From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 546C2859BF for ; Mon, 20 Dec 2021 18:58:03 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 381AA20F8F for ; Mon, 20 Dec 2021 18:57:33 +0100 (CET) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS id 7A2AE20F81 for ; Mon, 20 Dec 2021 18:57:31 +0100 (CET) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 505F645169 for ; Mon, 20 Dec 2021 18:57:31 +0100 (CET) Date: Mon, 20 Dec 2021 18:57:29 +0100 From: Stoiko Ivanov To: Fabian =?UTF-8?B?R3LDvG5iaWNobGVy?= Cc: Proxmox VE development discussion Message-ID: <20211220185729.14549a90@rosa.proxmox.com> In-Reply-To: <20211217125733.548305-2-f.gruenbichler@proxmox.com> References: <20211217125733.548305-1-f.gruenbichler@proxmox.com> <20211217125733.548305-2-f.gruenbichler@proxmox.com> X-Mailer: Claws Mail 3.17.8 (GTK+ 2.24.33; x86_64-pc-linux-gnu) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-SPAM-LEVEL: Spam detection results: 0 AWL 0.274 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: Re: [pve-devel] [PATCH http-server 1/3] fix #3790: allow setting TLS 1.3 cipher suites X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 20 Dec 2021 17:58:03 -0000 Thanks for tackling this! gave it a spin - works as advertised one thing I think could be improved - is that currently nothing is logged when CIPHERSUITES is set to an invalid setting. (tested with "garbage TLS_CHACHA20_POLY1305_SHA256") with TLS1.2 CIPHERS the log gets filled with: 'garbage' was not accepted as a valid cipher list by AnyEvent::TLS at /usr/= share/perl5/PVE/APIServer/AnyEvent.pm line 1913. The handling of openssl seems kinda sane[0] (fallback to the default list if the provided one is not recognized) - so I think simply a=20 syslog('warn', - might help as feedback to users (quickly tested it - Net::SSLeay::CTX_set_ciphersuites returns '0' if it did not set the list). [0] https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_ciphersuites.html On Fri, 17 Dec 2021 13:57:27 +0100 Fabian Gr=C3=BCnbichler wrote: > like the TLS <=3D 1.2 cipher list, but needs a different option since the > format and values are incompatible. AnyEvent doesn't yet handle this > directly like the cipher list, so set it directly on the context. >=20 > requires corresponding patch in pve-manager (which reads the config, and > passes relevant parts back to the API server). >=20 > Signed-off-by: Fabian Gr=C3=BCnbichler > --- > src/PVE/APIServer/AnyEvent.pm | 4 ++++ > src/PVE/APIServer/Utils.pm | 3 +++ > 2 files changed, 7 insertions(+) >=20 > diff --git a/src/PVE/APIServer/AnyEvent.pm b/src/PVE/APIServer/AnyEvent.pm > index f0305b3..e31cf7d 100644 > --- a/src/PVE/APIServer/AnyEvent.pm > +++ b/src/PVE/APIServer/AnyEvent.pm > @@ -1885,6 +1885,9 @@ sub new { > honor_cipher_order =3D> 1, > }; > =20 > + # workaround until anyevent supports TLS 1.3 ciphersuites directly > + my $ciphersuites =3D delete $self->{ssl}->{ciphersuites}; > + > foreach my $k (keys %$ssl_defaults) { > $self->{ssl}->{$k} //=3D $ssl_defaults->{$k}; > } > @@ -1904,6 +1907,7 @@ sub new { > =20 > $self->{tls_ctx} =3D AnyEvent::TLS->new(%{$self->{ssl}}); > Net::SSLeay::CTX_set_options($self->{tls_ctx}->{ctx}, $tls_ctx_flags); > + Net::SSLeay::CTX_set_ciphersuites($self->{tls_ctx}->{ctx}, $ciphersuite= s) if defined($ciphersuites); > } > =20 > if ($self->{spiceproxy}) { > diff --git a/src/PVE/APIServer/Utils.pm b/src/PVE/APIServer/Utils.pm > index 449d764..0124f44 100644 > --- a/src/PVE/APIServer/Utils.pm > +++ b/src/PVE/APIServer/Utils.pm > @@ -19,6 +19,7 @@ sub read_proxy_config { > $shcmd .=3D 'echo \"DENY_FROM:\$DENY_FROM\";'; > $shcmd .=3D 'echo \"POLICY:\$POLICY\";'; > $shcmd .=3D 'echo \"CIPHERS:\$CIPHERS\";'; > + $shcmd .=3D 'echo \"CIPHERSUITES:\$CIPHERSUITES\";'; > $shcmd .=3D 'echo \"DHPARAMS:\$DHPARAMS\";'; > $shcmd .=3D 'echo \"HONOR_CIPHER_ORDER:\$HONOR_CIPHER_ORDER\";'; > $shcmd .=3D 'echo \"COMPRESSION:\$COMPRESSION\";'; > @@ -48,6 +49,8 @@ sub read_proxy_config { > $res->{$key} =3D $value; > } elsif ($key eq 'CIPHERS') { > $res->{$key} =3D $value; > + } elsif ($key eq 'CIPHERSUITES') { > + $res->{$key} =3D $value; > } elsif ($key eq 'DHPARAMS') { > $res->{$key} =3D $value; > } elsif ($key eq 'HONOR_CIPHER_ORDER' || $key eq 'COMPRESSION') {