From: Shannon Sterz <s.sterz@proxmox.com>
To: pdm-devel@lists.proxmox.com
Subject: [PATCH datacenter-manager 09/17] server: connection: report mismatching fingerprint as untrusted on probe
Date: Thu, 11 Jun 2026 14:03:19 +0200 [thread overview]
Message-ID: <20260611120327.257523-10-s.sterz@proxmox.com> (raw)
In-Reply-To: <20260611120327.257523-1-s.sterz@proxmox.com>
instead of erroring out. previously this function returned a
connection error if the provided fingerprint did not match the
remote's fingerprint. instead, report the certificate as untrusted,
giving client's more appropriate information in such cases.
note that while the documentation for this function was technically
correct, the probe_tls endpoints for pve and pbs remotes stated:
> If the certificate is not trusted with the given parameters, returns
> the certificate information.
however, that was incorrect, since the endpoints returned an error if
the fingerprint did not match. since those two endpoints are currently
the only users that could actually provide a fingerprint (all other
callers explicitly provide `None`), this is more of a bug fix than a
public api break.
Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
---
server/src/connection.rs | 62 ++++++++++++++++++++++++++++------------
1 file changed, 43 insertions(+), 19 deletions(-)
diff --git a/server/src/connection.rs b/server/src/connection.rs
index 7ad1a5b9..f8b277da 100644
--- a/server/src/connection.rs
+++ b/server/src/connection.rs
@@ -15,12 +15,14 @@ use std::time::{Duration, SystemTime};
use anyhow::{Error, bail, format_err};
use http::Method;
use http::uri::Authority;
+use openssl::hash::MessageDigest;
use openssl::x509::X509StoreContextRef;
use serde::Serialize;
use proxmox_acme_api::CertificateInfo;
use proxmox_client::{Client, HttpApiClient, HttpApiResponse, HttpApiResponseStream, TlsOptions};
+use pdm_api_types::Fingerprint;
use pdm_api_types::remotes::{NodeUrl, Remote, RemoteType, TlsProbeOutcome};
use pve_api_types::client::PveClientImpl;
@@ -867,7 +869,7 @@ impl HttpApiClient for MultiClient {
/// Checks TLS connection to the given remote
///
/// Returns `Ok(TlsProbeOutcome::TrustedCertificate)` if connecting with the given parameters works
-/// Returns `Ok(TlsProbeOutcome::UntrustedCertificate)` if no fingerprint was given and some certificate could not be validated
+/// Returns `Ok(TlsProbeOutcome::UntrustedCertificate)` if the provided fingerprint does not match or a certificate could not be validated
/// Returns `Err(err)` if some other error occurred
///
/// # Example
@@ -902,25 +904,47 @@ pub async fn probe_tls_connection(
// to save the invalid cert we find
let invalid_cert = Arc::new(StdMutex::new(None));
- let options = if let Some(fp) = &fingerprint {
- TlsOptions::parse_fingerprint(fp)?
- } else {
- TlsOptions::Callback(Box::new({
- let invalid_cert = invalid_cert.clone();
- move |valid: bool, chain: &mut X509StoreContextRef| {
- if let Some(cert) = chain.current_cert() {
- if !valid {
- let cert = cert
- .to_pem()
- .map_err(Error::from)
- .and_then(|pem| CertificateInfo::from_pem("", &pem));
- *invalid_cert.lock().unwrap() = Some(cert);
- }
- }
- true
+ let fingerprint = fingerprint
+ .map(|fp| fp.parse::<Fingerprint>())
+ .transpose()?;
+
+ let options = TlsOptions::Callback(Box::new({
+ let invalid_cert = invalid_cert.clone();
+ move |valid: bool, chain: &mut X509StoreContextRef| {
+ // If no fingerprint was provided and the trust store trusts the certificate, the
+ // connection is valid.
+ if fingerprint.is_none() && valid {
+ return true;
}
- }))
- };
+
+ let Some(cert) = chain.current_cert() else {
+ return true;
+ };
+
+ // If a fingerprint was provided and the certificate matches it, the connection is
+ // valid.
+ if let Some(provided_fp) = &fingerprint {
+ if cert
+ .digest(MessageDigest::sha256())
+ .map(|fp| *fp == **provided_fp)
+ .unwrap_or(false)
+ {
+ return true;
+ }
+ }
+
+ // Otherwise, the certificate is not trusted.
+ let cert = cert
+ .to_pem()
+ .map_err(Error::from)
+ .and_then(|pem| CertificateInfo::from_pem("", &pem));
+
+ *invalid_cert.lock().unwrap() = Some(cert);
+
+ true
+ }
+ }));
+
let client = proxmox_client::Client::with_options(uri, options, Default::default())?;
// set fake auth info. we don't need any, but the proxmox client will return unauthenticated if
--
2.47.3
next prev parent reply other threads:[~2026-06-11 12:04 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-11 12:03 [RFC cluster/datacenter-manager/manager/proxmox 00/17] TLS Certificate Staging Shannon Sterz
2026-06-11 12:03 ` [PATCH cluster 01/17] setup: allow caller to provide the certificate filename Shannon Sterz
2026-06-11 12:03 ` [PATCH manager 02/17] bin/api: add a new staged certificate when renewing self-signed cert Shannon Sterz
2026-06-11 12:03 ` [PATCH manager 03/17] api: certificates: if node parameter is 'localhost' return local certs Shannon Sterz
2026-06-11 12:03 ` [PATCH proxmox 04/17] client: ignore certificate trust store validation result on fp option Shannon Sterz
2026-06-11 12:03 ` [PATCH proxmox 05/17] pve-api-types: expose certificates info endpoint Shannon Sterz
2026-06-11 12:03 ` [PATCH datacenter-manager 06/17] client: don't short-circuit on valid certificate when tls fp exists Shannon Sterz
2026-06-11 12:03 ` [PATCH datacenter-manager 07/17] client: allow users to update a changed fingerprint interactively Shannon Sterz
2026-06-11 12:03 ` [PATCH datacenter-manager 08/17] cli/api-types: move Fingerprint to common api type crate Shannon Sterz
2026-06-11 12:03 ` Shannon Sterz [this message]
2026-06-11 12:03 ` [PATCH datacenter-manager 10/17] ui: wizzard: add context if a provided fingerprint did not match remote Shannon Sterz
2026-06-11 12:03 ` [PATCH datacenter-manager 11/17] ui: wizzard: nodes page: always update fingerprints on user confirmation Shannon Sterz
2026-06-11 12:03 ` [PATCH datacenter-manager 12/17] pdm-api-types: implement ApiType for Fingerprint Shannon Sterz
2026-06-11 12:03 ` [PATCH datacenter-manager 13/17] pdm-api-types: add staged_fingerprints field to NodeUrl Shannon Sterz
2026-06-11 12:03 ` [PATCH datacenter-manager 14/17] server: remotes: lock remotes config when updating it Shannon Sterz
2026-06-11 12:03 ` [PATCH datacenter-manager 15/17] server: connection: rotate in staged fingerprints when encountering them Shannon Sterz
2026-06-11 12:03 ` [PATCH datacenter-manager 16/17] server: api: tasks: move `spawn_aborted_on_shutdown()` to super module Shannon Sterz
2026-06-11 12:03 ` [PATCH datacenter-manager 17/17] server: bin: api: tasks: add task to discover new staged certificates Shannon Sterz
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260611120327.257523-10-s.sterz@proxmox.com \
--to=s.sterz@proxmox.com \
--cc=pdm-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox