[pve-devel] applied: [PATCH manager v2 0/3] Make compression and honor_server_cipher_order configurable for pveproxy

Thomas Lamprecht t.lamprecht at proxmox.com
Wed Feb 20 07:18:33 CET 2019


On 2/19/19 7:18 PM, Stoiko Ivanov wrote:
> Changes in v2:
> * Incorporated Thomas' feedback (Thanks!)
> * Changed the default for HONOR_CIPHER_ORDER to true
> * Added Documentation
> * Dropped applied patches (pve-http-server)
> 
> The default setting for honor_cipher_order was kept in pveproxy.pm (instead
> of PVE::APIServer::Anyevent, where e.g. the compression default is), since
> this is where the hardcoded defaults for the TLS-settings are.

applied, much thanks for the clean and nice patch preparation!

> 
> v1:
> This patchset fixes #2069 - requesting to let pveproxy prefer its own configured
> ciphers to the ones presented by the client. This is generally considered
> good practice w.r.t. TLS configurations - see e.g. [0].
> 
> While testing with testssl.sh [1] I thought that it would be nice to provide
> users a switch for disabling http-compression (also considered good practice
> due to BREACH [2]), which was done in a separate patch (per repository).
> 
> I'd suggest to add this to pmgproxy as well (but will send the necessary
> preparations separately).
> 
> [0] https://cipherli.st/
> [1] https://testssl.sh/
> [2] https://en.wikipedia.org/wiki/BREACH
> 
> 
> pve-manager:
> Stoiko Ivanov (3):
>   pveproxy: add configurable HONOR_CIPHER_ORDER
>   pveproxy: add configurable COMPRESSION
>   pveproxy: honor_cipher_order by default
> 
>  PVE/API2Tools.pm        | 7 ++++++-
>  PVE/Service/pveproxy.pm | 2 ++
>  2 files changed, 8 insertions(+), 1 deletion(-)
> 
> pve-docs:
> Stoiko Ivanov (1):
>   pveproxy: add docs for /etc/default/pveproxy
> 
>  pveproxy.adoc | 14 ++++++++++++++
>  1 file changed, 14 insertions(+)
> 




