[pve-devel] applied: [PATCH http-server 1/2] Add configurable 'honor_cipher_order'

Thomas Lamprecht t.lamprecht at proxmox.com
Tue Feb 19 17:30:04 CET 2019


On 2/15/19 12:35 PM, Stoiko Ivanov wrote:
> Needed to fix #2069.
> 
> Preferring the ciphers set in the server, instead of relying on the offer of the
> client is considered good practice in TLS1.[012] (see e.g. [0]).
> 
> [0] https://cipherli.st/
> 
> Signed-off-by: Stoiko Ivanov <s.ivanov at proxmox.com>
> ---
>  PVE/APIServer/AnyEvent.pm | 7 ++++++-
>  1 file changed, 6 insertions(+), 1 deletion(-)
> 
> diff --git a/PVE/APIServer/AnyEvent.pm b/PVE/APIServer/AnyEvent.pm
> index 14e46fa..3892136 100755
> --- a/PVE/APIServer/AnyEvent.pm
> +++ b/PVE/APIServer/AnyEvent.pm
> @@ -1644,8 +1644,13 @@ sub new {
>      $self->{end_cond} = AnyEvent->condvar;
>  
>      if ($self->{ssl}) {
> +	my $tls_ctx_flags = &Net::SSLeay::OP_NO_COMPRESSION | &Net::SSLeay::OP_SINGLE_ECDH_USE | &Net::SSLeay::OP_SINGLE_DH_USE;
> +	if ( delete $self->{ssl}->{honor_cipher_order} ) {
> +	    $tls_ctx_flags |= &Net::SSLeay::OP_CIPHER_SERVER_PREFERENCE;
> +	}
> +
>  	$self->{tls_ctx} = AnyEvent::TLS->new(%{$self->{ssl}});
> -	Net::SSLeay::CTX_set_options($self->{tls_ctx}->{ctx}, &Net::SSLeay::OP_NO_COMPRESSION | &Net::SSLeay::OP_SINGLE_ECDH_USE | &Net::SSLeay::OP_SINGLE_DH_USE);
> +	Net::SSLeay::CTX_set_options($self->{tls_ctx}->{ctx}, $tls_ctx_flags);
>      }
>  
>      if ($self->{spiceproxy}) {
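Review bot: The new `honor_cipher_order` key is consumed without any documentation of where it lives: the `delete $self->{ssl}->{honor_cipher_order}` line is the only hint that it is a boolean inside the `ssl` hash rather than an AnyEvent::TLS option, and that it must be removed before `%{$self->{ssl}}` is handed to `AnyEvent::TLS->new`. A one-line comment above the `delete` stating both points would save the next reader from guessing. Minor style: `if ( delete $self->{ssl}->{honor_cipher_order} )` uses inner spaces, unlike the surrounding `if ($self->{ssl})`. Also worth noting in the commit message or a comment that `OP_CIPHER_SERVER_PREFERENCE` only makes the server's own cipher ordering win, so the option is only meaningful when the server's cipher list is itself deliberately ordered.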
> 

applied, thanks. Maybe we should default this to one in a followup?
I do not see much regression potential here.
