[pbs-devel] [PATCH proxmox-websocket-tunnel 2/2] use proxmox-http's openssl callback

Dominik Csapak d.csapak at proxmox.com
Wed May 21 10:45:23 CEST 2025


no functional change intended, since the callback there should implement
the same behavior.

With this, we can drop the dependency on itertools.

Signed-off-by: Dominik Csapak <d.csapak at proxmox.com>
---
 Cargo.toml  |  3 +--
 src/main.rs | 66 ++++++++++++++++++++++-------------------------------
 2 files changed, 28 insertions(+), 41 deletions(-)

diff --git a/Cargo.toml b/Cargo.toml
index 008bf4c..0f8f375 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -15,7 +15,6 @@ futures = "0.3"
 futures-util = "0.3"
 hex = "0.4"
 hyper = "0.14"
-itertools = "0.10"
 openssl = "0.10"
 percent-encoding = "2"
 serde = { version = "1.0", features = ["derive"] }
@@ -24,5 +23,5 @@ tokio = { version = "1", features = ["io-std", "io-util", "macros", "rt-multi-th
 tokio-stream = { version = "0.1", features = ["io-util"] }
 tokio-util = "0.7"
 
-proxmox-http = { version = "0.9", features = ["websocket", "client"] }
+proxmox-http = { version = "0.9", features = ["websocket", "client", "tls"] }
 proxmox-sys = "0.6"
diff --git a/src/main.rs b/src/main.rs
index 53ac48d..0ab2943 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -24,6 +24,7 @@ use tokio_stream::StreamExt;
 
 use proxmox_http::client::HttpsConnector;
 use proxmox_http::websocket::{OpCode, WebSocket, WebSocketReader, WebSocketWriter};
+use proxmox_http::SslVerifyError;
 
 #[derive(Serialize, Deserialize, Debug)]
 #[serde(rename_all = "kebab-case")]
@@ -140,48 +141,35 @@ impl CtrlTunnel {
         }
 
         let mut ssl_connector_builder = SslConnector::builder(SslMethod::tls())?;
-        if let Some(expected) = fingerprint {
+        if fingerprint.is_some() {
             ssl_connector_builder.set_verify_callback(
                 openssl::ssl::SslVerifyMode::PEER,
-                move |_valid, ctx| {
-                    let cert = match ctx.current_cert() {
-                        Some(cert) => cert,
-                        None => {
-                            // should not happen
-                            eprintln!("SSL context lacks current certificate.");
-                            return false;
-                        }
-                    };
-
-                    // skip CA certificates, we only care about the peer cert
-                    let depth = ctx.error_depth();
-                    if depth != 0 {
-                        return true;
-                    }
-
-                    use itertools::Itertools;
-                    let fp = match cert.digest(openssl::hash::MessageDigest::sha256()) {
-                        Ok(fp) => fp,
-                        Err(err) => {
-                            // should not happen
-                            eprintln!("failed to calculate certificate FP - {}", err);
-                            return false;
+                move |valid, ctx| match proxmox_http::openssl_verify_callback(
+                    valid,
+                    ctx,
+                    fingerprint.as_deref(),
+                ) {
+                    Ok(()) => true,
+                    Err(err) => {
+                        match err {
+                            SslVerifyError::NoCertificate => {
+                                eprintln!("SSL context lacks current certificate");
+                            }
+                            SslVerifyError::InvalidFingerprint(err) => {
+                                eprintln!("failed to calculate certificate FP - {err}")
+                            }
+                            SslVerifyError::FingerprintMismatch {
+                                fingerprint,
+                                expected,
+                            } => {
+                                eprintln!(
+                                    "certificate fingerprint does not match expected fingerprint!"
+                                );
+                                eprintln!("expected:    {expected}");
+                                eprintln!("encountered: {fingerprint}");
+                            }
+                            SslVerifyError::UntrustedCertificate { .. } => {}
                         }
-                    };
-                    let fp_string = hex::encode(fp);
-                    let fp_string = fp_string
-                        .as_bytes()
-                        .chunks(2)
-                        .map(|v| unsafe { std::str::from_utf8_unchecked(v) })
-                        .join(":");
-
-                    let expected = expected.to_lowercase();
-                    if expected == fp_string {
-                        true
-                    } else {
-                        eprintln!("certificate fingerprint does not match expected fingerprint!");
-                        eprintln!("expected:    {}", expected);
-                        eprintln!("encountered: {}", fp_string);
                         false
                     }
                 },
-- 
2.39.5





More information about the pbs-devel mailing list