From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 6B8A360A2D for ; Tue, 11 Jan 2022 12:39:53 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 69BEB1DB4E for ; Tue, 11 Jan 2022 12:39:53 +0100 (CET) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS id 49EA91DB42 for ; Tue, 11 Jan 2022 12:39:52 +0100 (CET) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 22F6B46C48 for ; Tue, 11 Jan 2022 12:39:52 +0100 (CET) From: Hannes Laimer To: pbs-devel@lists.proxmox.com Date: Tue, 11 Jan 2022 12:39:35 +0100 Message-Id: <20220111113937.26246-2-h.laimer@proxmox.com> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20220111113937.26246-1-h.laimer@proxmox.com> References: <20220111113937.26246-1-h.laimer@proxmox.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL 0.046 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [node.rs, lib.rs] Subject: [pbs-devel] [PATCH proxmox-backup v4 1/3] config: add tls ciphers to NodeConfig X-BeenThere: pbs-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Backup Server development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 11 Jan 2022 11:39:53 -0000 for TLS 1.3 and for TLS <= 1.2 Signed-off-by: Hannes Laimer --- pbs-api-types/src/lib.rs | 41 ++++++++++++++++++++++++++++++++++++++++ src/config/node.rs | 26 ++++++++++++++++++++++++- 2 files changed, 66 insertions(+), 1 deletion(-) diff --git a/pbs-api-types/src/lib.rs b/pbs-api-types/src/lib.rs index 0a0dd33d..4673fc3b 100644 --- a/pbs-api-types/src/lib.rs +++ b/pbs-api-types/src/lib.rs @@ -100,6 +100,20 @@ mod local_macros { macro_rules! DNS_ALIAS_NAME { () => (concat!(r"(?:(?:", DNS_ALIAS_LABEL!() , r"\.)*", DNS_ALIAS_LABEL!(), ")")) } + macro_rules! OPENSSL_CIPHERSUITE_RE { + () => ( + r"TLS_AES_256_GCM_SHA384|TLS_CHACHA20_POLY1305_SHA256|TLS_AES_128_GCM_SHA256|TLS_AES_128_CCM_8_SHA256|TLS_AES_128_CCM_SHA256" + ) + } + macro_rules! OPENSSL_CIPHER_STRING_RE { + () => (concat!( + r"([!\-+]?(COMPLEMENTOFDEFAULT|ALL|COMPLEMENTOFALL|HIGH|MEDIUM|LOW|[ae]?NULL|[ka]?RSA|", + "kDH[rdE]?|kEDH|DHE?|EDH|ADH|kEECDH|kECDHE|ECDH|ECDHE|EECDH|AECDH|a?DSS|aDH|a?ECDSA|", + "SSLv3|AES(128|256)?|GCM|AESGCM|AESCCM|AESCCM8|ARIA(128|256)?|CAMELLIA(128|256)?|", + "CHACHA20|3?DES|RC[24]|IDEA|SEED|MD5|SHA(1|256|384)?|aGOST(01)?|kGOST|GOST94|GOST89MAC|", + "[ak]?PSK|kECDHEPSK|kDHEPSK|kRSAPSK|SUITEB(128|128ONLY|192)?|CBC3?|POLY1305))+" + )) + } } const_regex! { @@ -124,6 +138,22 @@ const_regex! { pub FINGERPRINT_SHA256_REGEX = r"^(?:[0-9a-fA-F][0-9a-fA-F])(?::[0-9a-fA-F][0-9a-fA-F]){31}$"; + pub OPENSSL_CIPHERS_TLS_1_2_REGEX = concat!( + r"^((", + OPENSSL_CIPHER_STRING_RE!(), + ")([: ,](", + OPENSSL_CIPHER_STRING_RE!(), + "))*)$" + ); + + pub OPENSSL_CIPHERS_TLS_1_3_REGEX = concat!( + r"^((", + OPENSSL_CIPHERSUITE_RE!(), + ")(:(", + OPENSSL_CIPHERSUITE_RE!