[pbs-devel] [PATCH proxmox-backup v2 0/3] close #3612: allow config of SSL cipher-suites for proxy
Hannes Laimer
h.laimer at proxmox.com
Wed Jan 5 14:53:11 CET 2022
On 05.01.22 at 10:27, Dietmar Maurer wrote:
>
>> But this does not throw an error:
>>
>> # proxmox-backup-manager node update --cipher-suites-tls2 asdasd,BBB,BBB.XZY,ECDHE-RSA-AES256-SHA
>>
>> Seems ssl simply ignores all unknown ciphers. The only error is when the list contains no known cipher.
>
> I wonder if we can hardcode the list of available values and parse it correctly? Allowed values would be:
>
> # openssl ciphers -tls1_2
> # openssl ciphers -tls1_3
Yes, but just hardcoding the list probably won't be enough since the
string is allowed to contain !, +, - and some other things[1]. This check
was mostly intended to check whether the proxy would still start with the
given ciphers, not whether the given string was valid. Also I'm not sure if
we should be more strict than openssl[2].
[1] https://www.openssl.org/docs/man1.1.1/man1/ciphers.html
[2]
https://github.com/openssl/openssl/blob/master/doc/man3/SSL_CTX_set_cipher_list.pod#notes
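An added example, not code from this thread or from proxmox-backup, that reproduces the behaviour Dietmar reports (unknown names are dropped silently, the only error is an all-unknown list) and tries out the stricter per-token check the reply is weighing. It uses Python's ssl module because that passes the string straight to OpenSSL's SSL_CTX_set_cipher_list(), the same libssl parser the proxy's openssl bindings call; the helper names and the extra test strings are mine and assume an OpenSSL-backed Python build.

```python
"""Added example: probe how OpenSSL treats unknown names in a TLS 1.2
cipher-suite string, and layer a stricter per-token check on top of it.

Python's ssl module hands the string to SSL_CTX_set_cipher_list() unchanged,
so this exercises the same parser proxmox-backup-proxy would see.
"""
from __future__ import annotations

import re
import ssl

# The string from the thread that proxmox-backup-manager accepted without error.
REPORTED_STRING = "asdasd,BBB,BBB.XZY,ECDHE-RSA-AES256-SHA"


def selected_tls12_ciphers(cipher_string: str) -> list[str]:
    """Return the cipher names OpenSSL actually enables for cipher_string.

    Unknown names are dropped silently; ssl.SSLError ("No cipher can be
    selected") is raised only when nothing usable is left, which is the one
    error SSL_CTX_set_cipher_list() reports.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    # TLS 1.3 suites are configured through a separate list and always show
    # up in get_ciphers(), so filter them out to see the TLS 1.2 selection.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def rejects(cipher_string: str) -> bool:
    """True when OpenSSL refuses the list outright, i.e. nothing is selected."""
    try:
        selected_tls12_ciphers(cipher_string)
    except ssl.SSLError:
        return True
    return False


def unresolvable_tokens(cipher_string: str) -> list[str]:
    """Report each entry of cipher_string that selects no cipher on its own.

    Deliberately stricter than OpenSSL. Follows the grammar in ciphers(1):
    entries are separated by ':', ',' or ' '; a leading '!', '-' or '+' is a
    modifier; '+' inside an entry ANDs conditions (ECDHE+AESGCM); entries
    starting with '@' are directives (@STRENGTH, @SECLEVEL=n), not names.
    Aliases such as HIGH, kRSA or ECDHE resolve, so they are not flagged.
    Caveat (hypothetical check, not project behaviour): the probe runs at the
    context's security level, so a real name that is excluded there (e.g.
    eNULL) is reported like a typo, and TLS 1.3 suite names are reported
    because they belong to SSL_CTX_set_ciphersuites(), not the cipher list.
    """
    bad = []
    for token in re.split(r"[:, ]+", cipher_string.strip()):
        if not token or token.startswith("@"):
            continue
        name = token.lstrip("!-+")  # strip leading modifiers only
        if not name or rejects(name):
            bad.append(token)
    return bad


if __name__ == "__main__":
    print("enabled for the reported string:", selected_tls12_ciphers(REPORTED_STRING))
    print("tokens that select nothing:", unresolvable_tokens(REPORTED_STRING))
    print("all-unknown list rejected by OpenSSL:", rejects("asdasd,BBB"))
```

Running it against the string from the thread prints only the one real cipher as enabled and lists the three junk entries, while OpenSSL itself raises only for a list such as "asdasd,BBB" where nothing is left. Whether to reject on the per-token result is exactly the policy question raised above: it catches typos, but it also refuses names that OpenSSL would accept and then silently exclude.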