[pve-devel] [PATCH manager 1/2] Enable TLS 1.1 and 1.2, change default DH params

Fabian Grünbichler f.gruenbichler at proxmox.com
Tue Jan 26 15:09:11 CET 2016


AnyEvent uses a built-in DH group defined as 'schmorp1539'
by default, which seems to trigger the bug in [1] for every
attempt at accessing the web GUI using IE11 and TLS1.2. By
switching to a bigger default DH group ('skip2048'), the
bug seems to be gone (or to trigger sufficiently rarely).

1: http://engineering.imvu.com/2015/01/27/the-case-of-the-page-cant-be-displayed-intermittent-selenium-test/
Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
---
 PVE/Service/pveproxy.pm | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/PVE/Service/pveproxy.pm b/PVE/Service/pveproxy.pm
index 5be7488..22812e7 100755
--- a/PVE/Service/pveproxy.pm
+++ b/PVE/Service/pveproxy.pm
@@ -108,12 +108,13 @@ sub init {
 	ssl => {
 	    # Note: older versions are considered insecure, for example
 	    # search for "Poodle"-Attac
-	    method => 'tlsv1',
+	    method => 'any',
 	    sslv2 => 0,
 	    sslv3 => 0,
 	    cipher_list => $proxyconf->{CIPHERS} || 'HIGH:MEDIUM:!aNULL:!MD5',
 	    key_file => '/etc/pve/local/pve-ssl.key',
 	    cert_file => '/etc/pve/local/pve-ssl.pem',
+	    dh => 'skip2048',
 	},
 	# Note: there is no authentication for those pages and dirs!
 	pages => {
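Review bot: `method => 'any'` enables every protocol version AnyEvent::TLS knows about and relies on the separate `sslv2 => 0` / `sslv3 => 0` keys below it to exclude the broken ones, so TLS 1.0 stays offered next to 1.1 and 1.2 even though the subject line only names the newer two; if TLS 1.0 is meant to stay, the commit message should say so, and the surrounding comment ("older versions are considered insecure ... Poodle") should be updated to state which versions are now deliberately excluded, since it was written for the single-version `method => 'tlsv1'` setting it sat above. The `dh => 'skip2048'` line also deserves a one-line comment in the code pointing at the IE11/TLS1.2 interoperability reason and the URL from the commit message, because a future reader of `pveproxy.pm` will otherwise not know why the AnyEvent default group was replaced and may revert it. Finally, the unchanged `cipher_list` default `'HIGH:MEDIUM:!aNULL:!MD5'` still admits the MEDIUM strength class; that is outside this change but worth a follow-up now that the protocol settings are being revisited.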
-- 
2.1.4