[pbs-devel] [PATCH backup] http_client: remember accepted fingerprints

Mon Apr 14 14:59:34 CEST 2025

Calling the proxmox-backup-client against a server with self-signed
certificates without having specified a fingerprint will result in
potentially multiple prompts to accept the fingerprint:

```
connected to 10.10.10.136:8007
fingerprint: b9:eb:33:0b:88:e8:e4:1a:c8:d1:f9:5a:08:84:04:9a:92:17:3f:5e:06:ae:e1:6b:91:36:24:38:0f:71:e1:5c
Are you sure you want to continue connecting? (y/n): y
fingerprint: b9:eb:33:0b:88:e8:e4:1a:c8:d1:f9:5a:08:84:04:9a:92:17:3f:5e:06:ae:e1:6b:91:36:24:38:0f:71:e1:5c
Are you sure you want to continue connecting? (y/n): y
```

We avoid this by setting the expected fingerprint to the fingerprint
returned by verify_callback.

Signed-off-by: Maximiliano Sandoval <m.sandoval at proxmox.com>
---
 pbs-client/src/http_client.rs | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/pbs-client/src/http_client.rs b/pbs-client/src/http_client.rs
index c95def07b..05cf8c530 100644
--- a/pbs-client/src/http_client.rs
+++ b/pbs-client/src/http_client.rs
@@ -404,12 +404,13 @@ impl HttpClient {
             let fingerprint_cache = options.fingerprint_cache;
             let prefix = options.prefix.clone();
             let trust_openssl_valid = Arc::new(Mutex::new(true));
+            let expected_fingerprint = Arc::new(Mutex::new(expected_fingerprint));
             ssl_connector_builder.set_verify_callback(
                 openssl::ssl::SslVerifyMode::PEER,
                 move |valid, ctx| match Self::verify_callback(
                     valid,
                     ctx,
-                    expected_fingerprint.as_ref(),
+                    Arc::clone(&expected_fingerprint),
                     interactive,
                     Arc::clone(&trust_openssl_valid),
                 ) {
@@ -422,6 +423,7 @@ impl HttpClient {
                                 error!("{}", err);
                             }
                         }
+                        *expected_fingerprint.lock().unwrap() = Some(fingerprint.clone());
                         *verified_fingerprint.lock().unwrap() = Some(fingerprint);
                         true
                     }
@@ -634,7 +636,7 @@ impl HttpClient {
     fn verify_callback(
         openssl_valid: bool,
         ctx: &mut X509StoreContextRef,
-        expected_fingerprint: Option<&String>,
+        expected_fingerprint: Arc<Mutex<Option<String>>>,
         interactive: bool,
         trust_openssl: Arc<Mutex<bool>>,
     ) -> Result<Option<String>, Error> {
@@ -669,7 +671,7 @@ impl HttpClient {
             .collect::<Vec<&str>>()
             .join(":");
 
-        if let Some(expected_fingerprint) = expected_fingerprint {
+        if let Some(expected_fingerprint) = expected_fingerprint.lock().unwrap().as_ref() {
             let expected_fingerprint = expected_fingerprint.to_lowercase();
             if expected_fingerprint == fp_string {
                 return Ok(Some(fp_string));
-- 
2.39.5



