From: "Shannon Sterz" <s.sterz@proxmox.com>
To: "Dominik Csapak" <d.csapak@proxmox.com>,
<pve-devel@lists.proxmox.com>, <pbs-devel@lists.proxmox.com>
Subject: Re: [PATCH proxmox v3 3/6] client: use proxmox-http's openssl verification callback
Date: Thu, 25 Jun 2026 13:19:43 +0200 [thread overview]
Message-ID: <DJI38OV2PW03.DQF4USIWN9BH@proxmox.com> (raw)
In-Reply-To: <20260617085949.1528300-4-d.csapak@proxmox.com>
On Wed Jun 17, 2026 at 10:59 AM CEST, Dominik Csapak wrote:
> This changes the validation logic by always checking the fingerprint of
> the leaf certificate, ignoring the openssl verification if a fingerprint
> is configured. This now aligns with our perl implementation and the one
> for proxmox-websocket-tunnel.
>
> Before, a valid certificate chain would have precedence over an explicit
> fingerprint.
>
> Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
> ---
> proxmox-client/Cargo.toml | 2 +-
> proxmox-client/src/client.rs | 69 +++++++++++++-----------------------
> 2 files changed, 25 insertions(+), 46 deletions(-)
>
> diff --git a/proxmox-client/Cargo.toml b/proxmox-client/Cargo.toml
> index 6ca33420..5cbcecd8 100644
> --- a/proxmox-client/Cargo.toml
> +++ b/proxmox-client/Cargo.toml
> @@ -25,7 +25,7 @@ openssl = { workspace = true, optional = true }
>
> proxmox-login = { workspace = true, features = [ "http" ] }
>
> -proxmox-http = { workspace = true, optional = true, features = [ "client" ] }
> +proxmox-http = { workspace = true, optional = true, features = [ "client", "tls" ] }
> hyper = { workspace = true, optional = true }
> hyper-util = { workspace = true, optional = true, features = [ "client-legacy" ] }
>
> diff --git a/proxmox-client/src/client.rs b/proxmox-client/src/client.rs
> index 26913dbb..1a1d3fa8 100644
> --- a/proxmox-client/src/client.rs
> +++ b/proxmox-client/src/client.rs
> @@ -12,6 +12,8 @@ use http_body_util::BodyExt;
> use openssl::hash::MessageDigest;
> use openssl::ssl::{SslConnector, SslMethod, SslVerifyMode};
> use openssl::x509::{self, X509};
> +use proxmox_http::SslVerifyError;
> +use proxmox_http::get_fingerprint_from_u8;
> use proxmox_login::Ticket;
> use serde::Serialize;
>
> @@ -110,10 +112,29 @@ impl Client {
> TlsOptions::Insecure => connector.set_verify(SslVerifyMode::NONE),
> TlsOptions::Fingerprint(expected_fingerprint) => {
> connector.set_verify_callback(SslVerifyMode::PEER, move |valid, chain| {
> - if valid {
> - return true;
> + let fp = get_fingerprint_from_u8(&expected_fingerprint);
> + match proxmox_http::openssl_verify_callback(valid, chain, Some(&fp)) {
> + Ok(()) => true,
> + Err(err) => {
> + match err {
> + SslVerifyError::FingerprintMismatch {
> + fingerprint,
> + expected,
> + } => {
> + log::error!("bad fingerprint: {fingerprint}");
> + log::error!("expected fingerprint: {expected}");
> + log::error!(
> + r#"If this fingerprint has worked before, it is possible that it changed on the remote
> +side. This can happen, for example, if the remote rotates it's certificate regularly.
pre-existing nit (and i think my fault, sorry), but /it's/its/
-->8 snip 8<--
next prev parent reply other threads:[~2026-06-25 11:20 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-17 8:59 [PATCH proxmox{,-backup,-websocket-tunnel} v3 0/6] unify openssl callback logic Dominik Csapak
2026-06-17 8:59 ` [PATCH proxmox v3 1/6] http: factor out openssl verification callback Dominik Csapak
2026-06-25 11:19 ` Shannon Sterz
2026-06-17 8:59 ` [PATCH proxmox v3 2/6] http: tls: use legacy behavior when PROXMOX_NEW_TLS_CHECK is not set Dominik Csapak
2026-06-25 11:19 ` Shannon Sterz
2026-06-17 8:59 ` [PATCH proxmox v3 3/6] client: use proxmox-http's openssl verification callback Dominik Csapak
2026-06-25 11:19 ` Shannon Sterz [this message]
2026-06-17 8:59 ` [PATCH proxmox-backup v3 4/6] pbs-client: use proxmox-https openssl callback Dominik Csapak
2026-06-25 11:19 ` Shannon Sterz
2026-06-17 8:59 ` [PATCH proxmox-backup v3 5/6] pbs-client: honor already verified fingerprint Dominik Csapak
2026-06-17 8:59 ` [PATCH proxmox-websocket-tunnel v3 6/6] use proxmox-http's openssl callback Dominik Csapak
2026-06-25 11:19 ` Shannon Sterz
2026-06-25 11:19 ` [PATCH proxmox{,-backup,-websocket-tunnel} v3 0/6] unify openssl callback logic Shannon Sterz
2026-06-25 11:22 ` [PATCH proxmox 1/3] http: tls: move PROXMOX_NEW_TLS_CHECK env var name into constant Shannon Sterz
2026-06-25 11:22 ` [PATCH proxmox 2/3] http: tls: implement `PartialEq` for `SslVerifyError` Shannon Sterz
2026-06-25 11:22 ` [PATCH proxmox 3/3] http: tls: add integration tests for openssl verify callbacks Shannon Sterz
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=DJI38OV2PW03.DQF4USIWN9BH@proxmox.com \
--to=s.sterz@proxmox.com \
--cc=d.csapak@proxmox.com \
--cc=pbs-devel@lists.proxmox.com \
--cc=pve-devel@lists.proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox