[pve-devel] [PATCH manager 2/3] pveproxy: add configurable HONOR_CIPHER_ORDER
Stoiko Ivanov
s.ivanov at proxmox.com
Fri Feb 15 12:36:02 CET 2019
fix #2069 (the report includes rationale and also information on test-cases).
Tested by:
* running testssl.sh [0]
* enabling this setting (our default cipherlist prefers AES256,
chromium on stretch AES128)
Signed-off-by: Stoiko Ivanov <s.ivanov at proxmox.com>
---
PVE/API2Tools.pm | 4 ++++
PVE/Service/pveproxy.pm | 1 +
2 files changed, 5 insertions(+)
diff --git a/PVE/API2Tools.pm b/PVE/API2Tools.pm
index 7527b42b..e275c558 100644
--- a/PVE/API2Tools.pm
+++ b/PVE/API2Tools.pm
@@ -222,6 +222,7 @@ sub read_proxy_config {
$shcmd .= 'echo \"POLICY:\$POLICY\";';
$shcmd .= 'echo \"CIPHERS:\$CIPHERS\";';
$shcmd .= 'echo \"DHPARAMS:\$DHPARAMS\";';
+ $shcmd .= 'echo \"HONOR_CIPHER_ORDER:\$HONOR_CIPHER_ORDER\";';
my $data = -f $conffile ? `bash -c "$shcmd"` : '';
@@ -244,6 +245,9 @@ sub read_proxy_config {
$res->{$key} = $value;
} elsif ($key eq 'DHPARAMS') {
$res->{$key} = $value;
+ } elsif ($key eq 'HONOR_CIPHER_ORDER') {
+ die "unknown value '$value'\n" if $value !~ m/^(0|1)$/;
+ $res->{$key} = $value;
} else {
# silently skip everythin else?
}
diff --git a/PVE/Service/pveproxy.pm b/PVE/Service/pveproxy.pm
index ee6c28d4..e984cb8c 100755
--- a/PVE/Service/pveproxy.pm
+++ b/PVE/Service/pveproxy.pm
@@ -109,6 +109,7 @@ sub init {
cipher_list => $proxyconf->{CIPHERS} || 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256',
key_file => '/etc/pve/local/pve-ssl.key',
cert_file => '/etc/pve/local/pve-ssl.pem',
+ honor_cipher_order => $proxyconf->{HONOR_CIPHER_ORDER},
},
# Note: there is no authentication for those pages and dirs!
pages => {
--
2.11.0
More information about the pve-devel
mailing list