From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9]) by lore.proxmox.com (Postfix) with ESMTPS id 0CB421FF163 for ; Thu, 29 Aug 2024 15:07:31 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 0A85E1C5FB; Thu, 29 Aug 2024 15:07:59 +0200 (CEST) From: Gabriel Goller To: pbs-devel@lists.proxmox.com Date: Thu, 29 Aug 2024 15:07:22 +0200 Message-Id: <20240829130722.300260-1-g.goller@proxmox.com> X-Mailer: git-send-email 2.39.2 MIME-Version: 1.0 X-SPAM-LEVEL: Spam detection results: 0 AWL -0.041 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record T_SCC_BODY_TEXT_LINE -0.01 - Subject: [pbs-devel] [PATCH v3] rest-server: check permissions on proxy.key and proxy.pem files X-BeenThere: pbs-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Backup Server development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox Backup Server development discussion Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: pbs-devel-bounces@lists.proxmox.com Sender: "pbs-devel" To avoid openssl's unhelpful error messages when the proxy.key or proxy.pem files have the wrong permissions, we open the files. To load the private key, we can simply read from the file and pass it to the `set_private_key` openssl function. Sadly such a function does not exist for loading certificate chains, so we have to open and close the file before calling the `set_certificate_chain_file` fn. Motivation: https://forum.proxmox.com/threads/proxmox-backup-tailscale-proxmox-backup-proxy-service-wont-boot.153204 Signed-off-by: Gabriel Goller --- v3, thanks @Wolfgang: - switch `context` with `with_context` - use std::fs::read directly without the utf-8 checks v2, thanks @Wolfgang: - move check from proxmox-backup-server to proxmox-rest-server - check permissions by opening files proxmox-rest-server/src/connection.rs | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/proxmox-rest-server/src/connection.rs b/proxmox-rest-server/src/connection.rs index fbdfe96cdfdb..105024f4ce7e 100644 --- a/proxmox-rest-server/src/connection.rs +++ b/proxmox-rest-server/src/connection.rs @@ -12,13 +12,13 @@ use std::pin::{pin, Pin}; use std::sync::{Arc, Mutex}; use std::time::Duration; -use anyhow::{format_err, Context as _, Error}; +use anyhow::{format_err, Context, Error}; use futures::FutureExt; use hyper::server::accept; use openssl::ec::{EcGroup, EcKey}; use openssl::nid::Nid; use openssl::pkey::{PKey, Private}; -use openssl::ssl::{SslAcceptor, SslFiletype, SslMethod}; +use openssl::ssl::{SslAcceptor, SslMethod}; use openssl::x509::X509; use tokio::net::{TcpListener, TcpStream}; use tokio::sync::mpsc; @@ -88,9 +88,17 @@ impl TlsAcceptorBuilder { .context("failed to set tls acceptor certificate")?; } Some(Tls::FilesPem(key, cert)) => { + let key_content = std::fs::read(&key) + .with_context(|| format!("Failed to read from private key file {:?}", key))?; acceptor - .set_private_key_file(key, SslFiletype::PEM) + .set_private_key(PKey::private_key_from_pem(&key_content)?.as_ref()) .context("failed to set tls acceptor private key file")?; + + { + // Check the permissions by opening the file + let _cert_fd = std::fs::File::open(&cert) + .with_context(|| format!("Failed to open certificate at {:?}", cert))?; + } acceptor .set_certificate_chain_file(cert) .context("failed to set tls acceptor certificate chain file")?; -- 2.39.2 _______________________________________________ pbs-devel mailing list pbs-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel