public inbox for pve-devel@lists.proxmox.com
 help / color / mirror / Atom feed
From: "Shannon Sterz" <s.sterz@proxmox.com>
To: "Dominik Csapak" <d.csapak@proxmox.com>,
	<pve-devel@lists.proxmox.com>, <pbs-devel@lists.proxmox.com>
Subject: Re: [PATCH proxmox-backup v4 6/8] pbs-client: use proxmox-https openssl callback
Date: Wed, 01 Jul 2026 15:36:07 +0200	[thread overview]
Message-ID: <DJN9WE36CU89.38R8AVOTAONOW@proxmox.com> (raw)
In-Reply-To: <20260701103120.1593265-7-d.csapak@proxmox.com>

On Wed Jul 1, 2026 at 12:30 PM CEST, Dominik Csapak wrote:
> instead of implementing it here. This changes the behavior when giving a
> fingerprint explicitly when the certificate chain is trusted by openssl.
> Previously this would be accepted due to openssls checks, regardless if
> the given fingerprint would match or not.
>
> With this patch, a given fingerprint has higher priority than openssls
> validation.
>
> Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
> ---
>  Cargo.toml                    |   2 +-
>  pbs-client/src/http_client.rs | 165 ++++++++++++++++------------------
>  2 files changed, 76 insertions(+), 91 deletions(-)
>
> diff --git a/Cargo.toml b/Cargo.toml
> index a625370cf..9530e1ccb 100644
> --- a/Cargo.toml
> +++ b/Cargo.toml
> @@ -64,7 +64,7 @@ proxmox-config-digest = "1"
>  proxmox-daemon = "1"
>  proxmox-fuse = "3"
>  proxmox-docgen = "1"
> -proxmox-http = { version = "1.0.2", features = [ "client", "http-helpers", "api-types", "websocket" ] } # see below
> +proxmox-http = { version = "1.0.2", features = [ "client", "http-helpers", "api-types", "websocket", "tls" ] } # see below
>  proxmox-human-byte = "1"
>  proxmox-io = "1.0.1" # tools and client use "tokio" feature
>  proxmox-lang = "1.1"
> diff --git a/pbs-client/src/http_client.rs b/pbs-client/src/http_client.rs

-->8 snip 8<--

> @@ -425,30 +431,47 @@ impl HttpClient {
>              let interactive = options.interactive;
>              let fingerprint_cache = options.fingerprint_cache;
>              let prefix = options.prefix.clone();
> -            let trust_openssl_valid = Arc::new(Mutex::new(true));
>              ssl_connector_builder.set_verify_callback(
>                  openssl::ssl::SslVerifyMode::PEER,
> -                move |valid, ctx| match Self::verify_callback(
> +                move |valid, ctx| match openssl_verify_callback(
>                      valid,
>                      ctx,
> -                    expected_fingerprint.as_ref(),
> -                    interactive,
> -                    Arc::clone(&trust_openssl_valid),
> +                    expected_fingerprint.clone(),
>                  ) {
> -                    Ok(None) => true,
> -                    Ok(Some(fingerprint)) => {
> -                        if fingerprint_cache {
> -                            if let Some(ref prefix) = prefix {
> -                                if let Err(err) = store_fingerprint(prefix, &server, &fingerprint) {
> -                                    error!("{}", err);
> -                                }
> -                            }
> +                    Ok(()) => {
> +                        if let Some(fp) = &expected_fingerprint {
> +                            *verified_fingerprint.lock().unwrap() = Some(fp.to_string());
>                          }
> -                        *verified_fingerprint.lock().unwrap() = Some(fingerprint);
>                          true
> -                    }
> +                    },
>                      Err(err) => {
> -                        error!("certificate validation failed - {}", err);
> +                        match err {
> +                            SslVerifyError::NoCertificate => error!(
> +                                "certificate validation failed - context lacks current certificate"
> +                            ),

nit: i still think this could be misinterpreted and lead users to add
certificates to the trust store. i think this could be made clearer with
something like "certificate validation failed - could not get a
certificate necessary for verifiction". though, this error case isn't
likely to happen in real ussage anyway from what i can tell.

-->8 snip 8<--




  reply	other threads:[~2026-07-01 13:36 UTC|newest]

Thread overview: 13+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-01 10:30 [PATCH proxmox{,-backup,-websocket-tunnel} v4 0/8] unify openssl callback logic Dominik Csapak
2026-07-01 10:30 ` [PATCH proxmox v4 1/8] http: factor out openssl verification callback Dominik Csapak
2026-07-01 10:30 ` [PATCH proxmox v4 2/8] http: tls: use legacy behavior when PROXMOX_OLD_TLS_CHECK is set to "1" Dominik Csapak
2026-07-01 13:36   ` Shannon Sterz
2026-07-01 10:30 ` [PATCH proxmox v4 3/8] http: tls: add warning if old check behavior is enabled and triggered Dominik Csapak
2026-07-01 10:30 ` [PATCH proxmox v4 4/8] http: tls: add integration tests for openssl verify callbacks Dominik Csapak
2026-07-01 10:30 ` [PATCH proxmox v4 5/8] client: use proxmox-http's openssl verification callback Dominik Csapak
2026-07-01 10:30 ` [PATCH proxmox-backup v4 6/8] pbs-client: use proxmox-https openssl callback Dominik Csapak
2026-07-01 13:36   ` Shannon Sterz [this message]
2026-07-01 10:30 ` [PATCH proxmox-backup v4 7/8] pbs-client: honor already verified fingerprint Dominik Csapak
2026-07-01 10:30 ` [PATCH proxmox-websocket-tunnel v4 8/8] use proxmox-http's openssl callback Dominik Csapak
2026-07-01 13:35   ` Shannon Sterz
2026-07-01 13:35 ` [PATCH proxmox{,-backup,-websocket-tunnel} v4 0/8] unify openssl callback logic Shannon Sterz

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=DJN9WE36CU89.38R8AVOTAONOW@proxmox.com \
    --to=s.sterz@proxmox.com \
    --cc=d.csapak@proxmox.com \
    --cc=pbs-devel@lists.proxmox.com \
    --cc=pve-devel@lists.proxmox.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal