[PATCH proxmox{,-backup,-websocket-tunnel} v3 0/6] unify openssl callback logic

[Dominik Csapak <d.csapak@proxmox.com>]

There are currently 3+ slightly different implementations of the openssl
verify callback in place. They differ in how an explicit fingerprint
would be checked:

* pbs-client: if verification was on, a valid certificate would trump a
  wrong epxlicit fingerprint
* proxmox-websocket-tunnel: if an explicit fingerprint was given, it was
  checked, regardless of the openssl result
* proxmox-client: the openssl validity had priority as in pbs-client,
  but the fingerprint was not checked against the leaf certificate, but
  agains all certificates in the chain (which would lead to false
  negatives). Note that this is currently only used in PDM
* PDM client has also a different implementation (not touched here)

This series aims to unify the general behavior, but design the interface
to be flexible enought to accomodate the different call sites needs.

I included the change of features for crates, but they have to be bumped
before hand of course and the version must be changed in Cargo.toml.

(if I should send that differently, please do tell how it should be done)

The last patch of the proxmox-http crate is to preserve backwards compatibility
with the current pbs client behavior, but can be switched to the new 'correct'
one via environment variable (which we might want to enable automatically for
the websocket-tunnel?)

Also, since it rather deep in the stack for PBS (remotes sync, etc.) and
PVE (remote migration) IMHO this is a series that should be tested very
well.

Further work could be to unify this behavior for our perl clients too,
but it seemed out of scope for this series. (notably the PVE::APIClient
and the client used in the SDN code)

I tried to implement some tests, but due to the openssl interface this
seems to be not really possible, except if we'd start a server + client
in the tests (which seems overkill). But if anyone has an idea how we
could test this code (and i mean not only it's interface, but the
openssl connection behavior), I'd be glad.

This series partially overlaps/interferes with shannons recent series:
https://lore.proxmox.com/pdm-devel/20260611120327.257523-1-s.sterz@proxmox.com/

Depending on whether this or shannons series is applied first, I'd either
send a follow-up for PDM or a new version rebased on shannons.

changes from v3:
* rebase on master
* add backwards compatibility switch via ENV variable
* add patch for pbs to check already verified fingerprints

changes from v1:
* rebase on master (drops one patch)
* drop hex dependency


proxmox:

Dominik Csapak (3):
  http: factor out openssl verification callback
  http: tls: use legacy behavior when PROXMOX_NEW_TLS_CHECK is not set
  client: use proxmox-http's openssl verification callback

 proxmox-client/Cargo.toml    |   2 +-
 proxmox-client/src/client.rs |  69 ++++++++--------------
 proxmox-http/Cargo.toml      |   7 +++
 proxmox-http/src/lib.rs      |   5 ++
 proxmox-http/src/tls.rs      | 109 +++++++++++++++++++++++++++++++++++
 5 files changed, 146 insertions(+), 46 deletions(-)
 create mode 100644 proxmox-http/src/tls.rs


proxmox-backup:

Dominik Csapak (2):
  pbs-client: use proxmox-https openssl callback
  pbs-client: honor already verified fingerprint

 Cargo.toml                    |   2 +-
 pbs-client/src/http_client.rs | 166 ++++++++++++++++------------------
 2 files changed, 78 insertions(+), 90 deletions(-)


proxmox-websocket-tunnel:

Dominik Csapak (1):
  use proxmox-http's openssl callback

 Cargo.toml  |  2 +-
 src/main.rs | 67 +++++++++++++++++++++--------------------------------
 2 files changed, 28 insertions(+), 41 deletions(-)


Summary over all repositories:
  9 files changed, 252 insertions(+), 177 deletions(-)

-- 
Generated by murpp 0.11.0