[pbs-devel] [PATCH proxmox-websocket-tunnel 2/2] use proxmox-http's openssl callback
Dominik Csapak
d.csapak at proxmox.com
Wed May 21 10:45:23 CEST 2025
no functional change intended, since the callback there should implement
the same behavior.
With this, we can drop the dependency on itertools.
Signed-off-by: Dominik Csapak <d.csapak at proxmox.com>
---
Cargo.toml | 3 +--
src/main.rs | 66 ++++++++++++++++++++++-------------------------------
2 files changed, 28 insertions(+), 41 deletions(-)
diff --git a/Cargo.toml b/Cargo.toml
index 008bf4c..0f8f375 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -15,7 +15,6 @@ futures = "0.3"
futures-util = "0.3"
hex = "0.4"
hyper = "0.14"
-itertools = "0.10"
openssl = "0.10"
percent-encoding = "2"
serde = { version = "1.0", features = ["derive"] }
@@ -24,5 +23,5 @@ tokio = { version = "1", features = ["io-std", "io-util", "macros", "rt-multi-th
tokio-stream = { version = "0.1", features = ["io-util"] }
tokio-util = "0.7"
-proxmox-http = { version = "0.9", features = ["websocket", "client"] }
+proxmox-http = { version = "0.9", features = ["websocket", "client", "tls"] }
proxmox-sys = "0.6"
diff --git a/src/main.rs b/src/main.rs
index 53ac48d..0ab2943 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -24,6 +24,7 @@ use tokio_stream::StreamExt;
use proxmox_http::client::HttpsConnector;
use proxmox_http::websocket::{OpCode, WebSocket, WebSocketReader, WebSocketWriter};
+use proxmox_http::SslVerifyError;
#[derive(Serialize, Deserialize, Debug)]
#[serde(rename_all = "kebab-case")]
@@ -140,48 +141,35 @@ impl CtrlTunnel {
}
let mut ssl_connector_builder = SslConnector::builder(SslMethod::tls())?;
- if let Some(expected) = fingerprint {
+ if fingerprint.is_some() {
ssl_connector_builder.set_verify_callback(
openssl::ssl::SslVerifyMode::PEER,
- move |_valid, ctx| {
- let cert = match ctx.current_cert() {
- Some(cert) => cert,
- None => {
- // should not happen
- eprintln!("SSL context lacks current certificate.");
- return false;
- }
- };
-
- // skip CA certificates, we only care about the peer cert
- let depth = ctx.error_depth();
- if depth != 0 {
- return true;
- }
-
- use itertools::Itertools;
- let fp = match cert.digest(openssl::hash::MessageDigest::sha256()) {
- Ok(fp) => fp,
- Err(err) => {
- // should not happen
- eprintln!("failed to calculate certificate FP - {}", err);
- return false;
+ move |valid, ctx| match proxmox_http::openssl_verify_callback(
+ valid,
+ ctx,
+ fingerprint.as_deref(),
+ ) {
+ Ok(()) => true,
+ Err(err) => {
+ match err {
+ SslVerifyError::NoCertificate => {
+ eprintln!("SSL context lacks current certificate");
+ }
+ SslVerifyError::InvalidFingerprint(err) => {
+ eprintln!("failed to calculate certificate FP - {err}")
+ }
+ SslVerifyError::FingerprintMismatch {
+ fingerprint,
+ expected,
+ } => {
+ eprintln!(
+ "certificate fingerprint does not match expected fingerprint!"
+ );
+ eprintln!("expected: {expected}");
+ eprintln!("encountered: {fingerprint}");
+ }
+ SslVerifyError::UntrustedCertificate { .. } => {}
}
- };
- let fp_string = hex::encode(fp);
- let fp_string = fp_string
- .as_bytes()
- .chunks(2)
- .map(|v| unsafe { std::str::from_utf8_unchecked(v) })
- .join(":");
-
- let expected = expected.to_lowercase();
- if expected == fp_string {
- true
- } else {
- eprintln!("certificate fingerprint does not match expected fingerprint!");
- eprintln!("expected: {}", expected);
- eprintln!("encountered: {}", fp_string);
false
}
},
--
2.39.5
More information about the pbs-devel
mailing list