From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from gate001.proxmox.com (gate001.proxmox.com [45.144.208.40]) by lore.proxmox.com (Postfix) with ESMTPS id F41C51FF13E for ; Wed, 01 Jul 2026 15:35:54 +0200 (CEST) Received: from gate001.proxmox.com (localhost.localdomain [127.0.0.1]) by gate001.proxmox.com (Proxmox) with ESMTP id 30D172138B; Wed, 01 Jul 2026 15:35:54 +0200 (CEST) Mime-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=UTF-8 Date: Wed, 01 Jul 2026 15:35:48 +0200 Message-Id: Subject: Re: [PATCH proxmox{,-backup,-websocket-tunnel} v4 0/8] unify openssl callback logic To: "Dominik Csapak" , , X-Mailer: aerc 0.20.0 References: <20260701103120.1593265-1-d.csapak@proxmox.com> In-Reply-To: <20260701103120.1593265-1-d.csapak@proxmox.com> From: "Shannon Sterz" X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2 X-Bm-Transport-Timestamp: 1782912944054 X-SPAM-LEVEL: Spam detection results: 0 DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment (newer systems) SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Message-ID-Hash: FR546SX2XUWLNSQVZKS7OWVCWWFKZDPU X-Message-ID-Hash: FR546SX2XUWLNSQVZKS7OWVCWWFKZDPU X-MailFrom: s.sterz@proxmox.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; loop; banned-address; emergency; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header X-Mailman-Version: 3.3.10 Precedence: list List-Id: Proxmox Backup Server development discussion List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: On Wed Jul 1, 2026 at 12:30 PM CEST, Dominik Csapak wrote: > There are currently 3+ slightly different implementations of the openssl > verify callback in place. They differ in how an explicit fingerprint > would be checked: > > * pbs-client: if verification was on, a valid certificate would trump a > wrong epxlicit fingerprint > * proxmox-websocket-tunnel: if an explicit fingerprint was given, it was > checked, regardless of the openssl result > * proxmox-client: the openssl validity had priority as in pbs-client, > but the fingerprint was not checked against the leaf certificate, but > agains all certificates in the chain (which would lead to false > negatives). Note that this is currently only used in PDM > * PDM client has also a different implementation (not touched here) > > This series aims to unify the general behavior, but design the interface > to be flexible enought to accomodate the different call sites needs. > > I included the change of features for crates, but they have to be bumped > before hand of course and the version must be changed in Cargo.toml. > > There is a patch int the proxmox-http crate is to preserve backwards > compatibility with the current pbs client behavior, but is opt-in via > environment variable (which we might want to enable automatically for the > pbs-client? though this is difficult to do, since the client can and will > be called from scripts or manually) > > Also, since it rather deep in the stack for PBS (remotes sync, etc.) and > PVE (remote migration) IMHO this is a series that should be tested very > well. > > Further work could be to unify this behavior for our perl clients too, > but it seemed out of scope for this series. (notably the PVE::APIClient > and the client used in the SDN code) > > Tests were implemented by Shannon (thanks!) but I refined it's behavior > (see the commit) > > This series partially overlaps/interferes with shannons recent series: > https://lore.proxmox.com/pdm-devel/20260611120327.257523-1-s.sterz@proxmo= x.com/ thanks again, beside the tiny nits i left, consider this: Reviewed-by: Shannon Sterz as for the pbs-client, we should at least set an environment variable for pveproxy/pvedaemon which invoke the client from what i can tell. we should be able to set these via the systemd units. users can then add systemd overrides to opt out again and we can drop them from the units on the next major version (or whenever we official drop the legacy behaviour). for users that use pbs-client directly, im not sure what we can do other than highlighting this change in the changelog.