[pve-devel] [PATCH manager 0/2] TLS and DH fixes

[Fabian Grünbichler]

Previously, only TLS 1.0 was enabled for the AnyEvent Webserver used by
pveproxy. Enabling TLS 1.2 triggered a bug in Internet Explorer 11, which made
the web GUI unusable ("This Page can't be displayed" error page).

The bug seems to be caused by different handling of Bignums in Microsoft's
schannel TLS stack and OpenSSL - leading zeroes are dropped which results in
checksum mismatches between the server (AnyEvent/OpenSSL) and the client 
(IE 11/schannel).

By switching from AnyEvent's default DH group ('schmorp1539') to a different
built-in group ('skip2048'), the bug seems to be gone (this probably means
that with the new group, Bignums with leading zeros are generated never or 
rarely enough).

The first patch thus enables TLS 1.1 and 1.2, and switches the default DH group
to 'skip2048'.

The second patch makes the used DH group(s) configurable by introducing a new
option in /etc/default/pveproxy which allows loading DH parameters in PEM
format from an arbitrary path. The default introduced by patch #1 remains.

The new default TLS setup has been successfully tested using ProxMox VE 4.1 with
Chromium 47.0.2526.80 and Mozilla Iceweasel 38.5.0, Windows 7 with Internet
Explorer 11.0.9600.18613 (Update Version 11.0.27) and Windows 10 with Edge
20.10240.16384.0.

Fabian Grünbichler (2):
  Enable TLS 1.1 and 1.2, change default DH params
  Add DHPARAMS option in /etc/default/pveproxy

 PVE/API2Tools.pm        |  3 +++
 PVE/Service/pveproxy.pm | 27 +++++++++++++++++++++++----
 2 files changed, 26 insertions(+), 4 deletions(-)

-- 
2.1.4