(), + "))*)$" + ); + /// Regex for safe identifiers. /// /// This @@ -160,6 +190,9 @@ pub const BLOCKDEVICE_NAME_FORMAT: ApiStringFormat = ApiStringFormat::Pattern(&B pub const SUBSCRIPTION_KEY_FORMAT: ApiStringFormat = ApiStringFormat::Pattern(&SUBSCRIPTION_KEY_REGEX); pub const SYSTEMD_DATETIME_FORMAT: ApiStringFormat = ApiStringFormat::Pattern(&SYSTEMD_DATETIME_REGEX); pub const HOSTNAME_FORMAT: ApiStringFormat = ApiStringFormat::Pattern(&HOSTNAME_REGEX); +pub const OPENSSL_CIPHERS_TLS_1_2_FORMAT: ApiStringFormat = ApiStringFormat::Pattern(&OPENSSL_CIPHERS_TLS_1_2_REGEX); +pub const OPENSSL_CIPHERS_TLS_1_3_FORMAT: ApiStringFormat = ApiStringFormat::Pattern(&OPENSSL_CIPHERS_TLS_1_3_REGEX); + pub const DNS_ALIAS_FORMAT: ApiStringFormat = ApiStringFormat::Pattern(&DNS_ALIAS_REGEX); @@ -189,6 +222,14 @@ pub const HOSTNAME_SCHEMA: Schema = StringSchema::new("Hostname (as defined in R .format(&HOSTNAME_FORMAT) .schema(); +pub const OPENSSL_CIPHERS_TLS_1_2_SCHEMA: Schema = StringSchema::new("OpenSSL cipher string list used by the proxy for TLS <= 1.2") + .format(&OPENSSL_CIPHERS_TLS_1_2_FORMAT) + .schema(); + +pub const OPENSSL_CIPHERS_TLS_1_3_SCHEMA: Schema = StringSchema::new("OpenSSL ciphersuites list used by the proxy for TLSv1.3") + .format(&OPENSSL_CIPHERS_TLS_1_3_FORMAT) + .schema(); + pub const DNS_NAME_FORMAT: ApiStringFormat = ApiStringFormat::Pattern(&DNS_NAME_REGEX); diff --git a/src/config/node.rs b/src/config/node.rs index 4f2ab029..3f7adb1a 100644 --- a/src/config/node.rs +++ b/src/config/node.rs @@ -1,5 +1,6 @@ use std::collections::HashSet; +use openssl::ssl::{SslAcceptor, SslMethod}; use anyhow::{bail, Error}; use serde::{Deserialize, Serialize}; @@ -7,7 +8,7 @@ use proxmox_schema::{api, ApiStringFormat, ApiType, Updater}; use proxmox_http::ProxyConfig; -use pbs_api_types::EMAIL_SCHEMA; +use pbs_api_types::{EMAIL_SCHEMA, OPENSSL_CIPHERS_TLS_1_2_SCHEMA, OPENSSL_CIPHERS_TLS_1_3_SCHEMA}; use pbs_buildcfg::configdir; use pbs_config::{open_backup_lockfile, BackupLockGuard}; @@ -91,6 +92,14 @@ pub struct AcmeConfig { schema: EMAIL_SCHEMA, optional: true, }, + "ciphers-tls13": { + schema: OPENSSL_CIPHERS_TLS_1_3_SCHEMA, + optional: true, + }, + "ciphers-tls12": { + schema: OPENSSL_CIPHERS_TLS_1_2_SCHEMA, + optional: true, + }, }, )] #[derive(Deserialize, Serialize, Updater)] @@ -121,6 +130,14 @@ pub struct NodeConfig { #[serde(skip_serializing_if = "Option::is_none")] pub email_from: Option, + + /// List of SSL ciphers for tls 1.3 that will be used by the proxy. (Proxy has to be restarted for changes to take effect) + #[serde(skip_serializing_if = "Option::is_none")] + pub ciphers_tls13: Option, + + /// List of SSL ciphers for tls <= 1.2 that will be used by the proxy. (Proxy has to be restarted for changes to take effect) + #[serde(skip_serializing_if = "Option::is_none")] + pub ciphers_tls12: Option, } impl NodeConfig { @@ -172,6 +189,13 @@ impl NodeConfig { bail!("duplicate domain '{}' in ACME config", domain.domain); } } + let mut dummy_acceptor = SslAcceptor::mozilla_intermediate_v5(SslMethod::tls()).unwrap(); + if let Some(ciphers) = self.ciphers_tls13.as_deref() { + dummy_acceptor.set_ciphersuites(ciphers)?; + } + if let Some(ciphers) = self.ciphers_tls12.as_deref() { + dummy_acceptor.set_cipher_list(ciphers)?; + } Ok(()) } -- 2.30.2