From: Dominik Csapak
To: pve-devel@lists.proxmox.com, pbs-devel@lists.proxmox.com
Subject: [PATCH proxmox{,-backup,-websocket-tunnel} v4 0/8] unify openssl callback logic
Date: Wed, 1 Jul 2026 12:30:44 +0200
Message-ID: <20260701103120.1593265-1-d.csapak@proxmox.com>

There are currently 3+ slightly different implementations of the openssl
verify callback in place.
They differ in how an explicit fingerprint would be checked:

* pbs-client: if verification was on, a valid certificate would trump a
  wrong explicit fingerprint
* proxmox-websocket-tunnel: if an explicit fingerprint was given, it was
  checked, regardless of the openssl result
* proxmox-client: the openssl validity had priority as in pbs-client, but
  the fingerprint was not checked against the leaf certificate, but against
  all certificates in the chain (which would lead to false negatives).
  Note that this is currently only used in PDM
* PDM client has also a different implementation (not touched here)

This series aims to unify the general behavior, but design the interface
to be flexible enough to accommodate the different call sites' needs.

I included the change of features for crates, but they have to be bumped
beforehand of course and the version must be changed in Cargo.toml.

There is a patch in the proxmox-http crate to preserve backwards
compatibility with the current pbs client behavior, but it is opt-in via
environment variable (which we might want to enable automatically for the
pbs-client? though this is difficult to do, since the client can and will
be called from scripts or manually)

Also, since it is rather deep in the stack for PBS (remotes sync, etc.) and
PVE (remote migration) IMHO this is a series that should be tested very well.

Further work could be to unify this behavior for our perl clients too,
but it seemed out of scope for this series. (notably the PVE::APIClient
and the client used in the SDN code)

Tests were implemented by Shannon (thanks!) but I refined its behavior
(see the commit)

This series partially overlaps/interferes with Shannon's recent series:
https://lore.proxmox.com/pdm-devel/20260611120327.257523-1-s.sterz@proxmox.com/

changes from v3:
* include a Fingerprint struct to reuse (also for other sites, eg.
  PDM)
* use much simpler code in callback by always getting the leaf certificate
* make backwards compat opt-in instead of opt-out
* include Shannon's tests
* adapt usage sites to new interface

changes from v2:
* rebase on master
* add backwards compatibility switch via ENV variable
* add patch for pbs to check already verified fingerprints

changes from v1:
* rebase on master (drops one patch)
* drop hex dependency

proxmox:

Dominik Csapak (4):
  http: factor out openssl verification callback
  http: tls: use legacy behavior when PROXMOX_OLD_TLS_CHECK is set to "1"
  http: tls: add warning if old check behavior is enabled and triggered
  client: use proxmox-http's openssl verification callback

Shannon Sterz (1):
  http: tls: add integration tests for openssl verify callbacks

 Cargo.toml                                    |   1 +
 proxmox-client/Cargo.toml                     |   2 +-
 proxmox-client/src/client.rs                  |  70 ++--
 proxmox-http/Cargo.toml                       |  15 +
 proxmox-http/src/lib.rs                       |   5 +
 proxmox-http/src/tls.rs                       | 221 ++++++++++
 proxmox-http/tests/certs/cert-chain.pem       |  46 ++
 .../tests/certs/intermediate-cert.pem         |  23 +
 proxmox-http/tests/certs/intermediate-csr.pem |  17 +
 proxmox-http/tests/certs/intermediate-key.pem |  28 ++
 proxmox-http/tests/certs/leaf-cert.pem        |  24 ++
 proxmox-http/tests/certs/leaf-csr.pem         |  17 +
 proxmox-http/tests/certs/leaf-key.pem         |  28 ++
 proxmox-http/tests/certs/root-cert.pem        |  23 +
 proxmox-http/tests/certs/root-key.pem         |  28 ++
 proxmox-http/tests/certs/self-signed-cert.pem |  23 +
 proxmox-http/tests/certs/self-signed-key.pem  |  28 ++
 proxmox-http/tests/common/mod.rs              | 395 ++++++++++++++++++
 proxmox-http/tests/openssl_verify_cb_new.rs   |  89 ++++
 proxmox-http/tests/openssl_verify_cb_old.rs   |  77 ++++
 20 files changed, 1113 insertions(+), 47 deletions(-)
 create mode 100644 proxmox-http/src/tls.rs
 create mode 100644 proxmox-http/tests/certs/cert-chain.pem
 create mode 100644 proxmox-http/tests/certs/intermediate-cert.pem
 create mode 100644 proxmox-http/tests/certs/intermediate-csr.pem
 create mode 100644 proxmox-http/tests/certs/intermediate-key.pem
 create mode 100644 proxmox-http/tests/certs/leaf-cert.pem
 create mode 100644 proxmox-http/tests/certs/leaf-csr.pem
 create mode 100644 proxmox-http/tests/certs/leaf-key.pem
 create mode 100644 proxmox-http/tests/certs/root-cert.pem
 create mode 100644 proxmox-http/tests/certs/root-key.pem
 create mode 100644 proxmox-http/tests/certs/self-signed-cert.pem
 create mode 100644 proxmox-http/tests/certs/self-signed-key.pem
 create mode 100644 proxmox-http/tests/common/mod.rs
 create mode 100644 proxmox-http/tests/openssl_verify_cb_new.rs
 create mode 100644 proxmox-http/tests/openssl_verify_cb_old.rs

proxmox-backup:

Dominik Csapak (2):
  pbs-client: use proxmox-https openssl callback
  pbs-client: honor already verified fingerprint

 Cargo.toml                    |   2 +-
 pbs-client/src/http_client.rs | 183 +++++++++++++++++-----------------
 2 files changed, 94 insertions(+), 91 deletions(-)

proxmox-websocket-tunnel:

Dominik Csapak (1):
  use proxmox-http's openssl callback

 Cargo.toml  |  4 +--
 src/main.rs | 76 +++++++++++++++++++++++++----------------------------
 2 files changed, 37 insertions(+), 43 deletions(-)

Summary over all repositories:
  24 files changed, 1244 insertions(+), 181 deletions(-)

--
Generated by murpp 0.11.0
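
The three pre-series behaviours listed in the cover letter, as an added example that is not code from the Proxmox repositories: a simplified Rust model in which each verify-callback invocation carries OpenSSL's verdict and the fingerprint of the certificate at that depth. All function names, the placeholder fingerprints and the two callback sequences are constructed for illustration, and comparing the pbs-client and tunnel pin against the leaf is an assumption.

```rust
// Added example: simplified model, not code from the Proxmox repositories.
// One verify-callback invocation, as OpenSSL makes for each chain element.
struct Call {
    ok: bool,         // OpenSSL's own verdict at this step (preverify_ok)
    fp: &'static str, // fingerprint of the certificate at this depth
}
type Policy = fn(&Call, &str, Option<&str>) -> bool;

// pbs-client (old): a valid certificate trumps a wrong explicit fingerprint.
// Assumption: when OpenSSL reports an error, the pin is compared with the leaf.
fn pbs_client_old(c: &Call, leaf_fp: &str, pinned: Option<&str>) -> bool {
    c.ok || pinned == Some(leaf_fp)
}

// proxmox-websocket-tunnel (old): a given fingerprint is always checked.
fn ws_tunnel_old(c: &Call, leaf_fp: &str, pinned: Option<&str>) -> bool {
    pinned.map_or(c.ok, |fp| fp == leaf_fp)
}

// proxmox-client (old): validity first, then the pin is compared with the
// certificate at the current depth instead of the leaf.
fn proxmox_client_old(c: &Call, _leaf_fp: &str, pinned: Option<&str>) -> bool {
    c.ok || pinned == Some(c.fp)
}

// The handshake succeeds only if every callback invocation returns true.
fn accepted(p: Policy, calls: &[Call], leaf_fp: &str, pinned: Option<&str>) -> bool {
    calls.iter().all(|c| p(c, leaf_fp, pinned))
}

// Constructed inputs: placeholder fingerprints, not real digests.
const LEAF: &str = "AA:AA";
const INTERMEDIATE: &str = "BB:BB";
// Chain that OpenSSL accepts at every depth.
const VALID: [Call; 2] = [Call { ok: true, fp: INTERMEDIATE }, Call { ok: true, fp: LEAF }];
// Issuer missing from the trust store; error reported above the leaf (simplified).
const UNTRUSTED: [Call; 2] = [Call { ok: false, fp: INTERMEDIATE }, Call { ok: true, fp: LEAF }];

fn show(name: &str, p: Policy) {
    let wrong_pin = accepted(p, &VALID, LEAF, Some("CC:CC"));
    let leaf_pin = accepted(p, &UNTRUSTED, LEAF, Some(LEAF));
    println!("{}: valid chain + wrong pin = {}, untrusted chain + leaf pin = {}", name, wrong_pin, leaf_pin);
}

fn main() {
    show("pbs-client", pbs_client_old);
    show("proxmox-websocket-tunnel", ws_tunnel_old);
    show("proxmox-client", proxmox_client_old);
}
```

In this model the proxmox-client row rejects the untrusted chain even though the pin matches the leaf, because the pin is compared with the intermediate at the depth where the error is reported; that is the false negative the cover letter describes.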