From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) by lore.proxmox.com (Postfix) with ESMTPS id 6E1F51FF2D3 for ; Mon, 8 Jul 2024 07:49:20 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 3AD833542E; Mon, 8 Jul 2024 07:49:40 +0200 (CEST) From: Max Carrara To: pbs-devel@lists.proxmox.com Date: Mon, 8 Jul 2024 07:49:33 +0200 Message-Id: <20240708054936.14443-1-m.carrara@proxmox.com> X-Mailer: git-send-email 2.39.2 MIME-Version: 1.0 X-SPAM-LEVEL: Spam detection results: 0 AWL 0.029 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: [pbs-devel] [PATCH v1 proxmox 0/3] Fix #5105: Overhaul TLS Handshake Checking Logic X-BeenThere: pbs-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Backup Server development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox Backup Server development discussion Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pbs-devel-bounces@lists.proxmox.com Sender: "pbs-devel" Fix #5105: Overhaul TLS Handshake Checking Logic ================================================ This series fixes bug #5105 [1] by overhauling the TLS handshake checking logic, which is performed when using a connection acceptor variant with optional TLS. In the case of PBS (the only place where this is used, to my knowledge), any requests made over plain HTTP are redirected to the same host, but clients are instructed to use HTTPS instead. The TLS handshake checking logic determines whether the client uses HTTP or HTTPS by peeking into the stream buffer -- if the first 5 received bytes look like a TLS handshake fragment, the connection is passed on to OpenSSL before being accepted. Otherwise the connection is assumed to be unencrypted, i.e. plain HTTP. However, this logic contains two errors: 1. The timeout duration is too short - one second is too little 2. When a timeout occurs, the connection is assumed to be unencrypted (and thus plain HTTP) The patches 01 and 02 are mainly done in preparation for patch 03 (which contains the actual fix), improving the overall quality of the code and including the peer's address in error logs. Please see the individual patches for more information. Special thanks go to Stefan Hanreich whose advice helped identifying many individual puzzle pieces comprising this issue. References ---------- [1]: https://bugzilla.proxmox.com/show_bug.cgi?id=5105 Summary of Changes ------------------ Max Carrara (3): rest-server: connection: clean up accept data flow rest-server: connection: log peer address on error fix #5105: rest-server: connection: overhaul TLS handshake check logic proxmox-rest-server/src/connection.rs | 165 +++++++++++++------------- 1 file changed, 85 insertions(+), 80 deletions(-) -- 2.39.2 _______________________________________________ pbs-devel mailing list pbs-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel