[pmg-devel] [PATCH pmg-docs] pmgproxy: document newly added options
Fabian Grünbichler
f.gruenbichler at proxmox.com
Fri Dec 17 14:00:16 CET 2021
adapted from pve-docs -> pveproxy
Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
---
pmgproxy.adoc | 24 +++++++++++++++++++++++-
1 file changed, 23 insertions(+), 1 deletion(-)
diff --git a/pmgproxy.adoc b/pmgproxy.adoc
index 6e48fba..101f269 100644
--- a/pmgproxy.adoc
+++ b/pmgproxy.adoc
@@ -125,7 +125,10 @@ should set a maintenance window to bring this change into effect.
SSL Cipher Suite
----------------
-You can define the cipher list in `/etc/default/pmgproxy`, for example:
+You can define the cipher list in `/etc/default/pmgproxy`, via the `CIPHERS`
+(TLS <= 1.2) and `CIPHERSUITES` (TLS >= 1.3) keys.
+
+For example:
CIPHERS="ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
@@ -141,6 +144,25 @@ by disabling the HONOR_CIPHER_ORDER option in `/etc/default/pmgproxy`:
HONOR_CIPHER_ORDER=0
+Supported TLS versions
+----------------------
+
+The insecure SSL versions 2 and 3 are unconditionally disabled for `pmgproxy`.
+TLS versions below 1.1 are disabled by default on recent OpenSSL versions,
+which is honored by `pmgproxy` (see `/etc/ssl/openssl.cnf`).
+
+To disable TLS version 1.2, set the following in `/etc/default/pmgproxy`:
+
+ DISABLE_TLS_1_2=1
+
+or, respectively, to disable TLS version 1.3:
+
+ DISABLE_TLS_1_3=1
+
+NOTE: Unless there is a specific reason to do so, it is not recommended to
+manually adjust the supported TLS versions.
+
+
Diffie-Hellman Parameters
-------------------------
--
2.30.2
More information about the pmg-devel
mailing list