[pbs-devel] [PATCH proxmox-backup v2 1/3] config: add cipher-suites to NodeConfig

Hannes Laimer h.laimer at proxmox.com
Tue Jan 4 12:48:24 CET 2022


for TLS 1.3 and for TLS <= 1.2

Signed-off-by: Hannes Laimer <h.laimer at proxmox.com>
---
 src/config/node.rs | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/src/config/node.rs b/src/config/node.rs
index 4f2ab029..6a6038e6 100644
--- a/src/config/node.rs
+++ b/src/config/node.rs
@@ -1,5 +1,6 @@
 use std::collections::HashSet;
 
+use openssl::ssl::{SslAcceptor, SslMethod};
 use anyhow::{bail, Error};
 use serde::{Deserialize, Serialize};
 
@@ -91,6 +92,14 @@ pub struct AcmeConfig {
             schema: EMAIL_SCHEMA,
             optional: true,
         },
+        "cipher-suites-tls3": {
+            optional: true,
+            type: String,
+        },
+        "cipher-suites-tls2": {
+            optional: true,
+            type: String,
+        },
     },
 )]
 #[derive(Deserialize, Serialize, Updater)]
@@ -121,6 +130,14 @@ pub struct NodeConfig {
     
     #[serde(skip_serializing_if = "Option::is_none")]
     pub email_from: Option<String>,
+
+    /// List of SSL ciphers for tls 1.3 that will be used by the proxy. (Proxy has to be restarted for changes to take effect)
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub cipher_suites_tls3: Option<String>,
+    
+    /// List of SSL ciphers for tls <= 1.2 that will be used by the proxy. (Proxy has to be restarted for changes to take effect)
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub cipher_suites_tls2: Option<String>,
 }
 
 impl NodeConfig {
@@ -172,6 +189,13 @@ impl NodeConfig {
                 bail!("duplicate domain '{}' in ACME config", domain.domain);
             }
         }
+        let mut dummy_acceptor = SslAcceptor::mozilla_intermediate_v5(SslMethod::tls()).unwrap();
+        if let Some(cipher_suites) = self.cipher_suites_tls3.as_deref() {
+            dummy_acceptor.set_ciphersuites(cipher_suites)?;
+        }
+        if let Some(cipher_suites) = self.cipher_suites_tls2.as_deref() {
+            dummy_acceptor.set_cipher_list(cipher_suites)?;
+        }
 
         Ok(())
     }
-- 
2.30.2






More information about the pbs-devel mailing list