From: Stoiko Ivanov
To: pmg-devel@lists.proxmox.com
Date: Thu, 18 Mar 2021 16:14:48 +0100
Subject: [pmg-devel] [PATCH pmg-api 3/4] cluster: use old and new fingerprint on master
Message-Id: <20210318151449.18638-4-s.ivanov@proxmox.com>
In-Reply-To: <20210318151449.18638-1-s.ivanov@proxmox.com>
References: <20210318151449.18638-1-s.ivanov@proxmox.com>

When triggering a fingerprint update on master right after reloading pmgproxy, as we do for ACME certificates, it can happen that the connection is made against the old pmgproxy process (with the old fingerprint).

Simply trusting both fingerprints in that case seems acceptable from a security perspective and makes the fingerprint update more robust.

Signed-off-by: Stoiko Ivanov

--- src/PMG/Cluster.pm | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/src/PMG/Cluster.pm b/src/PMG/Cluster.pm index e7bf266..acaea8d 100644 --- a/src/PMG/Cluster.pm +++ b/src/PMG/Cluster.pm
@@ -316,11 +316,13 @@ sub trigger_update_fingerprints { my ($cinfo) = @_; my $master = $cinfo->{master} || die "unable to lookup master node\n"; - my $master_fp = $master->{fingerprint}; + my $cached_fp = { $master->{fingerprint} => 1 }; # if running on master the current fingerprint for the API-connection is needed + # in addition (to prevent races with restarting pmgproxy if ($cinfo->{local}->{type} eq 'master') { - $master_fp = PMG::Cluster::read_local_ssl_cert_fingerprint(); + my $new_fp = PMG::Cluster::read_local_ssl_cert_fingerprint(); + $cached_fp->{$new_fp} = 1; } my $ticket = PMG::Ticket::assemble_ticket('root@pam'); @@ -330,10 +332,8 @@ sub trigger_update_fingerprints { csrftoken => $csrftoken, cookie_name => 'PMGAuthCookie', host => $master->{ip}, - cached_fingerprints => { - $master_fp => 1, - }, - ); + cached_fingerprints => $cached_fp, + ); $conn->post("/config/cluster/update-fingerprints", {}); return undef; -- 2.20.1
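
Review bot: In the first hunk (`@@ -316,11 +316,13 @@`), neither `$master->{fingerprint}` nor the return value of `read_local_ssl_cert_fingerprint()` is checked for being defined before it is used as a key of `$cached_fp`. An undefined value would end up as an empty-string key in the set of trusted fingerprints, so consider dying or skipping the entry when either value is missing. The added comment line `# in addition (to prevent races with restarting pmgproxy` is also missing its closing parenthesis.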
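
Review bot: In the second hunk (`@@ -330,10 +332,8 @@`), the closing `);` of the connection arguments is removed and re-added with what looks like a whitespace-only change. Please keep that line untouched or mention the indentation fix in the commit message, so the functional change stays limited to `cached_fingerprints => $cached_fp,`. Since this connection carries the `root@pam` ticket and CSRF token, a short comment at the call site noting that on master the set can hold both the cached and the freshly read fingerprint would help later readers understand why more than one pin is accepted.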