From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path: <pbs-devel-bounces@lists.proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9])
by lore.proxmox.com (Postfix) with ESMTPS id 75C281FF187
for <inbox@lore.proxmox.com>; Wed, 21 May 2025 10:45:57 +0200 (CEST)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
by firstgate.proxmox.com (Proxmox) with ESMTP id 9317712BA7;
Wed, 21 May 2025 10:45:58 +0200 (CEST)
From: Dominik Csapak <d.csapak@proxmox.com>
To: pbs-devel@lists.proxmox.com
Date: Wed, 21 May 2025 10:45:19 +0200
Message-Id: <20250521084524.829496-1-d.csapak@proxmox.com>
X-Mailer: git-send-email 2.39.5
MIME-Version: 1.0
X-SPAM-LEVEL: Spam detection results: 0
AWL 0.021 Adjusted score from AWL reputation of From: address
BAYES_00 -1.9 Bayes spam probability is 0 to 1%
DMARC_MISSING 0.1 Missing DMARC policy
KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
RCVD_IN_VALIDITY_CERTIFIED_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to
Validity was blocked. See
https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more
information.
RCVD_IN_VALIDITY_RPBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to
Validity was blocked. See
https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more
information.
RCVD_IN_VALIDITY_SAFE_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to
Validity was blocked. See
https://knowledge.validity.com/hc/en-us/articles/20961730681243 for more
information.
SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record
SPF_PASS -0.001 SPF: sender matches SPF record
URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See
http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more
information. [lib.rs, tls.rs]
Subject: [pbs-devel] [PATCH proxmox{, -websocket-tunnel,
-backup} 0/5] unify openssl callback logic
X-BeenThere: pbs-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox Backup Server development discussion
<pbs-devel.lists.proxmox.com>
List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pbs-devel>,
<mailto:pbs-devel-request@lists.proxmox.com?subject=unsubscribe>
List-Archive: <http://lists.proxmox.com/pipermail/pbs-devel/>
List-Post: <mailto:pbs-devel@lists.proxmox.com>
List-Help: <mailto:pbs-devel-request@lists.proxmox.com?subject=help>
List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel>,
<mailto:pbs-devel-request@lists.proxmox.com?subject=subscribe>
Reply-To: Proxmox Backup Server development discussion
<pbs-devel@lists.proxmox.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: pbs-devel-bounces@lists.proxmox.com
Sender: "pbs-devel" <pbs-devel-bounces@lists.proxmox.com>
There are currently 3 slightly different implementations of the openssl
verify callback in place. They differ in how an explicit fingerprint
would be checked:
* pbs-client: if verification was on, a valid certificate would trump a
wrong epxlicit fingerprint
* proxmox-websocket-tunnel: if an explicit fingerprint was given, it was
checked, regardless of the openssl result
* proxmox-client: the openssl validity had priority as in pbs-client,
but the fingerprint was not checked against the leaf certificate, but
agains all certificates in the chain (which would lead to false
negatives). Note that this is currently only used in PDM
This series aims to unify the general behavior, but design the interface
to be flexible enought to accomodate the different call sites needs.
I included the change of features for crates, but they have to be bumped
before hand of course and the version must be changed in Cargo.toml.
(if I should send that differently, please do tell how it should be done)
Since that is technically a breaking change for PBS, we should only
change that for the next major release.
Also, since it rather deep in the stack for PBS (remotes sync, etc.) and
PVE (remote migration) IMHO this is a series that should be tested very
well.
Further work could be to unify this behavior for our perl clients too,
but it seemed out of scope for this series. (notably the PVE::APIClient
and the client used in the SDN code)
I tried to implement some tests, but due to the openssl interface this
seems to be not really possible, except if we'd start a server + client
in the tests (which seems overkill). But if anyone has an idea how we
could test this code (and i mean not only it's interface, but the
openssl connection behavior), I'd be glad.
I sent the patch to the pbs-devel list, but actually it affects PBS, PVE
and PDM.
patch 1/2 of the websocket-tunnel, is not really related, but was
necessary to build.
proxmox:
Dominik Csapak (2):
http: factor out openssl verification callback
client: use proxmox-http's openssl verification callback
Cargo.toml | 1 +
proxmox-client/Cargo.toml | 2 +-
proxmox-client/src/client.rs | 48 ++++---------------
proxmox-http/Cargo.toml | 7 +++
proxmox-http/src/lib.rs | 5 ++
proxmox-http/src/tls.rs | 89 ++++++++++++++++++++++++++++++++++++
proxmox-openid/Cargo.toml | 2 +-
7 files changed, 112 insertions(+), 42 deletions(-)
create mode 100644 proxmox-http/src/tls.rs
proxmox-websocket-tunnel:
Dominik Csapak (2):
update base64 dependency
use proxmox-http's openssl callback
Cargo.toml | 5 ++--
src/main.rs | 66 ++++++++++++++++++++++-------------------------------
2 files changed, 29 insertions(+), 42 deletions(-)
proxmox-backup:
Dominik Csapak (1):
pbs-client: use proxmox-https openssl callback
Cargo.toml | 2 +-
pbs-client/src/http_client.rs | 151 ++++++++++++++--------------------
2 files changed, 62 insertions(+), 91 deletions(-)
Summary over all repositories:
11 files changed, 203 insertions(+), 175 deletions(-)
--
Generated by git-murpp 0.8.1
_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel