From: "Shannon Sterz" <s.sterz@proxmox.com>
To: "Dominik Csapak" <d.csapak@proxmox.com>,
	<pve-devel@lists.proxmox.com>, <pbs-devel@lists.proxmox.com>
Subject: Re: [PATCH proxmox{,-backup,-websocket-tunnel} v4 0/8] unify openssl callback logic
Date: Wed, 01 Jul 2026 15:35:48 +0200	[thread overview]
Message-ID: <DJN9W5FW4PX2.2ACLXZOEXXEJA@proxmox.com> (raw)
In-Reply-To: <20260701103120.1593265-1-d.csapak@proxmox.com>

On Wed Jul 1, 2026 at 12:30 PM CEST, Dominik Csapak wrote:
> There are currently 3+ slightly different implementations of the openssl
> verify callback in place. They differ in how an explicit fingerprint
> would be checked:
>
> * pbs-client: if verification was on, a valid certificate would trump a
>   wrong explicit fingerprint
> * proxmox-websocket-tunnel: if an explicit fingerprint was given, it was
>   checked, regardless of the openssl result
> * proxmox-client: the openssl validity had priority as in pbs-client,
>   but the fingerprint was not checked against the leaf certificate, but
>   against all certificates in the chain (which would lead to false
>   negatives). Note that this is currently only used in PDM
> * PDM client has also a different implementation (not touched here)
>
> This series aims to unify the general behavior, but design the interface
> to be flexible enough to accommodate the different call sites' needs.
>
> I included the change of features for crates, but they have to be bumped
> beforehand of course and the version must be changed in Cargo.toml.
>
> There is a patch in the proxmox-http crate to preserve backwards
> compatibility with the current pbs client behavior, but it is opt-in via
> environment variable (which we might want to enable automatically for the
> pbs-client? though this is difficult to do, since the client can and will
> be called from scripts or manually)
>
> Also, since it is rather deep in the stack for PBS (remotes sync, etc.) and
> PVE (remote migration) IMHO this is a series that should be tested very
> well.
>
> Further work could be to unify this behavior for our perl clients too,
> but it seemed out of scope for this series. (notably the PVE::APIClient
> and the client used in the SDN code)
>
> Tests were implemented by Shannon (thanks!) but I refined its behavior
> (see the commit)
>
> This series partially overlaps/interferes with Shannon's recent series:
> https://lore.proxmox.com/pdm-devel/20260611120327.257523-1-s.sterz@proxmox.com/

thanks again, besides the tiny nits I left, consider this:

Reviewed-by: Shannon Sterz <s.sterz@proxmox.com>

as for the pbs-client, we should at least set an environment variable
for pveproxy/pvedaemon which invoke the client from what I can tell. we
should be able to set these via the systemd units. users can then add
systemd overrides to opt out again and we can drop them from the units
on the next major version (or whenever we officially drop the legacy
behaviour).

for users that use pbs-client directly, I'm not sure what we can do other
than highlighting this change in the changelog.
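The three verify-callback behaviours the cover letter contrasts, modelled in Rust as an added example (not code from the series, from proxmox-http or from any of the clients named above). It assumes the callback is driven once per chain certificate with OpenSSL's per-certificate verdict, that the pinned value is a hex fingerprint compared case-insensitively, and that the "leaf" is the end-entity certificate of the context's chain; all fingerprints and chains are constructed inputs.

```rust
/// What one verify-callback invocation can see. OpenSSL calls the callback
/// once per chain certificate, CA first down to the leaf at depth 0;
/// `preverify_ok` is OpenSSL's own verdict for the current certificate.
#[derive(Clone, Copy, Debug)]
pub struct CallbackInput {
    pub depth: usize,
    pub current_fp: &'static str,
    pub leaf_fp: &'static str, // end-entity fingerprint taken from the chain
    pub preverify_ok: bool,
}

/// The three historical behaviours the cover letter contrasts (assumed model).
#[derive(Clone, Copy, Debug, PartialEq)]
pub enum Policy {
    PbsClient,       // OpenSSL verdict wins: a valid chain trumps a wrong pin
    WebsocketTunnel, // an explicit pin is checked regardless of the verdict
    ProxmoxClient,   // OpenSSL first, then the pin against whichever cert is current
}

fn fp_eq(a: &str, b: &str) -> bool {
    a.trim().eq_ignore_ascii_case(b.trim())
}

/// One callback invocation: `true` lets the handshake continue past this cert.
pub fn verify_callback(policy: Policy, pin: Option<&str>, c: CallbackInput) -> bool {
    let pin = match pin {
        Some(p) => p,
        None => return c.preverify_ok, // no explicit fingerprint: OpenSSL decides
    };
    match policy {
        Policy::PbsClient => c.preverify_ok || fp_eq(pin, c.leaf_fp),
        Policy::WebsocketTunnel => fp_eq(pin, c.leaf_fp),
        // a leaf pin never matches the CA cert at depth 1, so an untrusted
        // private CA makes this policy reject a correctly pinned leaf
        Policy::ProxmoxClient => c.preverify_ok || fp_eq(pin, c.current_fp),
    }
}
/// Drives the callback over the whole chain as OpenSSL would; one `false` aborts.
pub fn handshake_accepts(policy: Policy, pin: Option<&str>, chain: &[CallbackInput]) -> bool {
    chain.iter().all(|c| verify_callback(policy, pin, *c))
}
// Constructed placeholder fingerprints, not real digests.
pub const CA_FP: &str = "aa:bb:cc:dd";
pub const LEAF_FP: &str = "1a:2b:3c:4d";
/// CA at depth 1 and leaf at depth 0; `trusted` is OpenSSL's verdict for the CA.
pub fn chain(trusted: bool) -> [CallbackInput; 2] {
    [CallbackInput { depth: 1, current_fp: CA_FP, leaf_fp: LEAF_FP, preverify_ok: trusted },
     CallbackInput { depth: 0, current_fp: LEAF_FP, leaf_fp: LEAF_FP, preverify_ok: true }]
}
```

Running the same pin against a publicly trusted chain and against a private-CA chain shows the two failure modes the cover letter describes: a wrong pin accepted because the chain validates, and a correct pin rejected because it was compared against the CA certificate.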
