[pve-devel] [PATCH manager 0/3] Make compression and honor_server_cipher_order configurable for pveproxy

Stoiko Ivanov s.ivanov at proxmox.com
Fri Feb 15 12:35:58 CET 2019


This patchset fixes #2069 - requesting to let pveproxy prefer its own configured
ciphers to the ones presented by the client. This is generally considered
good practice w.r.t. TLS configurations - see e.g. [0].

While testing with testssl.sh [1] I though that it would be nice to provide
users a switch for disabling http-compression (also considered good practice
due to BREACH [2]), which was done in a separate patch (per repository).

I'd suggest to add this to pmgproxy as well (but will send the necessary
preparations separately).

[0] https://cipherli.st/
[1] https://testssl.sh/
[2] https://en.wikipedia.org/wiki/BREACH

pve-manager:
Stoiko Ivanov (3):
  fix typo in comment (ssl-config)
  pveproxy: add configurable HONOR_CIPHER_ORDER
  pveproxy: add configurable COMPRESSION

 PVE/API2Tools.pm        | 7 ++++++-
 PVE/Service/pveproxy.pm | 4 +++-
 2 files changed, 9 insertions(+), 2 deletions(-)

pve-http-server:
Stoiko Ivanov (2):
  Add configurable 'honor_cipher_order'
  Add configurable 'compression'

 PVE/APIServer/AnyEvent.pm | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

-- 
2.11.0




More information about the pve-devel mailing list