From: Dominik Csapak <d.csapak@proxmox.com>
To: pve-devel@lists.proxmox.com, pbs-devel@lists.proxmox.com
Subject: [PATCH proxmox{,-backup,-websocket-tunnel} v4 0/8] unify openssl callback logic
Date: Wed, 1 Jul 2026 12:30:44 +0200 [thread overview]
Message-ID: <20260701103120.1593265-1-d.csapak@proxmox.com> (raw)
There are currently 3+ slightly different implementations of the openssl
verify callback in place. They differ in how an explicit fingerprint
would be checked:
* pbs-client: if verification was on, a valid certificate would trump a
wrong epxlicit fingerprint
* proxmox-websocket-tunnel: if an explicit fingerprint was given, it was
checked, regardless of the openssl result
* proxmox-client: the openssl validity had priority as in pbs-client,
but the fingerprint was not checked against the leaf certificate, but
agains all certificates in the chain (which would lead to false
negatives). Note that this is currently only used in PDM
* PDM client has also a different implementation (not touched here)
This series aims to unify the general behavior, but design the interface
to be flexible enought to accomodate the different call sites needs.
I included the change of features for crates, but they have to be bumped
before hand of course and the version must be changed in Cargo.toml.
There is a patch int the proxmox-http crate is to preserve backwards
compatibility with the current pbs client behavior, but is opt-in via
environment variable (which we might want to enable automatically for the
pbs-client? though this is difficult to do, since the client can and will
be called from scripts or manually)
Also, since it rather deep in the stack for PBS (remotes sync, etc.) and
PVE (remote migration) IMHO this is a series that should be tested very
well.
Further work could be to unify this behavior for our perl clients too,
but it seemed out of scope for this series. (notably the PVE::APIClient
and the client used in the SDN code)
Tests were implemented by Shannon (thanks!) but I refined it's behavior
(see the commit)
This series partially overlaps/interferes with shannons recent series:
https://lore.proxmox.com/pdm-devel/20260611120327.257523-1-s.sterz@proxmox.com/
changes from v3:
* include a Fingerprint struct to reuse (also for other sites, eg. PDM)
* use much simpler code in callback by always getting the leaf certificate
* make backwards compat opt-in instead of opt-out
* include shannons tests
* adapt usage sites to new interface
changes from v2:
* rebase on master
* add backwards compatibility switch via ENV variable
* add patch for pbs to check already verified fingerprints
changes from v1:
* rebase on master (drops one patch)
* drop hex dependency
proxmox:
Dominik Csapak (4):
http: factor out openssl verification callback
http: tls: use legacy behavior when PROXMOX_OLD_TLS_CHECK is set to
"1"
http: tls: add warning if old check behavior is enabled and triggered
client: use proxmox-http's openssl verification callback
Shannon Sterz (1):
http: tls: add integration tests for openssl verify callbacks
Cargo.toml | 1 +
proxmox-client/Cargo.toml | 2 +-
proxmox-client/src/client.rs | 70 ++--
proxmox-http/Cargo.toml | 15 +
proxmox-http/src/lib.rs | 5 +
proxmox-http/src/tls.rs | 221 ++++++++++
proxmox-http/tests/certs/cert-chain.pem | 46 ++
.../tests/certs/intermediate-cert.pem | 23 +
proxmox-http/tests/certs/intermediate-csr.pem | 17 +
proxmox-http/tests/certs/intermediate-key.pem | 28 ++
proxmox-http/tests/certs/leaf-cert.pem | 24 ++
