[pbs-devel] [PATCH proxmox-backup v2 1/3] config: add cipher-suites to NodeConfig
Hannes Laimer
h.laimer at proxmox.com
Tue Jan 4 12:48:24 CET 2022
for TLS 1.3 and for TLS <= 1.2
Signed-off-by: Hannes Laimer <h.laimer at proxmox.com>
---
src/config/node.rs | 24 ++++++++++++++++++++++++
1 file changed, 24 insertions(+)
diff --git a/src/config/node.rs b/src/config/node.rs
index 4f2ab029..6a6038e6 100644
--- a/src/config/node.rs
+++ b/src/config/node.rs
@@ -1,5 +1,6 @@
use std::collections::HashSet;
+use openssl::ssl::{SslAcceptor, SslMethod};
use anyhow::{bail, Error};
use serde::{Deserialize, Serialize};
@@ -91,6 +92,14 @@ pub struct AcmeConfig {
schema: EMAIL_SCHEMA,
optional: true,
},
+ "cipher-suites-tls3": {
+ optional: true,
+ type: String,
+ },
+ "cipher-suites-tls2": {
+ optional: true,
+ type: String,
+ },
},
)]
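Review bot: The new config keys `cipher-suites-tls3` and `cipher-suites-tls2` read as "TLS 3" and "TLS 2", while the doc comments on the matching struct fields say they cover TLS 1.3 and TLS <= 1.2; these keys end up in node.cfg and the API schema, so renaming later is a compatibility break and is better settled before merge, e.g. `"ciphers-tls-1.3"` and `"ciphers-tls-1.2"` with the struct fields renamed to match. In OpenSSL terms the TLS 1.3 value is a "ciphersuites" string and the TLS <= 1.2 value a "cipher list", which the names could also reflect. `type: String` with no further constraint is acceptable here because the value is checked by the validation added later in this patch, but a reader of the schema alone has no way to know that. The `pub struct AcmeConfig` in the hunk header is only git's context heuristic; judging by the following hunk these properties belong to the `#[api]` block of `NodeConfig`.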
#[derive(Deserialize, Serialize, Updater)]
@@ -121,6 +130,14 @@ pub struct NodeConfig {
#[serde(skip_serializing_if = "Option::is_none")]
pub email_from: Option<String>,
+
+ /// List of SSL ciphers for tls 1.3 that will be used by the proxy. (Proxy has to be restarted for changes to take effect)
+ #[serde(skip_serializing_if = "Option::is_none")]
+ pub cipher_suites_tls3: Option<String>,
+
+ /// List of SSL ciphers for tls <= 1.2 that will be used by the proxy. (Proxy has to be restarted for changes to take effect)
+ #[serde(skip_serializing_if = "Option::is_none")]
+ pub cipher_suites_tls2: Option<String>,
}
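Review bot: The doc comments on `cipher_suites_tls3` and `cipher_suites_tls2` do not say what format the strings take, and the two are not interchangeable: the TLS 1.3 value is handed to OpenSSL's `set_ciphersuites` (a colon-separated list of TLS 1.3 suite names) while the TLS <= 1.2 value goes to `set_cipher_list` (an OpenSSL cipher-list string with its `:`/`!`/`+` syntax), as the validation hunk of this patch shows. I would state that in each comment, e.g. `/// OpenSSL TLS 1.3 ciphersuite string (colon-separated suite names, see SSL_CTX_set_ciphersuites) used by the proxy; the proxy has to be restarted for changes to take effect.` and `/// OpenSSL cipher-list string (see SSL_CTX_set_cipher_list) for TLS <= 1.2 used by the proxy; the proxy has to be restarted for changes to take effect.`, and mention that an unset value keeps the built-in default. Since the `#[api]` macro presumably turns these doc comments into the schema description, this is also the text users see in the API docs and CLI help.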
impl NodeConfig {
@@ -172,6 +189,13 @@ impl NodeConfig {
bail!("duplicate domain '{}' in ACME config", domain.domain);
}
}
+ let mut dummy_acceptor = SslAcceptor::mozilla_intermediate_v5(SslMethod::tls()).unwrap();
+ if let Some(cipher_suites) = self.cipher_suites_tls3.as_deref() {
+ dummy_acceptor.set_ciphersuites(cipher_suites)?;
+ }
+ if let Some(cipher_suites) = self.cipher_suites_tls2.as_deref() {
+ dummy_acceptor.set_cipher_list(cipher_suites)?;
+ }
Ok(())
}
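Review bot: `SslAcceptor::mozilla_intermediate_v5(SslMethod::tls()).unwrap()` panics inside a validation routine that otherwise reports problems through `bail!` and `?`; building the acceptor returns a `Result` with an OpenSSL `ErrorStack`, and that failure should become a config error like the two lines below instead of a panic in whoever loads the config: `let mut dummy_acceptor = SslAcceptor::mozilla_intermediate_v5(SslMethod::tls())?;`. The bare `?` on `set_ciphersuites` and `set_cipher_list` propagates the raw OpenSSL error without naming the offending key, so the user gets an `error:...` string with no hint which of the two settings is wrong; wrapping each, e.g. `.map_err(|err| anyhow::format_err!("invalid cipher-suites-tls3 '{}': {}", cipher_suites, err))?`, fixes that. Two caveats worth a comment at the call site: as far as I recall `SSL_CTX_set_cipher_list` only fails when no cipher in the string can be selected, so a typo next to a valid name passes this check silently and merely drops that cipher, and the strings are validated against the `mozilla_intermediate_v5` preset, which is only meaningful if the proxy builds its real acceptor from the same preset — this patch does not show that. The enclosing function (presumably `validate`) starts before this hunk.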
--
2.30.2