From: "Max Carrara"
To: "Proxmox VE development discussion"
Date: Mon, 08 Jul 2024 07:49:06 +0200
Subject: Re: [pve-devel] [PATCH v1 proxmox 0/3] Fix #5105: Overhaul TLS Handshake Checking Logic
In-Reply-To: <20240705162020.1203734-1-m.carrara@proxmox.com>
References: <20240705162020.1203734-1-m.carrara@proxmox.com>

On Fri Jul 5, 2024 at 6:20 PM CEST, Max Carrara wrote:
> Fix #5105: Overhaul TLS Handshake Checking Logic
> ================================================

Oh, whoops - this should've gone to pbs-devel. Will send it there; disregard this series, please.

Was a bit too quick on the trigger on Friday it seems ;)

>
> This series fixes bug #5105 [1] by overhauling the TLS handshake
> checking logic, which is performed when using a connection acceptor
> variant with optional TLS.
>
> In the case of PBS (the only place where this is used, to my knowledge),
> any requests made over plain HTTP are redirected to the same host, but
> clients are instructed to use HTTPS instead.
>
> The TLS handshake checking logic determines whether the client uses HTTP
> or HTTPS by peeking into the stream buffer -- if the first 5 received
> bytes look like a TLS handshake fragment, the connection is passed on to
> OpenSSL before being accepted. Otherwise the connection is assumed to be
> unencrypted, i.e. plain HTTP.
>
> However, this logic contains two errors:
>
> 1. The timeout duration is too short - one second is too little
> 2. When a timeout occurs, the connection is assumed to be unencrypted
>    (and thus plain HTTP)
>
> The patches 01 and 02 are mainly done in preparation for patch 03 (which
> contains the actual fix), improving the overall quality of the code and
> including the peer's address in error logs.
>
> Please see the individual patches for more information.
>
> Special thanks go to Stefan Hanreich, whose advice helped identify
> many individual puzzle pieces comprising this issue.
>
> References
> ----------
>
> [1]: https://bugzilla.proxmox.com/show_bug.cgi?id=5105
>
> Summary of Changes
> ------------------
>
> Max Carrara (3):
>   rest-server: connection: clean up accept data flow
>   rest-server: connection: log peer address on error
>   fix #5105: rest-server: connection: overhaul TLS handshake check logic
>
>  proxmox-rest-server/src/connection.rs | 165 +++++++++++++-------------
>  1 file changed, 85 insertions(+), 80 deletions(-)

_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
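The detection logic the quoted cover letter describes (peek at the first five buffered bytes, decide between TLS and plain HTTP, and do something when the client has not sent enough within the timeout), as an added Rust example. This is not the proxmox-rest-server code from `connection.rs` and does not claim to reproduce it. It checks the five-byte TLS record header (content type 0x16 = handshake, legacy version major 3, non-zero length) and makes the timeout policy explicit: `AssumePlain` reproduces the second error the cover letter names, where a silent client ends up treated as plain HTTP, while `Reject` drops an undecidable connection instead. The cover letter does not say what the actual patch does on timeout, so `Reject` is an assumed remedy; the `chunked_peeker` and `ticking_clock` stand-ins for a socket and a clock, and all sample bytes, are constructed for this example.

```rust
use std::io;
use std::time::Duration;

/// Length of a TLS record header: content_type (1) + legacy_record_version (2) + length (2).
pub const TLS_HEADER_LEN: usize = 5;
/// ContentType value for handshake records (RFC 8446 section 5.1).
const CONTENT_TYPE_HANDSHAKE: u8 = 0x16;

/// What the first bytes of a connection look like.
#[derive(Debug, PartialEq, Eq)]
pub enum Detected {
    Tls,
    Plain,
    NeedMoreData,
}

/// Classify a peeked prefix without consuming it.
pub fn classify_prefix(buf: &[u8]) -> Detected {
    if buf.len() < TLS_HEADER_LEN {
        return Detected::NeedMoreData;
    }
    let length = u16::from_be_bytes([buf[3], buf[4]]);
    // A ClientHello arrives in a handshake record whose legacy version has
    // major byte 3 (SSL 3.0 through TLS 1.3) and a non-zero payload length.
    let looks_like_tls =
        buf[0] == CONTENT_TYPE_HANDSHAKE && buf[1] == 0x03 && buf[2] <= 0x04 && length != 0;
    if looks_like_tls { Detected::Tls } else { Detected::Plain }
}

/// What to do when the deadline passes before TLS_HEADER_LEN bytes were seen.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum TimeoutPolicy {
    /// The behaviour the cover letter calls an error: a silent client is treated as plain HTTP.
    AssumePlain,
    /// Drop the connection instead of guessing (assumed remedy, not taken from the patch).
    Reject,
}

#[derive(Debug, PartialEq, Eq)]
pub enum Decision {
    Tls,
    Plain,
    Rejected(String),
}

/// Poll `peek` (modelled on `TcpStream::peek`: fills `out` with buffered bytes without
/// consuming them) until the prefix is decidable or `timeout` has elapsed according to
/// `elapsed`, which reports the time since the connection was accepted.
pub fn detect<P, C>(mut peek: P, mut elapsed: C, timeout: Duration, policy: TimeoutPolicy) -> Decision
where
    P: FnMut(&mut [u8]) -> io::Result<usize>,
    C: FnMut() -> Duration,
{
    let mut buf = [0u8; TLS_HEADER_LEN];
    loop {
        match peek(&mut buf) {
            Ok(n) => match classify_prefix(&buf[..n]) {
                Detected::Tls => return Decision::Tls,
                Detected::Plain => return Decision::Plain,
                Detected::NeedMoreData => {}
            },
            // Nothing buffered yet; keep waiting until the deadline.
            Err(e) if e.kind() == io::ErrorKind::WouldBlock => {}
            Err(e) => return Decision::Rejected(format!("peek failed: {e}")),
        }
        if elapsed() >= timeout {
            return match policy {
                TimeoutPolicy::AssumePlain => Decision::Plain,
                TimeoutPolicy::Reject => {
                    Decision::Rejected(format!("no decidable prefix within {timeout:?}"))
                }
            };
        }
    }
}

/// Constructed stand-in for a socket: reveals `per_poll` more bytes of `data` on every call.
pub fn chunked_peeker(data: Vec<u8>, per_poll: usize) -> impl FnMut(&mut [u8]) -> io::Result<usize> {
    let mut revealed = 0usize;
    move |out: &mut [u8]| {
        revealed = (revealed + per_poll).min(data.len());
        let n = revealed.min(out.len());
        out[..n].copy_from_slice(&data[..n]);
        Ok(n)
    }
}

/// Constructed clock: every call advances by `step`.
pub fn ticking_clock(step: Duration) -> impl FnMut() -> Duration {
    let mut t = Duration::ZERO;
    move || {
        t += step;
        t
    }
}

/// Constructed sample inputs: the header of a 200-byte ClientHello record, and an HTTP request line.
pub const CLIENT_HELLO_PREFIX: [u8; 5] = [0x16, 0x03, 0x01, 0x00, 0xc8];
pub const HTTP_PREFIX: &[u8] = b"GET / HTTP/1.1\r\n";

fn main() {
    let budget = Duration::from_secs(1);
    let slow = || ticking_clock(Duration::from_millis(100));
    // A client delivering one byte per 100 ms poll needs 500 ms to become decidable.
    let ok = detect(chunked_peeker(CLIENT_HELLO_PREFIX.to_vec(), 1), slow(), budget, TimeoutPolicy::Reject);
    let cut = detect(chunked_peeker(CLIENT_HELLO_PREFIX.to_vec(), 1), slow(), Duration::from_millis(300), TimeoutPolicy::Reject);
    let silent = detect(chunked_peeker(Vec::new(), 5), slow(), budget, TimeoutPolicy::AssumePlain);
    println!("1 s budget: {ok:?}\n300 ms budget: {cut:?}\nsilent client, AssumePlain: {silent:?}");
}
```

The two failure modes from the cover letter fall out of the same loop: a deadline shorter than the client's delivery time turns a legitimate TLS client into a timeout, and `AssumePlain` then hands that connection, or one from a client that sent nothing at all, to the plaintext path. A real acceptor would use the socket's own peek and a monotonic clock; the closures exist only so the behaviour can be checked deterministically.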