[pve-devel] [PATCH manager 2/4] remove default values from pveproxy ssl config

Stoiko Ivanov s.ivanov at proxmox.com
Fri Feb 22 19:52:03 CET 2019


they are in PVE::APIServer::AnyEvent

Signed-off-by: Stoiko Ivanov <s.ivanov at proxmox.com>
---
 PVE/Service/pveproxy.pm | 14 +++-----------
 1 file changed, 3 insertions(+), 11 deletions(-)

diff --git a/PVE/Service/pveproxy.pm b/PVE/Service/pveproxy.pm
index ee74db4c..e63c90ea 100755
--- a/PVE/Service/pveproxy.pm
+++ b/PVE/Service/pveproxy.pm
@@ -101,15 +101,10 @@ sub init {
 	deny_from => $proxyconf->{DENY_FROM},
 	policy => $proxyconf->{POLICY},
 	ssl => {
-	    # Note: older versions are considered insecure, for example
-	    # search for "Poodle"-Attack
-	    method => 'any',
-	    sslv2 => 0,
-	    sslv3 => 0,
-	    cipher_list => $proxyconf->{CIPHERS} || 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256',
+	    cipher_list => $proxyconf->{CIPHERS},
 	    key_file => '/etc/pve/local/pve-ssl.key',
 	    cert_file => '/etc/pve/local/pve-ssl.pem',
-	    honor_cipher_order => $proxyconf->{HONOR_CIPHER_ORDER} // 1,
+	    honor_cipher_order => $proxyconf->{HONOR_CIPHER_ORDER},
 	},
 	compression => $proxyconf->{COMPRESSION},
 	# Note: there is no authentication for those pages and dirs!
@@ -126,12 +121,9 @@ sub init {
 	dirs => $dirs,
     };
 
-    if ($proxyconf->{DHPARAMS}) {
+    if (defined($proxyconf->{DHPARAMS})) {
 	$self->{server_config}->{ssl}->{dh_file} = $proxyconf->{DHPARAMS};
-    } else {
-	$self->{server_config}->{ssl}->{dh} = 'skip2048';
     }
-
     if (-f '/etc/pve/local/pveproxy-ssl.pem' && -f '/etc/pve/local/pveproxy-ssl.key') {
 	$self->{server_config}->{ssl}->{cert_file} = '/etc/pve/local/pveproxy-ssl.pem';
 	$self->{server_config}->{ssl}->{key_file} = '/etc/pve/local/pveproxy-ssl.key';
-- 
2.11.0




More information about the pve-devel mailing list