Re: [PATCH proxmox-websocket-tunnel v3 6/6] use proxmox-http's openssl callback

public inbox for pve-devel@lists.proxmox.com
 help / color / mirror / Atom feed

From: "Shannon Sterz" <s.sterz@proxmox.com>
To: "Dominik Csapak" <d.csapak@proxmox.com>,
	<pve-devel@lists.proxmox.com>, <pbs-devel@lists.proxmox.com>
Subject: Re: [PATCH proxmox-websocket-tunnel v3 6/6] use proxmox-http's openssl callback
Date: Thu, 25 Jun 2026 13:19:54 +0200	[thread overview]
Message-ID: <DJI38TPANLYK.3QIY9NCACS26F@proxmox.com> (raw)
In-Reply-To: <20260617085949.1528300-7-d.csapak@proxmox.com>

On Wed Jun 17, 2026 at 10:59 AM CEST, Dominik Csapak wrote:
> no functional change intended, since the callback there should implement
> the same behavior.
>
> With this, we can drop the dependency on itertools.
>
> Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>

-->8 snip 8<--

> @@ -142,48 +142,35 @@ impl CtrlTunnel {
>          }
>
>          let mut ssl_connector_builder = SslConnector::builder(SslMethod::tls())?;
> -        if let Some(expected) = fingerprint {
> +        if fingerprint.is_some() {
>              ssl_connector_builder.set_verify_callback(
>                  openssl::ssl::SslVerifyMode::PEER,
> -                move |_valid, ctx| {
> -                    let cert = match ctx.current_cert() {
> -                        Some(cert) => cert,
> -                        None => {
> -                            // should not happen
> -                            eprintln!("SSL context lacks current certificate.");
> -                            return false;
> -                        }
> -                    };
> -
> -                    // skip CA certificates, we only care about the peer cert
> -                    let depth = ctx.error_depth();
> -                    if depth != 0 {
> -                        return true;
> -                    }
> -
> -                    use itertools::Itertools;
> -                    let fp = match cert.digest(openssl::hash::MessageDigest::sha256()) {
> -                        Ok(fp) => fp,
> -                        Err(err) => {
> -                            // should not happen
> -                            eprintln!("failed to calculate certificate FP - {}", err);
> -                            return false;
> +                move |valid, ctx| match proxmox_http::openssl_verify_callback(
> +                    valid,
> +                    ctx,
> +                    fingerprint.as_deref(),
> +                ) {
> +                    Ok(()) => true,
> +                    Err(err) => {
> +                        match err {
> +                            SslVerifyError::NoCertificate => {
> +                                eprintln!("SSL context lacks current certificate");

same nit here as in 4/6

-->8 snip 8<--

next prev parent reply	other threads:[~2026-06-25 11:20 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-06-17  8:59 [PATCH proxmox{,-backup,-websocket-tunnel} v3 0/6] unify openssl callback logic Dominik Csapak
2026-06-17  8:59 ` [PATCH proxmox v3 1/6] http: factor out openssl verification callback Dominik Csapak
2026-06-25 11:19   ` Shannon Sterz
2026-06-17  8:59 ` [PATCH proxmox v3 2/6] http: tls: use legacy behavior when PROXMOX_NEW_TLS_CHECK is not set Dominik Csapak
2026-06-25 11:19   ` Shannon Sterz
2026-06-17  8:59 ` [PATCH proxmox v3 3/6] client: use proxmox-http's openssl verification callback Dominik Csapak
2026-06-25 11:19   ` Shannon Sterz
2026-06-17  8:59 ` [PATCH proxmox-backup v3 4/6] pbs-client: use proxmox-https openssl callback Dominik Csapak
2026-06-25 11:19   ` Shannon Sterz
2026-06-17  8:59 ` [PATCH proxmox-backup v3 5/6] pbs-client: honor already verified fingerprint Dominik Csapak
2026-06-17  8:59 ` [PATCH proxmox-websocket-tunnel v3 6/6] use proxmox-http's openssl callback Dominik Csapak
2026-06-25 11:19   ` Shannon Sterz [this message]
2026-06-25 11:19 ` [PATCH proxmox{,-backup,-websocket-tunnel} v3 0/6] unify openssl callback logic Shannon Sterz
2026-06-25 11:22   ` [PATCH proxmox 1/3] http: tls: move PROXMOX_NEW_TLS_CHECK env var name into constant Shannon Sterz
2026-06-25 11:22     ` [PATCH proxmox 2/3] http: tls: implement `PartialEq` for `SslVerifyError` Shannon Sterz
2026-06-25 11:22     ` [PATCH proxmox 3/3] http: tls: add integration tests for openssl verify callbacks Shannon Sterz

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=DJI38TPANLYK.3QIY9NCACS26F@proxmox.com \
    --to=s.sterz@proxmox.com \
    --cc=d.csapak@proxmox.com \
    --cc=pbs-devel@lists.proxmox.com \
    --cc=pve-devel@lists.proxmox.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox

Service provided by Proxmox Server Solutions GmbH | Privacy | Legal