[pve-devel] [PATCH manager v2 3/3] pveproxy: honor_cipher_order by default

Thomas Lamprecht t.lamprecht at proxmox.com
Wed Feb 20 07:37:39 CET 2019


On 2/19/19 7:18 PM, Stoiko Ivanov wrote:
> change the default from client preference to server preference, but leave it
> configurable.
> 
> Signed-off-by: Stoiko Ivanov <s.ivanov at proxmox.com>
> ---
>  PVE/Service/pveproxy.pm | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/PVE/Service/pveproxy.pm b/PVE/Service/pveproxy.pm
> index 7a4a804f..ee74db4c 100755
> --- a/PVE/Service/pveproxy.pm
> +++ b/PVE/Service/pveproxy.pm
> @@ -109,7 +109,7 @@ sub init {
>  	    cipher_list => $proxyconf->{CIPHERS} || 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256',
>  	    key_file => '/etc/pve/local/pve-ssl.key',
>  	    cert_file => '/etc/pve/local/pve-ssl.pem',
> -	    honor_cipher_order => $proxyconf->{HONOR_CIPHER_ORDER},
> +	    honor_cipher_order => $proxyconf->{HONOR_CIPHER_ORDER} // 1,
>  	},
>  	compression => $proxyconf->{COMPRESSION},
>  	# Note: there is no authentication for those pages and dirs!
> 

on another node, we probably want this for PMG too? may even make sense
to switch it default on in http-server (additionally to allow configuring
(disabling) it then in PMG)?



More information about the pve-devel mailing list