From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id 618A7E474 for ; Tue, 18 Jul 2023 14:52:12 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 407CE1AFC4 for ; Tue, 18 Jul 2023 14:51:42 +0200 (CEST) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS for ; Tue, 18 Jul 2023 14:51:41 +0200 (CEST) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 8D01042BD8 for ; Tue, 18 Jul 2023 14:51:41 +0200 (CEST) From: =?UTF-8?q?Fabian=20Gr=C3=BCnbichler?= To: pve-devel@lists.proxmox.com Date: Tue, 18 Jul 2023 14:51:37 +0200 Message-Id: <20230718125137.1429941-1-f.gruenbichler@proxmox.com> X-Mailer: git-send-email 2.39.2 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL 0.070 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record T_SCC_BODY_TEXT_LINE -0.01 - URIBL_BLOCKED 0.001 ADMINISTRATOR NOTICE: The query to URIBL was blocked. See http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block for more information. [anyevent.pm] Subject: [pve-devel] [PATCH http-server] fix #4859: properly configure TLSv1.3 only mode X-BeenThere: pve-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox VE development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 18 Jul 2023 12:52:12 -0000 set_min/max_proto_version is recommended upstream nowadays, and it seems to be required for some reason if *only* TLS v1.3 is supposed to be enabled. querying via get_options gives us the union of - system-wide openssl defaults - our internal SSL defaults - flags configured by the user via /etc/default/pveproxy note that by default only 1.2 and 1.3 are enabled in the first place, so disabling either leaves a single version being set as both min and max. Signed-off-by: Fabian Grünbichler --- /etc/default/pveproxy settings and their effect tested with sslscan src/PVE/APIServer/AnyEvent.pm | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/src/PVE/APIServer/AnyEvent.pm b/src/PVE/APIServer/AnyEvent.pm index 1fd7a74..e5a852b 100644 --- a/src/PVE/APIServer/AnyEvent.pm +++ b/src/PVE/APIServer/AnyEvent.pm @@ -2012,6 +2012,23 @@ sub new { warn "Failed to set TLS 1.3 ciphersuites '$ciphersuites'\n" if !Net::SSLeay::CTX_set_ciphersuites($self->{tls_ctx}->{ctx}, $ciphersuites); } + + my $opts = Net::SSLeay::CTX_get_options($self->{tls_ctx}->{ctx}); + my $min_version = Net::SSLeay::TLS1_1_VERSION(); + my $max_version = Net::SSLeay::TLS1_3_VERSION(); + if ($opts & Net::SSLeay::OP_NO_TLSv1_1) { + $min_version = Net::SSLeay::TLS1_2_VERSION(); + } + if ($opts & Net::SSLeay::OP_NO_TLSv1_2) { + $min_version = Net::SSLeay::TLS1_3_VERSION(); + } + if ($opts & Net::SSLeay::OP_NO_TLSv1_3) { + die "misconfigured TLS settings - cannot disable all supported TLS versions!\n" + if $min_version == Net::SSLeay::TLS1_3_VERSION(); + $max_version = Net::SSLeay::TLS1_2_VERSION(); + } + Net::SSLeay::CTX_set_min_proto_version($self->{tls_ctx}->{ctx}, $min_version); + Net::SSLeay::CTX_set_max_proto_version($self->{tls_ctx}->{ctx}, $max_version); } if ($self->{spiceproxy}) { -- 2.39.2