[pve-devel] applied: [PATCH http-server] Revert "tls: make dh to openssl 1.1 compatible"
Fabian Grünbichler
f.gruenbichler at proxmox.com
Mon Oct 28 10:28:11 CET 2019
thanks for noticing!
On October 25, 2019 5:34 pm, Thomas Lamprecht wrote:
> The libanyevent-perl version 7.140-3 included a fix for this.
> It migrated to the then still testing (buster was not yet released)
> on 07.04.2019, and so we can safely revert this workaround again
> here.
>
> Albeit this was fixed since Buster was officially released, still
> bump the version dependency to libanyevent-perl in debian/control.
>
> A future libanyevent-perl will use "ffdhe3072" for DH; another good
> reason to revert this, to not keep hardcoded parameters with possible
> (future) security implications here.
>
> [0]: https://tracker.debian.org/news/1037514/libanyevent-perl-7140-3-migrated-to-testing/
>
> This reverts commit ea574439f76bb3914b8b8c0be8e40ee826c95afc.
>
> Signed-off-by: Thomas Lamprecht <t.lamprecht at proxmox.com>
> ---
> PVE/APIServer/AnyEvent.pm | 3 ---
> debian/control | 2 +-
> 2 files changed, 1 insertion(+), 4 deletions(-)
>
> diff --git a/PVE/APIServer/AnyEvent.pm b/PVE/APIServer/AnyEvent.pm
> index 9aba27d..539a156 100644
> --- a/PVE/APIServer/AnyEvent.pm
> +++ b/PVE/APIServer/AnyEvent.pm
> @@ -591,9 +591,6 @@ sub proxy_request {
> sslv2 => 0,
> sslv3 => 0,
> verify => 1,
> - # be compatible with openssl 1.1, fix for debian bug #923615
> - # remove once libanyeven-perl with this fix transitions to buster
> - dh => 'schmorp2048',
> verify_cb => sub {
> my (undef, undef, undef, $depth, undef, undef, $cert) = @_;
> # we don't care about intermediate or root certificates
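Review bot: With `dh => 'schmorp2048'` removed from the TLS options in proxy_request, nothing at this site records that the DH parameters are now deliberately left to the libanyevent-perl default, which the commit message says will become "ffdhe3072" in a future release. A one-line comment here, or a sentence in the commit message stating that the choice of DH group is delegated to the library, would keep someone from reintroducing a hardcoded value later. It is also worth confirming that the reverted commit touched only this TLS context; the diffstat shows three deletions in AnyEvent.pm, which matches this single hunk.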
> diff --git a/debian/control b/debian/control
> index a784039..b1409e4 100644
> --- a/debian/control
> +++ b/debian/control
> @@ -11,7 +11,7 @@ Homepage: https://www.proxmox.com
> Package: libpve-http-server-perl
> Architecture: all
> Depends: libanyevent-http-perl,
> - libanyevent-perl,
> + libanyevent-perl (>= 7.140-3),
> libcrypt-ssleay-perl,
> libhtml-parser-perl,
> libhttp-date-perl,
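Review bot: The lower bound `libanyevent-perl (>= 7.140-3)` is the only thing that keeps the removal of the `dh` workaround safe on a system with an older library, yet the connection between the two is visible only by reading both hunks together. The bug number from the removed comment (#923615) does not appear in the commit message; adding it next to the tracker link would let a later maintainer see why this exact version was chosen before changing the constraint.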
> --
> 2.20.1