[pbs-devel] [PATCH v1 proxmox 0/3] Fix #5105: Overhaul TLS Handshake Checking Logic

Max Carrara m.carrara at proxmox.com
Mon Jul 8 07:49:33 CEST 2024


Fix #5105: Overhaul TLS Handshake Checking Logic
================================================

This series fixes bug #5105 [1] by overhauling the TLS handshake
checking logic, which is performed when using a connection acceptor
variant with optional TLS.

In the case of PBS (the only place where this is used, to my knowledge),
any requests made over plain HTTP are redirected to the same host, but
clients are instructed to use HTTPS instead.

The TLS handshake checking logic determines whether the client uses HTTP
or HTTPS by peeking into the stream buffer -- if the first 5 received
bytes look like a TLS handshake fragment, the connection is passed on to
OpenSSL before being accepted. Otherwise the connection is assumed to be
unencrypted, i.e. plain HTTP.

However, this logic contains two errors:

  1. The timeout duration is too short - one second is too little
  2. When a timeout occurs, the connection is assumed to be unencrypted
     (and thus plain HTTP)

The patches 01 and 02 are mainly done in preparation for patch 03 (which
contains the actual fix), improving the overall quality of the code and
including the peer's address in error logs.

Please see the individual patches for more information.

Special thanks go to Stefan Hanreich whose advice helped identifying
many individual puzzle pieces comprising this issue.

References
----------

[1]: https://bugzilla.proxmox.com/show_bug.cgi?id=5105

Summary of Changes
------------------

Max Carrara (3):
  rest-server: connection: clean up accept data flow
  rest-server: connection: log peer address on error
  fix #5105: rest-server: connection: overhaul TLS handshake check logic

 proxmox-rest-server/src/connection.rs | 165 +++++++++++++-------------
 1 file changed, 85 insertions(+), 80 deletions(-)

-- 
2.39.2





More information about the pbs-devel mailing list