[pbs-devel] [PATCH proxmox-backup v2 0/3] close #3612: allow config of SSL cipher-suites for proxy

Hannes Laimer h.laimer at proxmox.com
Wed Jan 5 14:53:11 CET 2022



On 05.01.22 at 10:27, Dietmar Maurer wrote:
> 
>> But this does not throw an error:
>>
>> # proxmox-backup-manager node update --cipher-suites-tls2 asdasd,BBB,BBB.XZY,ECDHE-RSA-AES256-SHA
>>
>> Seems ssl simply ignores all unknown ciphers. The only error is when the list contains no known cipher.
> 
> I wonder if we can hardcode the list of available values and parse it correctly? Allowed values would be:
> 
> # openssl ciphers -tls1_2
> # openssl ciphers -tls1_3

Yes, but just hardcoding the list probably won't be enough since the 
string is allowed to contain !, +, - and some other things[1]. This check 
was mostly meant to check if the proxy would still start with the 
given ciphers, not if the given string was valid. Also I'm not sure if 
we should be more strict than openssl[2].

[1] https://www.openssl.org/docs/man1.1.1/man1/ciphers.html
[2] https://github.com/openssl/openssl/blob/master/doc/man3/SSL_CTX_set_cipher_list.pod#notes
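The behaviour discussed above, as an added example that is not part of the thread or of proxmox-backup: Python's ssl module is used here as a stand-in front-end to OpenSSL's SSL_CTX_set_cipher_list(), the helper names are mine, and the third cipher string (with the `!SHA1` rule) is constructed to show why a hardcoded list of suite names cannot validate the syntax.

```python
import ssl

# Added example (not proxmox-backup code): hand cipher strings to OpenSSL through
# Python's ssl module, which calls SSL_CTX_set_cipher_list() underneath, and
# inspect which suites OpenSSL actually kept.

def accepted_ciphers(cipher_string):
    """Return the TLS <= 1.2 suite names OpenSSL selected for cipher_string,
    or None if it rejected the whole string (SSL_CTX_set_cipher_list failed)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:  # OpenSSL: "No cipher can be selected"
        return None
    # TLS 1.3 suites are configured separately (SSL_CTX_set_ciphersuites) and
    # always appear in get_ciphers(); drop them so only cipher_string's effect shows.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def has_known_cipher(cipher_string):
    """True iff OpenSSL found at least one usable suite, i.e. the proxy would start.
    This mirrors the check in the patch: it says nothing about junk names in the list."""
    return bool(accepted_ciphers(cipher_string))


if __name__ == "__main__":
    # The string from the thread: three junk names plus one real suite.
    # Unknown names are silently dropped; only the real suite survives.
    print(accepted_ciphers("asdasd,BBB,BBB.XZY,ECDHE-RSA-AES256-SHA"))
    # Nothing known at all: the only case OpenSSL reports as an error.
    print(accepted_ciphers("asdasd,BBB"))
    # Constructed string: "!SHA1" is a rule, not a suite name, and removes every
    # suite whose MAC is SHA1, so a list of valid suite names cannot describe it.
    print(accepted_ciphers("ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:!SHA1"))
```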
