[pve-devel] [PATCH manager v2 0/3] Make compression and honor_server_cipher_order configurable for pveproxy
Stoiko Ivanov
s.ivanov at proxmox.com
Tue Feb 19 19:18:41 CET 2019

Changes in v2:
* Incorporated Thomas' feedback (Thanks!)
* Changed the default for HONOR_CIPHER_ORDER to true
* Added Documentation
* Dropped applied patches (pve-http-server)

The default setting for honor_cipher_order was kept in pveproxy.pm, (instead
of PVE::APIServer::Anyevent, where e.g. the compression default is), since
this is where the hardcoded defaults for the TLS-settings are.

v1:
This patchset fixes #2069 - requesting to let pveproxy prefer its own configured
ciphers to the ones presented by the client. This is generally considered
good practice w.r.t. TLS configurations - see e.g. [0].

While testing with testssl.sh [1] I thought that it would be nice to provide
users a switch for disabling http-compression (also considered good practice
due to BREACH [2]), which was done in a separate patch (per repository).
I'd suggest adding this to pmgproxy as well (but will send the necessary
preparations separately).

[0] https://cipherli.st/
[1] https://testssl.sh/
[2] https://en.wikipedia.org/wiki/BREACH

pve-manager:
Stoiko Ivanov (3):
  pveproxy: add configurable HONOR_CIPHER_ORDER
  pveproxy: add configurable COMPRESSION
  pveproxy: honor_cipher_order by default

 PVE/API2Tools.pm        | 7 ++++++-
 PVE/Service/pveproxy.pm | 2 ++
 2 files changed, 8 insertions(+), 1 deletion(-)

pve-docs:
Stoiko Ivanov (1):
  pveproxy: add docs for /etc/default/pveproxy

 pveproxy.adoc | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

--
2.11.0