[pbs-devel] [PATCH proxmox-backup 0/3] close #3612: allow config of SSL cipher-suites for proxy
Fabian Grünbichler
f.gruenbichler at proxmox.com
Fri Dec 17 10:50:26 CET 2021
On December 16, 2021 5:31 pm, Hannes Laimer wrote:
> Cannot be configured in the WebUI, only through proxmox-backup-manager,
> API or in the config file directly (not recommended). For changes to take
> effect the proxy has to be restarted.
>
> Since the string can be rather long and I assume most of the time the
> defaults are used, it is not in the WebUI.

there are actually two different strings (unfortunately):

cipher_list in OpenSSL parlance is for TLS <= 1.2
ciphersuites is for TLS 1.3

the format is not compatible, so we likely need to expose it as two
options (or two properties of a 'tls' option? if we also want to make
supported TLS versions configurable in the future for example that would
make sense).

PVE currently only does the former via /etc/default/pveproxy, but I'll
send patches for that soon. for PBS we should support both from the
start, and take care not to mix up the terminology (that would confuse
users that already know about this weird API split). I'd also add the
relevant TLS version info into the option description ;)

https://docs.rs/openssl/latest/openssl/ssl/struct.SslAcceptorBuilder.html#method.set_ciphersuites
https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_ciphersuites.html

>
> Hannes Laimer (3):
> config: add cipher-suites to NodeConfig
> proxy: use ssl cipher-suites from config if set
> api2: make cipher-suites updatable
>
> src/api2/node/config.rs | 4 ++++
> src/bin/proxmox-backup-proxy.rs | 6 ++++++
> src/config/node.rs | 13 +++++++++++++
> 3 files changed, 23 insertions(+)
>
> --
> 2.30.2
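
The cipher_list / ciphersuites split discussed in the reply above can be enforced when the two values are validated, so a string written in one format is not accepted for the other option. The following is an added example, not code from the patch series or from proxmox-backup; the function names are hypothetical, and the TLS 1.3 allowlist is assumed to be the five suites defined in RFC 8446.

```rust
// Added example, not proxmox-backup code; function names are hypothetical.

/// TLS 1.3 suite names from RFC 8446, as spelled by OpenSSL.
const TLS13_SUITES: [&str; 5] = [
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
];

/// Value for `ciphersuites` (TLS 1.3): a plain colon-separated list of
/// suite names in preference order, without cipher_list operators.
fn check_ciphersuites_tls13(value: &str) -> Result<Vec<&str>, String> {
    let mut suites = Vec::new();
    for name in value.split(':') {
        if name.is_empty() {
            return Err("empty entry in ciphersuites".to_string());
        }
        if !TLS13_SUITES.contains(&name) {
            return Err(format!("'{}' is not a TLS 1.3 suite (cipher_list syntax?)", name));
        }
        suites.push(name);
    }
    Ok(suites)
}

/// Value for `cipher_list` (TLS <= 1.2): entries are separated by ':', ','
/// or ' ' and may start with '!', '-' or '+'. A TLS 1.3 suite name here
/// means the two options were mixed up.
fn check_cipher_list_tls12(value: &str) -> Result<(), String> {
    if value.trim().is_empty() {
        return Err("empty cipher_list".to_string());
    }
    for entry in value.split(|c: char| c == ':' || c == ',' || c == ' ') {
        let name = entry.trim_start_matches(&['!', '-', '+'][..]);
        if TLS13_SUITES.contains(&name) {
            return Err(format!("'{}' belongs in ciphersuites (TLS 1.3)", name));
        }
    }
    Ok(())
}

fn main() {
    // Constructed sample values.
    println!("{:?}", check_ciphersuites_tls13("TLS_AES_256_GCM_SHA384:TLS_AES_128_GCM_SHA256"));
    println!("{:?}", check_ciphersuites_tls13("HIGH:!aNULL"));
    println!("{:?}", check_cipher_list_tls12("ECDHE-RSA-AES256-GCM-SHA384:TLS_AES_128_GCM_SHA256"));
}
```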