* [pmg-devel] [PATCH pmg-api 1/2] pass TLS 1.3 ciphersuites if set [not found] <20211217125733.548305-1-f.gruenbichler@proxmox.com> @ 2021-12-17 13:00 ` Fabian Grünbichler 2021-12-17 13:00 ` [pmg-devel] [PATCH pmg-api 2/2] pass disable TLS 1.2/1.3 options Fabian Grünbichler ` (2 more replies) 0 siblings, 3 replies; 6+ messages in thread From: Fabian Grünbichler @ 2021-12-17 13:00 UTC (permalink / raw) To: pmg-devel Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com> --- requires http-server patches https://lists.proxmox.com/pipermail/pve-devel/2021-December/051227.html src/PMG/Service/pmgproxy.pm | 1 + 1 file changed, 1 insertion(+) diff --git a/src/PMG/Service/pmgproxy.pm b/src/PMG/Service/pmgproxy.pm index 0efde23..cde6d3c 100755 --- a/src/PMG/Service/pmgproxy.pm +++ b/src/PMG/Service/pmgproxy.pm @@ -104,6 +104,7 @@ sub init { cert_file => '/etc/pmg/pmg-api.pem', dh => 'skip2048', cipher_list => $proxyconf->{CIPHERS}, + ciphersuites => $proxyconf->{CIPHERSUITES}, honor_cipher_order => $proxyconf->{HONOR_CIPHER_ORDER}, }, compression => $proxyconf->{COMPRESSION}, -- 2.30.2 ^ permalink raw reply [flat|nested] 6+ messages in thread
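Review bot: the new `ciphersuites => $proxyconf->{CIPHERSUITES}` key only has an effect with the http-server patches linked in the commit message, and because the whole `ssl` hash is handed through unchanged, an older http-server would most likely just ignore the key rather than fail, so this should land together with a versioned dependency bump on the http-server package in debian/control. It would also help to state in the commit message that an unset `CIPHERSUITES` leaves the server's TLS 1.3 default in place, mirroring the existing `cipher_list => $proxyconf->{CIPHERS}` line directly above it.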
* [pmg-devel] [PATCH pmg-api 2/2] pass disable TLS 1.2/1.3 options 2021-12-17 13:00 ` [pmg-devel] [PATCH pmg-api 1/2] pass TLS 1.3 ciphersuites if set Fabian Grünbichler @ 2021-12-17 13:00 ` Fabian Grünbichler 2022-02-03 10:32 ` [pmg-devel] applied: " Thomas Lamprecht 2021-12-17 13:00 ` [pmg-devel] [PATCH pmg-docs] pmgproxy: document newly added options Fabian Grünbichler 2022-02-03 10:32 ` [pmg-devel] applied: [PATCH pmg-api 1/2] pass TLS 1.3 ciphersuites if set Thomas Lamprecht 2 siblings, 1 reply; 6+ messages in thread From: Fabian Grünbichler @ 2021-12-17 13:00 UTC (permalink / raw) To: pmg-devel Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com> --- requires http-server patches https://lists.proxmox.com/pipermail/pve-devel/2021-December/051227.html src/PMG/Service/pmgproxy.pm | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/PMG/Service/pmgproxy.pm b/src/PMG/Service/pmgproxy.pm index cde6d3c..5334e6f 100755 --- a/src/PMG/Service/pmgproxy.pm +++ b/src/PMG/Service/pmgproxy.pm @@ -129,6 +129,12 @@ sub init { if (defined($proxyconf->{DHPARAMS})) { $self->{server_config}->{ssl}->{dh_file} = $proxyconf->{DHPARAMS}; } + if (defined($proxyconf->{DISABLE_TLS_1_2})) { + $self->{server_config}->{ssl}->{tlsv1_2} = !$proxyconf->{DISABLE_TLS_1_2}; + } + if (defined($proxyconf->{DISABLE_TLS_1_3})) { + $self->{server_config}->{ssl}->{tlsv1_3} = !$proxyconf->{DISABLE_TLS_1_3}; + } } sub run { -- 2.30.2 ^ permalink raw reply [flat|nested] 6+ messages in thread
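Review bot: nothing in `init` stops `DISABLE_TLS_1_2=1` and `DISABLE_TLS_1_3=1` from being set at the same time, which, with TLS 1.0/1.1 already off by default on current OpenSSL, leaves pmgproxy with no protocol version it can negotiate; consider a `die` (or at least a logged warning) when both resolve to true. Note also that `!$proxyconf->{DISABLE_TLS_1_2}` treats every value other than `0` or the empty string as "disable", so `DISABLE_TLS_1_2=no` would disable TLS 1.2; either validate the value here or spell that out in the documentation.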
* [pmg-devel] applied: [PATCH pmg-api 2/2] pass disable TLS 1.2/1.3 options 2021-12-17 13:00 ` [pmg-devel] [PATCH pmg-api 2/2] pass disable TLS 1.2/1.3 options Fabian Grünbichler @ 2022-02-03 10:32 ` Thomas Lamprecht 0 siblings, 0 replies; 6+ messages in thread From: Thomas Lamprecht @ 2022-02-03 10:32 UTC (permalink / raw) To: Fabian Grünbichler, pmg-devel On 17.12.21 14:00, Fabian Grünbichler wrote: > Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com> > --- > requires http-server patches > https://lists.proxmox.com/pipermail/pve-devel/2021-December/051227.html > > src/PMG/Service/pmgproxy.pm | 6 ++++++ > 1 file changed, 6 insertions(+) > > applied, thanks! ^ permalink raw reply [flat|nested] 6+ messages in thread
* [pmg-devel] [PATCH pmg-docs] pmgproxy: document newly added options 2021-12-17 13:00 ` [pmg-devel] [PATCH pmg-api 1/2] pass TLS 1.3 ciphersuites if set Fabian Grünbichler 2021-12-17 13:00 ` [pmg-devel] [PATCH pmg-api 2/2] pass disable TLS 1.2/1.3 options Fabian Grünbichler @ 2021-12-17 13:00 ` Fabian Grünbichler 2022-02-03 10:32 ` [pmg-devel] applied: " Thomas Lamprecht 2022-02-03 10:32 ` [pmg-devel] applied: [PATCH pmg-api 1/2] pass TLS 1.3 ciphersuites if set Thomas Lamprecht 2 siblings, 1 reply; 6+ messages in thread From: Fabian Grünbichler @ 2021-12-17 13:00 UTC (permalink / raw) To: pmg-devel adapted from pve-docs -> pveproxy Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com> --- pmgproxy.adoc | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/pmgproxy.adoc b/pmgproxy.adoc index 6e48fba..101f269 100644 --- a/pmgproxy.adoc +++ b/pmgproxy.adoc @@ -125,7 +125,10 @@ should set a maintenance window to bring this change into effect. SSL Cipher Suite ---------------- -You can define the cipher list in `/etc/default/pmgproxy`, for example: +You can define the cipher list in `/etc/default/pmgproxy`, via the `CIPHERS` +(TLS <= 1.2) and `CIPHERSUITES` (TLS >= 1.3) keys. + +For example: CIPHERS="ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256" 
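Review bot: the rewritten sentence says `CIPHERSUITES` is for TLS >= 1.3, but the only example that follows is the existing `CIPHERS` line, and TLS 1.3 suites use a different naming scheme (`TLS_AES_256_GCM_SHA384`-style IANA names, not the `ECDHE-RSA-...` names shown), so readers are likely to paste TLS 1.2-style names into `CIPHERSUITES`. Add a second example line such as `CIPHERSUITES="TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"` after the `CIPHERS` one and say that both are colon-separated OpenSSL lists.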
@@ -141,6 +144,25 @@ by disabling the HONOR_CIPHER_ORDER option in `/etc/default/pmgproxy`: HONOR_CIPHER_ORDER=0 +Supported TLS versions +---------------------- + +The insecure SSL versions 2 and 3 are unconditionally disabled for `pmgproxy`. +TLS versions below 1.1 are disabled by default on recent OpenSSL versions, +which is honored by `pmgproxy` (see `/etc/ssl/openssl.cnf`). + +To disable TLS version 1.2, set the following in `/etc/default/pmgproxy`: + + DISABLE_TLS_1_2=1 + +or, respectively, to disable TLS version 1.3: + + DISABLE_TLS_1_3=1 + +NOTE: Unless there is a specific reason to do so, it is not recommended to +manually adjust the supported TLS versions. + + Diffie-Hellman Parameters ------------------------- -- 2.30.2 ^ permalink raw reply [flat|nested] 6+ messages in thread
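Review bot: "TLS versions below 1.1 are disabled by default on recent OpenSSL versions" understates what the shipped config does: Debian bullseye's /etc/ssl/openssl.cnf sets `MinProtocol = TLSv1.2`, so TLS 1.0 and 1.1 are both off unless that file is edited; after checking the shipped config, say "below 1.2". The section should also say what happens when both `DISABLE_TLS_1_2=1` and `DISABLE_TLS_1_3=1` are set, since the code accepts that combination, and, like the maintenance-window remark in the context just above, that the new options only take effect after a pmgproxy restart.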
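The following is an added example and not code from the pmg-api or pmg-docs patches above, nor from pmgproxy itself (which is Perl). It shows, in Python, what a practitioner would want before restarting pmgproxy with the new `CIPHERSUITES` and `DISABLE_TLS_1_x` keys: derive the settings the two code hunks would pass to the HTTP server from a `/etc/default/pmgproxy`-style file, then sanity-check them against the local OpenSSL. It assumes the defaults file is plain shell-style `KEY=VALUE` lines with optional double quotes, and that the resulting structure is keyed like the `ssl` hash in the diff (`cipher_list`, `ciphersuites`, `tlsv1_2`, `tlsv1_3`, `honor_cipher_order`); the sample file content is constructed, not taken from a real host.

```python
"""Added example (not part of the pmg-api patches or of pmgproxy): derive the
TLS settings pmgproxy would hand to the HTTP server from a
/etc/default/pmgproxy-style file and sanity-check them with local OpenSSL."""
import shlex
import ssl

# Constructed sample of /etc/default/pmgproxy (not from a real host).
SAMPLE_DEFAULTS = """
# pmgproxy defaults (constructed sample)
CIPHERS="ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305"
CIPHERSUITES="TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
HONOR_CIPHER_ORDER=1
DISABLE_TLS_1_2=0
"""


def parse_defaults(text):
    """Parse shell-style KEY=VALUE lines (assumed format); skip comments/blanks."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        parts = shlex.split(value)  # strips the surrounding double quotes like a shell
        conf[key.strip()] = parts[0] if parts else ""
    return conf


def perl_true(value):
    """Mirror Perl truthiness as used by the patch's `!` negation:
    '' and '0' are false, every other string is true."""
    return value not in ("", "0")


def ssl_config(conf):
    """Build the ssl settings the way the two pmg-api hunks do: keys absent
    from the file leave the server default untouched (the defined() checks);
    a present DISABLE_TLS_1_x turns the matching tlsv1_x flag into its negation."""
    cfg = {
        "cipher_list": conf.get("CIPHERS"),
        "ciphersuites": conf.get("CIPHERSUITES"),
        "honor_cipher_order": conf.get("HONOR_CIPHER_ORDER"),
    }
    if "DISABLE_TLS_1_2" in conf:
        cfg["tlsv1_2"] = not perl_true(conf["DISABLE_TLS_1_2"])
    if "DISABLE_TLS_1_3" in conf:
        cfg["tlsv1_3"] = not perl_true(conf["DISABLE_TLS_1_3"])
    return cfg


def check_config(cfg):
    """Return a list of problems (empty means the settings look sane).
    Names are validated against the OpenSSL that Python's ssl module links."""
    problems = []
    if cfg.get("tlsv1_2") is False and cfg.get("tlsv1_3") is False:
        problems.append("both TLS 1.2 and TLS 1.3 disabled: no modern client can connect")
    if cfg.get("cipher_list"):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        try:
            ctx.set_ciphers(cfg["cipher_list"])  # SSLError if no cipher matches
        except ssl.SSLError as exc:
            problems.append(f"CIPHERS rejected by OpenSSL: {exc}")
    if cfg.get("ciphersuites"):
        # Python cannot *set* TLS 1.3 suites, but get_ciphers() reports the
        # ones OpenSSL knows per protocol, which catches TLS 1.2-style names
        # pasted into CIPHERSUITES by mistake.
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        known13 = {c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.3"}
        for name in cfg["ciphersuites"].split(":"):
            if name not in known13:
                problems.append(f"unknown TLS 1.3 ciphersuite: {name}")
    return problems


if __name__ == "__main__":
    cfg = ssl_config(parse_defaults(SAMPLE_DEFAULTS))
    for problem in check_config(cfg) or ["configuration looks sane"]:
        print(problem)
```

Run it against the real `/etc/default/pmgproxy` by replacing `SAMPLE_DEFAULTS` with the file's content; a non-empty problem list is a reason not to restart pmgproxy yet. The `ssl` module cannot apply `ciphersuites` itself, so the TLS 1.3 check is a name lookup only; a loopback `openssl s_client -tls1_3 -ciphersuites ...` against the restarted proxy is the final confirmation.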
* [pmg-devel] applied: [PATCH pmg-docs] pmgproxy: document newly added options 2021-12-17 13:00 ` [pmg-devel] [PATCH pmg-docs] pmgproxy: document newly added options Fabian Grünbichler @ 2022-02-03 10:32 ` Thomas Lamprecht 0 siblings, 0 replies; 6+ messages in thread From: Thomas Lamprecht @ 2022-02-03 10:32 UTC (permalink / raw) To: Fabian Grünbichler, pmg-devel On 17.12.21 14:00, Fabian Grünbichler wrote: > adapted from pve-docs -> pveproxy > > Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com> > --- > pmgproxy.adoc | 24 +++++++++++++++++++++++- > 1 file changed, 23 insertions(+), 1 deletion(-) > > applied, thanks! ^ permalink raw reply [flat|nested] 6+ messages in thread
* [pmg-devel] applied: [PATCH pmg-api 1/2] pass TLS 1.3 ciphersuites if set 2021-12-17 13:00 ` [pmg-devel] [PATCH pmg-api 1/2] pass TLS 1.3 ciphersuites if set Fabian Grünbichler 2021-12-17 13:00 ` [pmg-devel] [PATCH pmg-api 2/2] pass disable TLS 1.2/1.3 options Fabian Grünbichler 2021-12-17 13:00 ` [pmg-devel] [PATCH pmg-docs] pmgproxy: document newly added options Fabian Grünbichler @ 2022-02-03 10:32 ` Thomas Lamprecht 2 siblings, 0 replies; 6+ messages in thread From: Thomas Lamprecht @ 2022-02-03 10:32 UTC (permalink / raw) To: Fabian Grünbichler, pmg-devel On 17.12.21 14:00, Fabian Grünbichler wrote: > Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com> > --- > requires http-server patches > https://lists.proxmox.com/pipermail/pve-devel/2021-December/051227.html > > src/PMG/Service/pmgproxy.pm | 1 + > 1 file changed, 1 insertion(+) > > applied, thanks! ^ permalink raw reply [flat|nested] 6+ messages in thread