* [pve-devel] [PATCH manager master+stable-8] pve8to9: improve error/log message for tls checks
@ 2025-11-19 9:25 Dominik Csapak
2025-11-19 9:48 ` [pve-devel] applied: " Thomas Lamprecht
0 siblings, 1 reply; 2+ messages in thread
From: Dominik Csapak @ 2025-11-19 9:25 UTC (permalink / raw)
To: pve-devel
we check different key sizes for RSA (2048) vs ECC (224) but the
logs/error always wrote '2048' which can be confusing if ECC keys are
used, for example:
PASS: Certificate 'pveproxy-ssl.pem' passed Debian Busters (and newer) security level for TLS connections (256 >= 2048)
Use the actual size and type we check against in the log/error so reduce
confusion.
The new log line is then:
PASS: Certificate 'pveproxy-ssl.pem' passed Debian Busters (and newer) security level for TLS connections (256 >= 224 ECC)
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
---
this is based on master, but should be cleanly cherry-pickable on
stable-8 currently
PVE/CLI/pve8to9.pm | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/PVE/CLI/pve8to9.pm b/PVE/CLI/pve8to9.pm
index 5a22c229..0c4b2343 100644
--- a/PVE/CLI/pve8to9.pm
+++ b/PVE/CLI/pve8to9.pm
@@ -2257,12 +2257,16 @@ sub check_misc {
next;
}
- if ($size < $check->{minsize}) {
- log_fail("'$fn', certificate's $check->{name} public key size is less than 2048 bit");
+ my $min_size = $check->{minsize};
+ my $name = $check->{name};
+ if ($size < $min_size) {
+ log_fail(
+ "'$fn', certificate's $check->{name} public key size is less than $min_size bit for $name"
+ );
$certs_check_failed = 1;
} else {
log_pass(
- "Certificate '$fn' passed Debian Busters (and newer) security level for TLS connections ($size >= 2048)"
+ "Certificate '$fn' passed Debian Busters (and newer) security level for TLS connections ($size >= $min_size $name)"
);
}
}
--
2.47.3
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
^ permalink raw reply [flat|nested] 2+ messages in thread
* [pve-devel] applied: [PATCH manager master+stable-8] pve8to9: improve error/log message for tls checks
2025-11-19 9:25 [pve-devel] [PATCH manager master+stable-8] pve8to9: improve error/log message for tls checks Dominik Csapak
@ 2025-11-19 9:48 ` Thomas Lamprecht
0 siblings, 0 replies; 2+ messages in thread
From: Thomas Lamprecht @ 2025-11-19 9:48 UTC (permalink / raw)
To: pve-devel, Dominik Csapak
On Wed, 19 Nov 2025 10:25:59 +0100, Dominik Csapak wrote:
> we check different key sizes for RSA (2048) vs ECC (224) but the
> logs/error always wrote '2048' which can be confusing if ECC keys are
> used, for example:
>
> PASS: Certificate 'pveproxy-ssl.pem' passed Debian Busters (and newer) security level for TLS connections (256 >= 2048)
>
> Use the actual size and type we check against in the log/error so reduce
> confusion.
>
> [...]
Applied, thanks!
[1/1] pve8to9: improve error/log message for tls checks
commit: c689714230b107f59bfce939cd392a3115b24849
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2025-11-19 9:48 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2025-11-19 9:25 [pve-devel] [PATCH manager master+stable-8] pve8to9: improve error/log message for tls checks Dominik Csapak
2025-11-19 9:48 ` [pve-devel] applied: " Thomas Lamprecht
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox