[pve-devel] [PATCH v1 proxmox 0/3] Fix #5105: Overhaul TLS Handshake Checking Logic
Max Carrara
m.carrara at proxmox.com
Fri Jul 5 18:20:17 CEST 2024
Fix #5105: Overhaul TLS Handshake Checking Logic
================================================
This series fixes bug #5105 [1] by overhauling the TLS handshake
checking logic, which is performed when using a connection acceptor
variant with optional TLS.
In the case of PBS (the only place where this is used, to my knowledge),
any requests made over plain HTTP are redirected to the same host, but
clients are instructed to use HTTPS instead.
The TLS handshake checking logic determines whether the client uses HTTP
or HTTPS by peeking into the stream buffer -- if the first 5 received
bytes look like a TLS handshake fragment, the connection is passed on to
OpenSSL before being accepted. Otherwise the connection is assumed to be
unencrypted, i.e. plain HTTP.
However, this logic contains two errors:
1. The timeout duration is too short - one second is too little
2. When a timeout occurs, the connection is assumed to be unencrypted
(and thus plain HTTP)
The patches 01 and 02 are mainly done in preparation for patch 03 (which
contains the actual fix), improving the overall quality of the code and
including the peer's address in error logs.
Please see the individual patches for more information.
Special thanks go to Stefan Hanreich whose advice helped identifying
many individual puzzle pieces comprising this issue.
References
----------
[1]: https://bugzilla.proxmox.com/show_bug.cgi?id=5105
Summary of Changes
------------------
Max Carrara (3):
rest-server: connection: clean up accept data flow
rest-server: connection: log peer address on error
fix #5105: rest-server: connection: overhaul TLS handshake check logic
proxmox-rest-server/src/connection.rs | 165 +++++++++++++-------------
1 file changed, 85 insertions(+), 80 deletions(-)
--
2.39.2
More information about the pve-devel
mailing list