[pve-devel] [PATCH manager master+stable-8] pve8to9: improve error/log message for tls checks
Dominik Csapak
d.csapak at proxmox.com
Wed Nov 19 10:25:59 CET 2025
we check different key sizes for RSA (2048) vs ECC (224) but the
logs/error always wrote '2048' which can be confusing if ECC keys are
used, for example:
PASS: Certificate 'pveproxy-ssl.pem' passed Debian Busters (and newer) security level for TLS connections (256 >= 2048)
Use the actual size and type we check against in the log/error so reduce
confusion.
The new log line is then:
PASS: Certificate 'pveproxy-ssl.pem' passed Debian Busters (and newer) security level for TLS connections (256 >= 224 ECC)
Signed-off-by: Dominik Csapak <d.csapak at proxmox.com>
---
this is based on master, but should be cleanly cherry-pickable on
stable-8 currently
PVE/CLI/pve8to9.pm | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/PVE/CLI/pve8to9.pm b/PVE/CLI/pve8to9.pm
index 5a22c229..0c4b2343 100644
--- a/PVE/CLI/pve8to9.pm
+++ b/PVE/CLI/pve8to9.pm
@@ -2257,12 +2257,16 @@ sub check_misc {
next;
}
- if ($size < $check->{minsize}) {
- log_fail("'$fn', certificate's $check->{name} public key size is less than 2048 bit");
+ my $min_size = $check->{minsize};
+ my $name = $check->{name};
+ if ($size < $min_size) {
+ log_fail(
+ "'$fn', certificate's $check->{name} public key size is less than $min_size bit for $name"
+ );
$certs_check_failed = 1;
} else {
log_pass(
- "Certificate '$fn' passed Debian Busters (and newer) security level for TLS connections ($size >= 2048)"
+ "Certificate '$fn' passed Debian Busters (and newer) security level for TLS connections ($size >= $min_size $name)"
);
}
}
--
2.47.3
More information about the pve-devel
mailing list