[pbs-devel] [PATCH v2] rest-server: check permissions on proxy.key and proxy.pem files

Gabriel Goller g.goller at proxmox.com
Thu Aug 29 14:10:47 CEST 2024 

To avoid openssl's unhelpful error messages when the proxy.key or
proxy.pem files have the wrong permissions, we open the files. To load
the private key, we can simply read from the file and pass it to the
`set_private_key` openssl function. Sadly such a function does not exist
for loading certificate chains, so we have to open and close the file
before calling the `set_certificate_chain_file` fn.

Motivation: https://forum.proxmox.com/threads/proxmox-backup-tailscale-proxmox-backup-proxy-service-wont-boot.153204

Signed-off-by: Gabriel Goller <g.goller at proxmox.com>
---

v2, thanks @Wolfgang:
 - move check from proxmox-backup-server to proxmox-rest-server
 - check permissions by opening files

 proxmox-rest-server/src/connection.rs | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/proxmox-rest-server/src/connection.rs b/proxmox-rest-server/src/connection.rs
index fbdfe96cdfdb..f985d25f7e63 100644
--- a/proxmox-rest-server/src/connection.rs
+++ b/proxmox-rest-server/src/connection.rs
@@ -12,19 +12,21 @@ use std::pin::{pin, Pin};
 use std::sync::{Arc, Mutex};
 use std::time::Duration;
 
-use anyhow::{format_err, Context as _, Error};
+use anyhow::{format_err, Context, Error};
 use futures::FutureExt;
 use hyper::server::accept;
 use openssl::ec::{EcGroup, EcKey};
 use openssl::nid::Nid;
 use openssl::pkey::{PKey, Private};
-use openssl::ssl::{SslAcceptor, SslFiletype, SslMethod};
+use openssl::ssl::{SslAcceptor, SslMethod};
 use openssl::x509::X509;
 use tokio::net::{TcpListener, TcpStream};
 use tokio::sync::mpsc;
 use tokio_openssl::SslStream;
 use tokio_stream::wrappers::ReceiverStream;
 
+use proxmox_sys::fs::file_read_string;
+
 #[cfg(feature = "rate-limited-stream")]
 use proxmox_http::{RateLimitedStream, ShareableRateLimit};
 
@@ -88,9 +90,17 @@ impl TlsAcceptorBuilder {
                     .context("failed to set tls acceptor certificate")?;
             }
             Some(Tls::FilesPem(key, cert)) => {
+                let key_content =
+                    file_read_string(key).context("Failed to read from private key file")?;
                 acceptor
-                    .set_private_key_file(key, SslFiletype::PEM)
+                    .set_private_key(PKey::private_key_from_pem(key_content.as_bytes())?.as_ref())
                     .context("failed to set tls acceptor private key file")?;
+
+                {
+                    // Check the permissions by opening the file
+                    let _cert_fd = std::fs::File::open(&cert)
+                        .context(format!("Failed to open certificate at {:?}", cert))?;
+                }
                 acceptor
                     .set_certificate_chain_file(cert)
                     .context("failed to set tls acceptor certificate chain file")?;
-- 
2.39.2

More information about the pbs-devel mailing list