From: Max Carrara
To: pve-devel@lists.proxmox.com
Date: Fri, 26 Jan 2024 16:27:52 +0100
Message-Id: <20240126152752.638639-2-m.carrara@proxmox.com>
In-Reply-To: <20240126152752.638639-1-m.carrara@proxmox.com>
References: <20240126152752.638639-1-m.carrara@proxmox.com>
Subject: [pve-devel] [PATCH quincy-stable-8 ceph 2/2] patch: fix `ceph dashboard` subcommand becoming unavailable on crash
List-Id: Proxmox VE development discussion

Adapt the patch that originally disabled certain TLS checks during the dashboard's startup and fix the `ceph dashboard` subcommand becoming unavailable if the dashboard crashes during that time.

This is achieved by re-implementing certain checks and also re-raising any other unforeseen exceptions that occur in regard to TLS as one of Ceph's internal exception types, which are then handled by the dashboard itself. This is akin to how these cases were handled originally.

Signed-off-by: Max Carrara
---
 ...move-ability-to-create-and-check-TLS.patch | 53 ++++++++++++++-----
 1 file changed, 40 insertions(+), 13 deletions(-)

diff --git a/patches/0022-mgr-dashboard-remove-ability-to-create-and-check-TLS.patch b/patches/0022-mgr-dashboard-remove-ability-to-create-and-check-TLS.patch index 59c5263da..09e702c05 100644 --- a/patches/0022-mgr-dashboard-remove-ability-to-create-and-check-TLS.patch +++ b/patches/0022-mgr-dashboard-remove-ability-to-create-and-check-TLS.patch @@ -1,6 +1,6 @@ From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Max Carrara -Date: Thu, 4 Jan 2024 17:37:50 +0100 +Date: Fri, 26 Jan 2024 14:04:47 +0100 Subject: [PATCH] mgr/dashboard: remove ability to create and check TLS key/cert pairs
@@ -18,6 +18,17 @@ key/cert pair actually match, is also removed. This means that users need to ensure themselves that the correct pair is supplied - otherwise their browser will complain. +Other checks unrelated to the verification of keypairs are preserved, +such as checking for the cert's and key's existence on the filesystem. + +`ssl.SSLError`s that occur during startup are re-raised with the +additional information they contain as `ServerConfigException`s, as +the dashboard handles these in its startup loop. Other exceptions are +re-raised as well. Otherwise, the dashboard will irrecoverably crash, +which also causes the `ceph dashboard` subcommand to stop working +altogether, even if one of its sub-subcommands are unrelated to the +dashboard itself. + These changes allow the dashboard to launch with TLS enabled again. [0]: https://tracker.ceph.com/issues/63529 @@ -25,11 +36,11 @@ These changes allow the dashboard to launch with TLS enabled again. Signed-off-by: Max Carrara --- - src/pybind/mgr/dashboard/module.py | 41 ++++++++++++++++++++---------- - 1 file changed, 27 insertions(+), 14 deletions(-) + src/pybind/mgr/dashboard/module.py | 58 ++++++++++++++++++++++-------- + 1 file changed, 43 insertions(+), 15 deletions(-) diff --git a/src/pybind/mgr/dashboard/module.py b/src/pybind/mgr/dashboard/module.py -index 68725be6e35..9db55a3ee93 100644 +index 68725be6e35..c8b263d9786 100644 --- a/src/pybind/mgr/dashboard/module.py +++ b/src/pybind/mgr/dashboard/module.py @@ -23,8 +23,7 @@ if TYPE_CHECKING: 
@@ -42,25 +53,41 @@ index 68725be6e35..9db55a3ee93 100644 from . import mgr from .controllers import Router, json_error_page -@@ -172,11 +171,14 @@ class CherryPyConfig(object): +@@ -172,11 +171,29 @@ class CherryPyConfig(object): else: pkey_fname = self.get_localized_module_option('key_file') # type: ignore - verify_tls_files(cert_fname, pkey_fname) -- - # Create custom SSL context to disable TLS 1.0 and 1.1. - context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH) -- context.load_cert_chain(cert_fname, pkey_fname) ++ if not cert_fname or not pkey_fname: ++ raise ServerConfigException('no certificate configured') ++ ++ if not os.path.isfile(cert_fname): ++ raise ServerConfigException(f"Certificate {cert_fname} does not exist") ++ ++ if not os.path.isfile(pkey_fname): ++ raise ServerConfigException(f"private key {pkey_fname} does not exist") + + try: ++ # Create custom SSL context to disable TLS 1.0 and 1.1. ++ context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH) + context.load_cert_chain(cert_fname, pkey_fname) -+ except ssl.SSLError: -+ raise ServerConfigException("No certificate configured") -+ ++ except ssl.SSLError as e: ++ raise ServerConfigException( ++ "Encountered unexpected error while creating SSL context" ++ f" - library: {e.library}, reason: {e.reason}" ++ ) ++ except Exception as e: ++ raise ServerConfigException( ++ f"Encountered unexpected error while creating SSL context: {e}" ++ ) + +- # Create custom SSL context to disable TLS 1.0 and 1.1. +- context = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH) +- context.load_cert_chain(cert_fname, pkey_fname) if sys.version_info >= (3, 7): if Settings.UNSAFE_TLS_v1_2: context.minimum_version = ssl.TLSVersion.TLSv1_2 -@@ -473,15 +475,26 @@ class Module(MgrModule, CherryPyConfig): +@@ -473,15 +490,26 @@ class Module(MgrModule, CherryPyConfig): @CLIWriteCommand("dashboard create-self-signed-cert") def set_mgr_created_self_signed_cert(self): -- 2.39.2
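Review bot: In the commit-message paragraph added by the `@@ -18,6 +18,17 @@` hunk, "even if one of its sub-subcommands are unrelated to the dashboard itself" should read "is unrelated", and "Other exceptions are re-raised as well" does not say as what; since the code hunk further down wraps them in `ServerConfigException` too, stating that explicitly keeps the message in line with the code.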
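Review bot: Both new `except` clauses in the `@@ -42,25 +53,41 @@` hunk drop the original traceback; raising with `raise ServerConfigException(...) from e` keeps the chain in the mgr log so an operator can see which OpenSSL call rejected the files. The `ssl.SSLError` message built from `e.library` and `e.reason` omits `str(e)`, which is what actually names the failing PEM parse or key/cert mismatch, and neither attribute is guaranteed to be populated, so consider appending `{e}` to that message as well. Note also that the `os.path.isfile` checks do not cover a cert or key file that exists but is unreadable by the mgr process; `load_cert_chain` then raises a `PermissionError`, which lands in the broad `except Exception` branch with the generic "unexpected error" text, so that branch is doing real work and its message could mention the file names. The visible lines do not show `os` being imported in module.py (the import hunk at `@@ -23,8 +23,7 @@` is not included here), so please confirm it is. Minor: the three new messages are inconsistently capitalised ("no certificate configured", "Certificate ... does not exist", "private key ... does not exist").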