openssl/ssl/struct.SslAcceptorBuilder.html#method.set_ciphersuites
https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_ciphersuites.html
>
> Hannes Laimer (3):
> config: add cipher-suites to NodeConfig
> proxy: use ssl cipher-suites from config if set
> api2: make cipher-suites updatable
>
> src/api2/node/config.rs | 4 ++++
> src/bin/proxmox-backup-proxy.rs | 6 ++++++
> src/config/node.rs | 13 +++++++++++++
> 3 files changed, 23 insertions(+)
>
> --
> 2.30.2
>
>
>
> _______________________________________________
> pbs-devel mailing list
> pbs-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel
>
>
>
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2021-12-17 9:51 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-12-16 16:31 [pbs-devel] [PATCH proxmox-backup 0/3] close #3612: allow config of SSL cipher-suites for proxy Hannes Laimer
2021-12-16 16:31 ` [pbs-devel] [PATCH proxmox-backup 1/3] config: add cipher-suites to NodeConfig Hannes Laimer
2021-12-16 16:31 ` [pbs-devel] [PATCH proxmox-backup 2/3] proxy: use ssl cipher-suites from config if set Hannes Laimer
2021-12-16 16:31 ` [pbs-devel] [PATCH proxmox-backup 3/3] api2: make cipher-suites updatable Hannes Laimer
2021-12-17 9:50 ` [pbs-devel] [PATCH proxmox-backup 0/3] close #3612: allow config of SSL cipher-suites for proxy Fabian Grünbichler
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox