From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id E84D4859CE for ; Mon, 20 Dec 2021 19:00:58 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id DEE8221003 for ; Mon, 20 Dec 2021 19:00:28 +0100 (CET) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS id 978A120FF6 for ; Mon, 20 Dec 2021 19:00:27 +0100 (CET) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 6DC9244F36 for ; Mon, 20 Dec 2021 19:00:27 +0100 (CET) Date: Mon, 20 Dec 2021 19:00:26 +0100 From: Stoiko Ivanov To: Fabian =?UTF-8?B?R3LDvG5iaWNobGVy?= Cc: Proxmox VE development discussion Message-ID: <20211220190026.516f587b@rosa.proxmox.com> In-Reply-To: <20211217125733.548305-8-f.gruenbichler@proxmox.com> References: <20211217125733.548305-1-f.gruenbichler@proxmox.com> <20211217125733.548305-8-f.gruenbichler@proxmox.com> X-Mailer: Claws Mail 3.17.8 (GTK+ 2.24.33; x86_64-pc-linux-gnu) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable X-SPAM-LEVEL: Spam detection results: 0 AWL 0.273 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: Re: [pve-devel] [PATCH docs] pveproxy: document newly added options X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 20 Dec 2021 18:00:58 -0000 tiny nit inline: On Fri, 17 Dec 2021 13:57:33 +0100 Fabian Gr=C3=BCnbichler wrote: > Signed-off-by: Fabian Gr=C3=BCnbichler > --- > pveproxy.adoc | 30 +++++++++++++++++++++++++++++- > 1 file changed, 29 insertions(+), 1 deletion(-) >=20 > diff --git a/pveproxy.adoc b/pveproxy.adoc > index 4696d66..8fc6195 100644 > --- a/pveproxy.adoc > +++ b/pveproxy.adoc > @@ -117,9 +117,11 @@ effect. > SSL Cipher Suite > ---------------- > =20 > -You can define the cipher list in `/etc/default/pveproxy`, for example > +You can define the cipher list in `/etc/default/pveproxy` via the `CIPHE= RS` > +(TLS <=3D 1.2) and `CIPHERSUITES` (TLS >=3D 1.3) keys. For example > =20 > CIPHERS=3D"ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:EC= DHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-= GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-= AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256" > + CIPHERSUITES=3D"TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS= _AES_128_GCM_SHA256" > =20 > Above is the default. See the ciphers(1) man page from the openssl > package for a list of all available options. > @@ -131,6 +133,25 @@ both client and `pveproxy`): > HONOR_CIPHER_ORDER=3D0 > =20 > =20 > +Supported TLS versions > +---------------------- > + > +The insecure SSL versions 2 and 3 are unconditionally disabled for pvepr= oxy. > +TLS versions below 1.1 are disabled by default on recent OpenSSL version= s, > +which is honored by `pveproxy` (see `/etc/ssl/openssl.cnf`). > + > +To disable TLS version 1.2 or 1.3, set the following in `/etc/default/pv= eproxy`: > + > + DISABLE_TLS_1_2=3D1 > + > +or, respectively: > + > + DISABLE_TLS_1_3=3D1 > + > +NOTE: Unless there is a specific reason to do so, it is not recommended = to > +manually adjust the supported TLS versions. > + > + > Diffie-Hellman Parameters > ------------------------- > =20 > @@ -157,6 +178,13 @@ pveproxy uses `/etc/pve/local/pveproxy-ssl.pem` and > `/etc/pve/local/pve-ssl.pem` and `/etc/pve/local/pve-ssl.key`. > The private key may not use a passphrase. > =20 > +It is possible to override the location of the certificate private key by maybe add a `(/etc/pve/local/pveproxy-ssl.key)` here to avoid confusion afaicu - overriding works only for pveproxy-ssl.pem > +setting `TLS_KEY_FILE` in `/etc/default/pveproxy`, for example: > + > + TLS_KEY_FILE=3D"/secrets/pveproxy.key" > + > +NOTE: The included ACME integration does not honor this setting. > + > See the Host System Administration chapter of the documentation for deta= ils. > =20 > COMPRESSION