[pve-devel] [PATCH http-server] Revert "tls: make dh to openssl 1.1 compatible"
Thomas Lamprecht
t.lamprecht at proxmox.com
Fri Oct 25 17:34:27 CEST 2019
The libanyevent-perl version 7.140-3 included a fix for this.
It migrated to the then still testing (buster was not yet released)
on 07.04.2019, and so we can safely revert this workaround again
here.
Albeit this was fixed since Buster was officially released, still
bump the version dependency to libanyevent-perl in debian/control.
A future libanyevent-perl will use "ffdhe3072" for DH; another good
reason to revert this, to not keep hardcoded parameters with possible
(future) security implications here.
[0]: https://tracker.debian.org/news/1037514/libanyevent-perl-7140-3-migrated-to-testing/
This reverts commit ea574439f76bb3914b8b8c0be8e40ee826c95afc.
Signed-off-by: Thomas Lamprecht <t.lamprecht at proxmox.com>
---
PVE/APIServer/AnyEvent.pm | 3 ---
debian/control | 2 +-
2 files changed, 1 insertion(+), 4 deletions(-)
diff --git a/PVE/APIServer/AnyEvent.pm b/PVE/APIServer/AnyEvent.pm
index 9aba27d..539a156 100644
--- a/PVE/APIServer/AnyEvent.pm
+++ b/PVE/APIServer/AnyEvent.pm
@@ -591,9 +591,6 @@ sub proxy_request {
sslv2 => 0,
sslv3 => 0,
verify => 1,
- # be compatible with openssl 1.1, fix for debian bug #923615
- # remove once libanyeven-perl with this fix transitions to buster
- dh => 'schmorp2048',
verify_cb => sub {
my (undef, undef, undef, $depth, undef, undef, $cert) = @_;
# we don't care about intermediate or root certificates
diff --git a/debian/control b/debian/control
index a784039..b1409e4 100644
--- a/debian/control
+++ b/debian/control
@@ -11,7 +11,7 @@ Homepage: https://www.proxmox.com
Package: libpve-http-server-perl
Architecture: all
Depends: libanyevent-http-perl,
- libanyevent-perl,
+ libanyevent-perl (>= 7.140-3),
libcrypt-ssleay-perl,
libhtml-parser-perl,
libhttp-date-perl,
--
2.20.1
More information about the pve-devel
mailing list