From: Stoiko Ivanov <s.ivanov@proxmox.com>
To: "Fabian Grünbichler" <f.gruenbichler@proxmox.com>
Cc: Proxmox VE development discussion <pve-devel@lists.proxmox.com>
Subject: Re: [pve-devel] [PATCH http-server 1/3] fix #3790: allow setting TLS 1.3 cipher suites
Date: Mon, 20 Dec 2021 18:57:29 +0100 [thread overview]
Message-ID: <20211220185729.14549a90@rosa.proxmox.com> (raw)
In-Reply-To: <20211217125733.548305-2-f.gruenbichler@proxmox.com>
Thanks for tackling this!
gave it a spin - works as advertised
one thing I think could be improved - is that currently nothing is logged
when CIPHERSUITES is set to an invalid setting.
(tested with "garbage TLS_CHACHA20_POLY1305_SHA256")
with TLS1.2 CIPHERS the log gets filled with:
'garbage' was not accepted as a valid cipher list by AnyEvent::TLS at /usr/share/perl5/PVE/APIServer/AnyEvent.pm line 1913.
The handling of openssl seems kinda sane[0] (fallback to the default list
if the provided one is not recognized) - so I think simply a
syslog('warn', - might help as feedback to users
(quickly tested it - Net::SSLeay::CTX_set_ciphersuites returns '0' if it
did not set the list).
[0]
https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_ciphersuites.html
On Fri, 17 Dec 2021 13:57:27 +0100
Fabian Grünbichler <f.gruenbichler@proxmox.com> wrote:
> like the TLS <= 1.2 cipher list, but needs a different option since the
> format and values are incompatible. AnyEvent doesn't yet handle this
> directly like the cipher list, so set it directly on the context.
>
> requires corresponding patch in pve-manager (which reads the config, and
> passes relevant parts back to the API server).
>
> Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
> ---
> src/PVE/APIServer/AnyEvent.pm | 4 ++++
> src/PVE/APIServer/Utils.pm | 3 +++
> 2 files changed, 7 insertions(+)
>
> diff --git a/src/PVE/APIServer/AnyEvent.pm b/src/PVE/APIServer/AnyEvent.pm
> index f0305b3..e31cf7d 100644
> --- a/src/PVE/APIServer/AnyEvent.pm
> +++ b/src/PVE/APIServer/AnyEvent.pm
> @@ -1885,6 +1885,9 @@ sub new {
> honor_cipher_order => 1,
> };
>
> + # workaround until anyevent supports TLS 1.3 ciphersuites directly
> + my $ciphersuites = delete $self->{ssl}->{ciphersuites};
> +
> foreach my $k (keys %$ssl_defaults) {
> $self->{ssl}->{$k} //= $ssl_defaults->{$k};
> }
> @@ -1904,6 +1907,7 @@ sub new {
>
> $self->{tls_ctx} = AnyEvent::TLS->new(%{$self->{ssl}});
> Net::SSLeay::CTX_set_options($self->{tls_ctx}->{ctx}, $tls_ctx_flags);
> + Net::SSLeay::CTX_set_ciphersuites($self->{tls_ctx}->{ctx}, $ciphersuites) if defined($ciphersuites);
> }
>
> if ($self->{spiceproxy}) {
> diff --git a/src/PVE/APIServer/Utils.pm b/src/PVE/APIServer/Utils.pm
> index 449d764..0124f44 100644
> --- a/src/PVE/APIServer/Utils.pm
> +++ b/src/PVE/APIServer/Utils.pm
> @@ -19,6 +19,7 @@ sub read_proxy_config {
> $shcmd .= 'echo \"DENY_FROM:\$DENY_FROM\";';
> $shcmd .= 'echo \"POLICY:\$POLICY\";';
> $shcmd .= 'echo \"CIPHERS:\$CIPHERS\";';
> + $shcmd .= 'echo \"CIPHERSUITES:\$CIPHERSUITES\";';
> $shcmd .= 'echo \"DHPARAMS:\$DHPARAMS\";';
> $shcmd .= 'echo \"HONOR_CIPHER_ORDER:\$HONOR_CIPHER_ORDER\";';
> $shcmd .= 'echo \"COMPRESSION:\$COMPRESSION\";';
> @@ -48,6 +49,8 @@ sub read_proxy_config {
> $res->{$key} = $value;
> } elsif ($key eq 'CIPHERS') {
> $res->{$key} = $value;
> + } elsif ($key eq 'CIPHERSUITES') {
> + $res->{$key} = $value;
> } elsif ($key eq 'DHPARAMS') {
> $res->{$key} = $value;
> } elsif ($key eq 'HONOR_CIPHER_ORDER' || $key eq 'COMPRESSION') {
next prev parent reply other threads:[~2021-12-20 17:58 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-12-17 12:57 [pve-devel] [PATCH http-server/manager/pmg-api/docs 0/10] expose more TLS knobs Fabian Grünbichler
2021-12-17 12:57 ` [pve-devel] [PATCH http-server 1/3] fix #3790: allow setting TLS 1.3 cipher suites Fabian Grünbichler
2021-12-20 17:57 ` Stoiko Ivanov [this message]
2021-12-17 12:57 ` [pve-devel] [PATCH http-server 2/3] fix #3745: allow overriding TLS key location Fabian Grünbichler
2021-12-17 12:57 ` [pve-devel] [PATCH http-server 3/3] fix #3789: allow disabling TLS v1.2/v1.3 Fabian Grünbichler
2021-12-17 12:57 ` [pve-devel] [PATCH manager 1/3] fix #3790: pass TLS 1.3 ciphersuites if set Fabian Grünbichler
2021-12-17 12:57 ` [pve-devel] [PATCH manager 2/3] fix #3745: handle overridden TLS key location Fabian Grünbichler
2021-12-17 12:57 ` [pve-devel] [PATCH manager 3/3] fix #3789: pass disable TLS 1.2/1.3 options Fabian Grünbichler
2021-12-17 12:57 ` [pve-devel] [PATCH docs] pveproxy: document newly added options Fabian Grünbichler
2021-12-20 18:00 ` Stoiko Ivanov
2022-01-13 16:22 ` [pve-devel] applied: " Thomas Lamprecht
2021-12-20 18:01 ` [pve-devel] [PATCH http-server/manager/pmg-api/docs 0/10] expose more TLS knobs Stoiko Ivanov
2022-01-13 12:36 ` [pve-devel] partially-applied-series: " Thomas Lamprecht
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20211220185729.14549a90@rosa.proxmox.com \
--to=s.ivanov@proxmox.com \
--cc=f.gruenbichler@proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox