From: Maximiliano Sandoval <m.sandoval@proxmox.com>
To: pbs-devel@lists.proxmox.com
Subject: [pbs-devel] [PATCH backup] http_client: remember accepted fingerprints
Date: Mon, 14 Apr 2025 14:59:34 +0200 [thread overview]
Message-ID: <20250414125934.476413-1-m.sandoval@proxmox.com> (raw)
Calling the proxmox-backup-client against a server with self-signed
certificates without having specified a fingerprint will result in
potentially multiple prompts to accept the fingerprint:
```
connected to 10.10.10.136:8007
fingerprint: b9:eb:33:0b:88:e8:e4:1a:c8:d1:f9:5a:08:84:04:9a:92:17:3f:5e:06:ae:e1:6b:91:36:24:38:0f:71:e1:5c
Are you sure you want to continue connecting? (y/n): y
fingerprint: b9:eb:33:0b:88:e8:e4:1a:c8:d1:f9:5a:08:84:04:9a:92:17:3f:5e:06:ae:e1:6b:91:36:24:38:0f:71:e1:5c
Are you sure you want to continue connecting? (y/n): y
```
We avoid this by setting the expected fingerprint to the fingerprint
returned by verify_callback.
Signed-off-by: Maximiliano Sandoval <m.sandoval@proxmox.com>
---
pbs-client/src/http_client.rs | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/pbs-client/src/http_client.rs b/pbs-client/src/http_client.rs
index c95def07b..05cf8c530 100644
--- a/pbs-client/src/http_client.rs
+++ b/pbs-client/src/http_client.rs
@@ -404,12 +404,13 @@ impl HttpClient {
let fingerprint_cache = options.fingerprint_cache;
let prefix = options.prefix.clone();
let trust_openssl_valid = Arc::new(Mutex::new(true));
+ let expected_fingerprint = Arc::new(Mutex::new(expected_fingerprint));
ssl_connector_builder.set_verify_callback(
openssl::ssl::SslVerifyMode::PEER,
move |valid, ctx| match Self::verify_callback(
valid,
ctx,
- expected_fingerprint.as_ref(),
+ Arc::clone(&expected_fingerprint),
interactive,
Arc::clone(&trust_openssl_valid),
) {
@@ -422,6 +423,7 @@ impl HttpClient {
error!("{}", err);
}
}
+ *expected_fingerprint.lock().unwrap() = Some(fingerprint.clone());
*verified_fingerprint.lock().unwrap() = Some(fingerprint);
true
}
@@ -634,7 +636,7 @@ impl HttpClient {
fn verify_callback(
openssl_valid: bool,
ctx: &mut X509StoreContextRef,
- expected_fingerprint: Option<&String>,
+ expected_fingerprint: Arc<Mutex<Option<String>>>,
interactive: bool,
trust_openssl: Arc<Mutex<bool>>,
) -> Result<Option<String>, Error> {
@@ -669,7 +671,7 @@ impl HttpClient {
.collect::<Vec<&str>>()
.join(":");
- if let Some(expected_fingerprint) = expected_fingerprint {
+ if let Some(expected_fingerprint) = expected_fingerprint.lock().unwrap().as_ref() {
let expected_fingerprint = expected_fingerprint.to_lowercase();
if expected_fingerprint == fp_string {
return Ok(Some(fp_string));
--
2.39.5
_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel
reply other threads:[~2025-04-14 13:00 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250414125934.476413-1-m.sandoval@proxmox.com \
--to=m.sandoval@proxmox.com \
--cc=pbs-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal