From: Dominik Csapak <d.csapak@proxmox.com>
To: pve-devel@lists.proxmox.com, pbs-devel@lists.proxmox.com
Subject: [PATCH proxmox v4 3/8] http: tls: add warning if old check behavior is enabled and triggered
Date: Wed, 1 Jul 2026 12:30:47 +0200
Message-ID: <20260701103120.1593265-4-d.csapak@proxmox.com>
In-Reply-To: <20260701103120.1593265-1-d.csapak@proxmox.com>

Only warn if we encounter the situation that a given fingerprint does not match but we accept it anyway, since openssl has priority due to PROXMOX_OLD_TLS_CHECK=1.
Signed-off-by: Dominik Csapak --- proxmox-http/Cargo.toml | 2 ++ proxmox-http/src/tls.rs | 8 ++++++++ 2 files changed, 10 insertions(+) diff --git a/proxmox-http/Cargo.toml b/proxmox-http/Cargo.toml index cdc2861b..8a6af43c 100644 --- a/proxmox-http/Cargo.toml +++ b/proxmox-http/Cargo.toml @@ -21,6 +21,7 @@ http-body = { workspace = true, optional = true } http-body-util = { workspace = true, optional = true } hyper = { workspace = true, optional = true } hyper-util = { workspace = true, optional = true, features = ["http2"] } +log = { workspace = true, optional = true } native-tls = { workspace = true, optional = true } openssl = { version = "0.10", optional = true } serde = { workspace = true, optional = true } @@ -110,6 +111,7 @@ websocket = [ "body", ] tls = [ + "dep:log", "dep:openssl", "dep:hex", "dep:thiserror", diff --git a/proxmox-http/src/tls.rs b/proxmox-http/src/tls.rs index abdf51e9..3c68be9d 100644 --- a/proxmox-http/src/tls.rs +++ b/proxmox-http/src/tls.rs @@ -176,6 +176,14 @@ pub fn openssl_verify_callback( let old_check = matches!(std::env::var(PROXMOX_OLD_TLS_CHECK_VAR).as_deref(), Ok("1")); if old_check && openssl_valid { + if ctx.error_depth() == 0 && expected_fp.is_some() && expected_fp != get_leaf_fp(ctx).ok() { + log::warn!( + "Mismatched fingerprint given, but openssl result was valid, ignoring fingerprint!" + ); + log::warn!( + "To switch to new behavior remove PROXMOX_OLD_TLS_CHECK=1 from your environment." + ); + } return Ok(()); } -- 2.47.3
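Review bot: in the tls.rs hunk, the condition `expected_fp != get_leaf_fp(ctx).ok()` folds a failure of `get_leaf_fp` into the mismatch case: when it returns `Err`, `.ok()` yields `None`, and with `expected_fp.is_some()` the comparison is true, so the operator is told "Mismatched fingerprint given" even though no leaf fingerprint was computed at all. Consider matching on `get_leaf_fp(ctx)` explicitly and logging a separate warning for the error case, and including both the expected and the actual fingerprint in the mismatch message so the log line is actionable when someone audits why a connection was accepted under PROXMOX_OLD_TLS_CHECK=1. Also note that this callback runs on every handshake, so a host with a permanently mismatched pin will emit these two warnings on every connection; that is probably intended as pressure to drop the old behavior, but it is worth stating in the commit message.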