[pve-devel] applied: [PATCH http-server] tls: make dh to openssl 1.1 compatible

Thomas Lamprecht t.lamprecht at proxmox.com
Fri Mar 22 10:35:51 CET 2019


Effective the same approach used in libanyevent-perl 7.140-3[0]
Stretch is also compatible with this, and we can remove it for
buster/PVE 6 once the libanyevent-perl package transitioned to
from unstable to buster, until then do it ourself to have a
functioning api/proxy...

[0]: https://salsa.debian.org/perl-team/modules/packages/libanyevent-perl/commit/7f3d5721bb915c0c24088c3ff361238938172108

Signed-off-by: Thomas Lamprecht <t.lamprecht at proxmox.com>
---
 PVE/APIServer/AnyEvent.pm | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/PVE/APIServer/AnyEvent.pm b/PVE/APIServer/AnyEvent.pm
index b2330a5..1a01d17 100644
--- a/PVE/APIServer/AnyEvent.pm
+++ b/PVE/APIServer/AnyEvent.pm
@@ -574,6 +574,9 @@ sub proxy_request {
 	    sslv2 => 0,
 	    sslv3 => 0,
 	    verify => 1,
+	    # be compatible with openssl 1.1, fix for debian bug #923615
+	    # remove once libanyeven-perl with this fix transitions to buster
+	    dh => 'schmorp2048',
 	    verify_cb => sub {
 		my (undef, undef, undef, $depth, undef, undef, $cert) = @_;
 		# we don't care about intermediate or root certificates
-- 
2.20.1




More information about the pve-devel mailing list