Subject: Re: [PATCH proxmox v4 2/8] http: tls: use legacy behavior when PROXMOX_OLD_TLS_CHECK is set to "1"
Date: Wed, 01 Jul 2026 15:36:09 +0200
To: "Dominik Csapak"
References: <20260701103120.1593265-1-d.csapak@proxmox.com> <20260701103120.1593265-3-d.csapak@proxmox.com>
In-Reply-To: <20260701103120.1593265-3-d.csapak@proxmox.com>
From: "Shannon Sterz"

On Wed Jul 1, 2026 at 12:30 PM CEST, Dominik Csapak wrote:
> If that environment variable is set to "1", give the openssl result
> priority, and potentially ignore a given fingerprint that is not
> matching. If that's the case, print a warning.

nit: the "print a warning" bit was moved to the next commit, so I'm guessing the commit message should be cleaned up here :)

> Co-developed-by: Shannon Sterz
> Signed-off-by: Dominik Csapak
> ---
> proxmox-http/src/tls.rs | 15 +++++++++++++--
> 1 file changed, 13 insertions(+), 2 deletions(-)
>
> diff --git a/proxmox-http/src/tls.rs b/proxmox-http/src/tls.rs
> index 5c2b1743..abdf51e9 100644
> --- a/proxmox-http/src/tls.rs
> +++ b/proxmox-http/src/tls.rs
> @@ -103,6 +103,8 @@ impl std::str::FromStr for Fingerprint { > } > } > > +pub const PROXMOX_OLD_TLS_CHECK_VAR: &str =3D "PROXMOX_OLD_TLS_CHECK"; > + > /// > /// Error type returned by failed [`openssl_verify_callback`]. > ///
> @@ -159,15 +161,24 @@ impl PartialEq for SslVerifyError { > > /// Intended as an openssl verification callback. > /// > -/// The following things are checked: > +/// If the 'PROXMOX_OLD_TLS_CHECK' environment variable is not set to "1= ", > +/// the following things are checked: > /// > /// * If no fingerprint is given, return the openssl verification result > -/// * If a fingerprint is given get the leaf fp and check that against t= he given > +/// * If a fingerprint is given, check it against the leaf fp > +/// > +/// Otherwise, we trust the openssl result if the whole chain was truste= d > pub fn openssl_verify_callback( > openssl_valid: bool, > ctx: &mut X509StoreContextRef, > expected_fp: Option, > ) -> Result<(), SslVerifyError> { > + let old_check =3D matches!(std::env::var(PROXMOX_OLD_TLS_CHECK_VAR).= as_deref(), Ok("1")); > + > + if old_check && openssl_valid { > + return Ok(()); > + } > + > match expected_fp { > Some(expected_fp) =3D> { > let fingerprint =3D get_leaf_fp(ctx)?;
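Review bot: the new `pub const PROXMOX_OLD_TLS_CHECK_VAR` in the first hunk (@@ -103,6 +103,8 @@) is exported without a doc comment, while the neighbouring items in tls.rs carry `///` documentation; a one-line `///` stating that this names the environment variable which, when set to "1", makes [`openssl_verify_callback`] prefer the openssl chain result over a configured fingerprint would make the escape hatch visible in rustdoc instead of only in the callback's prose.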
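Review bot: the early return `if old_check && openssl_valid { return Ok(()); }` in the second hunk (@@ -159,15 +161,24 @@) accepts the connection without ever looking at `expected_fp`, so with the variable set a configured fingerprint that does not match is silently ignored whenever the chain validates against the trust store; since the warning is deferred to the next commit, a short comment at the return site saying the pin is intentionally bypassed would keep a bisect landing on this commit from reading as an accidental bypass. Two smaller points: the doc comment spells the name as a literal 'PROXMOX_OLD_TLS_CHECK' where [`PROXMOX_OLD_TLS_CHECK_VAR`] would keep the two in sync, and `std::env::var` is re-read on every call of the callback, which openssl invokes for each certificate depth it verifies; caching the result (for instance in a `std::sync::OnceLock`) avoids that, though it also fixes the value for the process lifetime, so state which behaviour is intended.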