From: Hannes Laimer <h.laimer@proxmox.com>
To: pbs-devel@lists.proxmox.com
Subject: [pbs-devel] [PATCH proxmox-backup v3 1/4] config: add tls ciphers to NodeConfig
Date: Sat, 8 Jan 2022 08:08:06 +0100 [thread overview]
Message-ID: <20220108070809.29315-2-h.laimer@proxmox.com> (raw)
In-Reply-To: <20220108070809.29315-1-h.laimer@proxmox.com>
for TLS 1.3 and for TLS <= 1.2
Signed-off-by: Hannes Laimer <h.laimer@proxmox.com>
---
pbs-api-types/src/lib.rs | 15 +++++++++++++++
src/config/node.rs | 26 +++++++++++++++++++++++++-
2 files changed, 40 insertions(+), 1 deletion(-)
diff --git a/pbs-api-types/src/lib.rs b/pbs-api-types/src/lib.rs
index 0a0dd33d..b4882064 100644
--- a/pbs-api-types/src/lib.rs
+++ b/pbs-api-types/src/lib.rs
@@ -124,6 +124,10 @@ const_regex! {
pub FINGERPRINT_SHA256_REGEX = r"^(?:[0-9a-fA-F][0-9a-fA-F])(?::[0-9a-fA-F][0-9a-fA-F]){31}$";
+ pub OPENSSL_CIPHER_LIST_REGEX = r"^[A-Za-z0-9!\-+=@, :]+$";
+
+ pub TLS_CIPHERSUITE_LIST_REGEX = r"^[A-Za-z0-9_:]+$";
+
/// Regex for safe identifiers.
///
/// This
@@ -160,6 +164,9 @@ pub const BLOCKDEVICE_NAME_FORMAT: ApiStringFormat = ApiStringFormat::Pattern(&B
pub const SUBSCRIPTION_KEY_FORMAT: ApiStringFormat = ApiStringFormat::Pattern(&SUBSCRIPTION_KEY_REGEX);
pub const SYSTEMD_DATETIME_FORMAT: ApiStringFormat = ApiStringFormat::Pattern(&SYSTEMD_DATETIME_REGEX);
pub const HOSTNAME_FORMAT: ApiStringFormat = ApiStringFormat::Pattern(&HOSTNAME_REGEX);
+pub const OPENSSL_CIPHER_LIST_FORMAT: ApiStringFormat = ApiStringFormat::Pattern(&OPENSSL_CIPHER_LIST_REGEX);
+pub const TLS_CIPHERSUITE_LIST_FORMAT: ApiStringFormat = ApiStringFormat::Pattern(&TLS_CIPHERSUITE_LIST_REGEX);
+
pub const DNS_ALIAS_FORMAT: ApiStringFormat =
ApiStringFormat::Pattern(&DNS_ALIAS_REGEX);
@@ -189,6 +196,14 @@ pub const HOSTNAME_SCHEMA: Schema = StringSchema::new("Hostname (as defined in R
.format(&HOSTNAME_FORMAT)
.schema();
+pub const OPENSSL_CIPHER_LIST_SCHEMA: Schema = StringSchema::new("OpenSSL cipher string list used by the proxy for TLS <= 1.2")
+ .format(&OPENSSL_CIPHER_LIST_FORMAT)
+ .schema();
+
+pub const TLS_CIPHERSUITE_LIST_SCHEMA: Schema = StringSchema::new("TLS ciphersuites list used by the proxy for TLSv1.3")
+ .format(&TLS_CIPHERSUITE_LIST_FORMAT)
+ .schema();
+
pub const DNS_NAME_FORMAT: ApiStringFormat =
ApiStringFormat::Pattern(&DNS_NAME_REGEX);
diff --git a/src/config/node.rs b/src/config/node.rs
index 4f2ab029..74db8fe3 100644
--- a/src/config/node.rs
+++ b/src/config/node.rs
@@ -1,5 +1,6 @@
use std::collections::HashSet;
+use openssl::ssl::{SslAcceptor, SslMethod};
use anyhow::{bail, Error};
use serde::{Deserialize, Serialize};
@@ -7,7 +8,7 @@ use proxmox_schema::{api, ApiStringFormat, ApiType, Updater};
use proxmox_http::ProxyConfig;
-use pbs_api_types::EMAIL_SCHEMA;
+use pbs_api_types::{EMAIL_SCHEMA, OPENSSL_CIPHER_LIST_SCHEMA, TLS_CIPHERSUITE_LIST_SCHEMA};
use pbs_buildcfg::configdir;
use pbs_config::{open_backup_lockfile, BackupLockGuard};
@@ -91,6 +92,14 @@ pub struct AcmeConfig {
schema: EMAIL_SCHEMA,
optional: true,
},
+ "ciphers-tls3": {
+ schema: TLS_CIPHERSUITE_LIST_SCHEMA,
+ optional: true,
+ },
+ "ciphers-tls2": {
+ schema: OPENSSL_CIPHER_LIST_SCHEMA,
+ optional: true,
+ },
},
)]
#[derive(Deserialize, Serialize, Updater)]
@@ -121,6 +130,14 @@ pub struct NodeConfig {
#[serde(skip_serializing_if = "Option::is_none")]
pub email_from: Option<String>,
+
+ /// List of SSL ciphers for tls 1.3 that will be used by the proxy. (Proxy has to be restarted for changes to take effect)
+ #[serde(skip_serializing_if = "Option::is_none")]
+ pub ciphers_tls3: Option<String>,
+
+ /// List of SSL ciphers for tls <= 1.2 that will be used by the proxy. (Proxy has to be restarted for changes to take effect)
+ #[serde(skip_serializing_if = "Option::is_none")]
+ pub ciphers_tls2: Option<String>,
}
impl NodeConfig {
@@ -172,6 +189,13 @@ impl NodeConfig {
bail!("duplicate domain '{}' in ACME config", domain.domain);
}
}
+ let mut dummy_acceptor = SslAcceptor::mozilla_intermediate_v5(SslMethod::tls()).unwrap();
+ if let Some(ciphers) = self.ciphers_tls3.as_deref() {
+ dummy_acceptor.set_ciphersuites(ciphers)?;
+ }
+ if let Some(ciphers) = self.ciphers_tls2.as_deref() {
+ dummy_acceptor.set_cipher_list(ciphers)?;
+ }
Ok(())
}
--
2.30.2
next prev parent reply other threads:[~2022-01-08 7:08 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-01-08 7:08 [pbs-devel] [PATCH proxmox-backup v3 0/4] close #3612: allow config of SSL cipher-suites for proxy Hannes Laimer
2022-01-08 7:08 ` Hannes Laimer [this message]
2022-01-10 5:40 ` [pbs-devel] [PATCH proxmox-backup v3 1/4] config: add tls ciphers to NodeConfig Dietmar Maurer
2022-01-10 8:14 ` Fabian Grünbichler
2022-01-08 7:08 ` [pbs-devel] [PATCH proxmox-backup v3 2/4][optional] pbs-api-types: make regex for ciphers more strict Hannes Laimer
2022-01-08 7:08 ` [pbs-devel] [PATCH proxmox-backup v3 3/4] proxy: use ciphers from config if set Hannes Laimer
2022-01-08 7:08 ` [pbs-devel] [PATCH proxmox-backup v3 4/4] api2: make tls ciphers updatable Hannes Laimer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220108070809.29315-2-h.laimer@proxmox.com \
--to=h.laimer@proxmox.com \
--cc=pbs-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox