[pve-devel] [PATCH manager 2/3] pveproxy: add configurable HONOR_CIPHER_ORDER

Thomas Lamprecht t.lamprecht at proxmox.com
Tue Feb 19 17:32:19 CET 2019


On 2/15/19 12:36 PM, Stoiko Ivanov wrote:
> fix #2069 (the report includes rationale and also information on test-cases).
> 
> Tested by:
> * running testssl.sh [0]
> * enabling this setting (our default cipherlist prefers AES256,
>   chromium on stretch AES128)
> 
> Signed-off-by: Stoiko Ivanov <s.ivanov at proxmox.com>
> ---
>  PVE/API2Tools.pm        | 4 ++++
>  PVE/Service/pveproxy.pm | 1 +
>  2 files changed, 5 insertions(+)
> 
> diff --git a/PVE/API2Tools.pm b/PVE/API2Tools.pm
> index 7527b42b..e275c558 100644
> --- a/PVE/API2Tools.pm
> +++ b/PVE/API2Tools.pm
> @@ -222,6 +222,7 @@ sub read_proxy_config {
>      $shcmd .= 'echo \"POLICY:\$POLICY\";';
>      $shcmd .= 'echo \"CIPHERS:\$CIPHERS\";';
>      $shcmd .= 'echo \"DHPARAMS:\$DHPARAMS\";';
> +    $shcmd .= 'echo \"HONOR_CIPHER_ORDER:\$HONOR_CIPHER_ORDER\";';
>  
>      my $data = -f $conffile ? `bash -c "$shcmd"` : '';
>  
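Review bot: the new echo always emits the key, so when HONOR_CIPHER_ORDER is not set in the config file the `bash -c "$shcmd"` output contains `HONOR_CIPHER_ORDER:` with an empty value; make sure the key/value loop in read_proxy_config treats that empty value as "not configured" rather than handing it to the validation added below, which only accepts 0 or 1 and dies otherwise. A short comment above the echo naming the accepted values would also help the next reader of this shell snippet.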
> @@ -244,6 +245,9 @@ sub read_proxy_config {
>  	    $res->{$key} = $value;
>  	} elsif ($key eq 'DHPARAMS') {
>  	    $res->{$key} = $value;
> +	} elsif ($key eq 'HONOR_CIPHER_ORDER') {
> +	    die "unknown value '$value'\n" if $value !~ m/^(0|1)$/;

You add this error message here newly but change it in 3/3; maybe add the
"correct" one here already?

> +	    $res->{$key} = $value;
>  	} else {
>  	    # silently skip everythin else?
>  	}
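Review bot: the die message does not say which key was rejected, so an admin only sees `unknown value '2'` at pveproxy startup; include the key and the accepted range, e.g. `die "unknown value '$value' for HONOR_CIPHER_ORDER, expected 0 or 1\n"`. Also `m/^(0|1)$/` still matches a value with a trailing newline because `$` matches before it, and the capturing group is unused; if the value is not chomped earlier in the loop, `m/^[01]\z/` is the stricter and cheaper form.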
> diff --git a/PVE/Service/pveproxy.pm b/PVE/Service/pveproxy.pm
> index ee6c28d4..e984cb8c 100755
> --- a/PVE/Service/pveproxy.pm
> +++ b/PVE/Service/pveproxy.pm
> @@ -109,6 +109,7 @@ sub init {
>  	    cipher_list => $proxyconf->{CIPHERS} || 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256',
>  	    key_file => '/etc/pve/local/pve-ssl.key',
>  	    cert_file => '/etc/pve/local/pve-ssl.pem',
> +	    honor_cipher_order => $proxyconf->{HONOR_CIPHER_ORDER},
>  	},
>  	# Note: there is no authentication for those pages and dirs!
>  	pages => {
> 
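Review bot: `honor_cipher_order` is passed through as the raw config string ('0', '1', or undef when the key is absent) and nothing in this patch shows the consumer of the option, so the behaviour when it is unset (client preference wins, as today) should be documented next to this line, since the long default cipher_list directly above it only becomes authoritative once this flag is on. The commit message already states the concrete effect (the default list prefers AES256-GCM while chromium on stretch prefers AES128-GCM); a one-line comment here makes that trade-off visible to whoever tunes CIPHERS later.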