proxmox-http/tests/certs/leaf-csr.pem | 17 +
proxmox-http/tests/certs/leaf-key.pem | 28 ++
proxmox-http/tests/certs/root-cert.pem | 23 +
proxmox-http/tests/certs/root-key.pem | 28 ++
proxmox-http/tests/certs/self-signed-cert.pem | 23 +
proxmox-http/tests/certs/self-signed-key.pem | 28 ++
proxmox-http/tests/common/mod.rs | 395 ++++++++++++++++++
proxmox-http/tests/openssl_verify_cb_new.rs | 89 ++++
proxmox-http/tests/openssl_verify_cb_old.rs | 77 ++++
20 files changed, 1113 insertions(+), 47 deletions(-)
create mode 100644 proxmox-http/src/tls.rs
create mode 100644 proxmox-http/tests/certs/cert-chain.pem
create mode 100644 proxmox-http/tests/certs/intermediate-cert.pem
create mode 100644 proxmox-http/tests/certs/intermediate-csr.pem
create mode 100644 proxmox-http/tests/certs/intermediate-key.pem
create mode 100644 proxmox-http/tests/certs/leaf-cert.pem
create mode 100644 proxmox-http/tests/certs/leaf-csr.pem
create mode 100644 proxmox-http/tests/certs/leaf-key.pem
create mode 100644 proxmox-http/tests/certs/root-cert.pem
create mode 100644 proxmox-http/tests/certs/root-key.pem
create mode 100644 proxmox-http/tests/certs/self-signed-cert.pem
create mode 100644 proxmox-http/tests/certs/self-signed-key.pem
create mode 100644 proxmox-http/tests/common/mod.rs
create mode 100644 proxmox-http/tests/openssl_verify_cb_new.rs
create mode 100644 proxmox-http/tests/openssl_verify_cb_old.rs
proxmox-backup:
Dominik Csapak (2):
pbs-client: use proxmox-https openssl callback
pbs-client: honor already verified fingerprint
Cargo.toml | 2 +-
pbs-client/src/http_client.rs | 183 +++++++++++++++++-----------------
2 files changed, 94 insertions(+), 91 deletions(-)
proxmox-websocket-tunnel:
Dominik Csapak (1):
use proxmox-http's openssl callback
Cargo.toml | 4 +--
src/main.rs | 76 +++++++++++++++++++++++++----------------------------
2 files changed, 37 insertions(+), 43 deletions(-)
Summary over all repositories:
24 files changed, 1244 insertions(+), 181 deletions(-)
--
Generated by murpp 0.11.0
next reply other threads:[~2026-07-01 10:32 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-01 10:30 Dominik Csapak [this message]
2026-07-01 10:30 ` [PATCH proxmox v4 1/8] http: factor out openssl verification callback Dominik Csapak
2026-07-01 10:30 ` [PATCH proxmox v4 2/8] http: tls: use legacy behavior when PROXMOX_OLD_TLS_CHECK is set to "1" Dominik Csapak
2026-07-01 13:36 ` Shannon Sterz
2026-07-01 10:30 ` [PATCH proxmox v4 3/8] http: tls: add warning if old check behavior is enabled and triggered Dominik Csapak
2026-07-01 10:30 ` [PATCH proxmox v4 4/8] http: tls: add integration tests for openssl verify callbacks Dominik Csapak
2026-07-01 10:30 ` [PATCH proxmox v4 5/8] client: use proxmox-http's openssl verification callback Dominik Csapak
2026-07-01 10:30 ` [PATCH proxmox-backup v4 6/8] pbs-client: use proxmox-https openssl callback Dominik Csapak
2026-07-01 13:36 ` Shannon Sterz
2026-07-01 10:30 ` [PATCH proxmox-backup v4 7/8] pbs-client: honor already verified fingerprint Dominik Csapak
2026-07-01 10:30 ` [PATCH proxmox-websocket-tunnel v4 8/8] use proxmox-http's openssl callback Dominik Csapak
2026-07-01 13:35 ` Shannon Sterz
2026-07-01 13:35 ` [PATCH proxmox{,-backup,-websocket-tunnel} v4 0/8] unify openssl callback logic Shannon Sterz
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260701103120.1593265-1-d.csapak@proxmox.com \
--to=d.csapak@proxmox.com \
--cc=pbs-devel@lists.proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox