[pve-devel] [PATCH manager v2 3/3] pveproxy: honor_cipher_order by default

Stoiko Ivanov s.ivanov at proxmox.com
Wed Feb 20 09:47:56 CET 2019


On Wed, 20 Feb 2019 07:37:39 +0100
Thomas Lamprecht <t.lamprecht at proxmox.com> wrote:

> On 2/19/19 7:18 PM, Stoiko Ivanov wrote:
> > change the default from client preference to server preference, but
> > leave it configurable.
> > 
> > Signed-off-by: Stoiko Ivanov <s.ivanov at proxmox.com>
> > ---
> >  PVE/Service/pveproxy.pm | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/PVE/Service/pveproxy.pm b/PVE/Service/pveproxy.pm
> > index 7a4a804f..ee74db4c 100755
> > --- a/PVE/Service/pveproxy.pm
> > +++ b/PVE/Service/pveproxy.pm
> > @@ -109,7 +109,7 @@ sub init {
> >  	    cipher_list => $proxyconf->{CIPHERS} ||
> > 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256',
> > key_file => '/etc/pve/local/pve-ssl.key', cert_file =>
> > '/etc/pve/local/pve-ssl.pem',
> > -	    honor_cipher_order => $proxyconf->{HONOR_CIPHER_ORDER},
> > +	    honor_cipher_order =>
> > $proxyconf->{HONOR_CIPHER_ORDER} // 1, },
> >  	compression => $proxyconf->{COMPRESSION},
> >  	# Note: there is no authentication for those pages and
> > dirs! 
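
Review bot: with honor_cipher_order now defaulting to 1 on the '+' line,
the order of the fallback cipher_list string just above it decides what
gets negotiated, and that string places both AES256-GCM suites ahead of
the CHACHA20-POLY1305 ones. Clients that list ChaCha20 first (typically
because they lack AES hardware acceleration) will be moved to AES256-GCM.
Please confirm that this ordering is intended as the server preference,
and mention the new default, plus how to turn it off via
HONOR_CIPHER_ORDER, in the commit message or the pveproxy documentation.
The '//' is the right operator here, since it keeps a defined 0 in
$proxyconf->{HONOR_CIPHER_ORDER}, unlike the '||' used for CIPHERS.
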
> 
> on another note, we probably want this for PMG too? may even make
> sense to switch it default on in http-server (additionally to allow
> configuring (disabling) it then in PMG)?

I was planning to get those changes (and the complete
'/etc/default/$proxy' configuration) into PMG as well (already had an
initial patch on top of my v1). Since pmgproxy is currently quite
similar to pveproxy I initially planned on copying those changes over.
But it might be a good time to push the/most fallback-defaults into
pve-http-server, when touching all 3 places.
Thanks for the tip - will try to do this!


