[PVE-User] Change pveproxy to tls1.2

Sten Aus sten.aus at eenet.ee
Tue Dec 2 13:03:32 CET 2014


It's hardcoded but works perfectly (I guess until next upgrade, but anyway).

One way to disable SSLv3 and support TLS 1.2 and 1.1 is this:

Edit the file /usr/bin/pveproxy
Find the line with method => "tlsv1" and comment it out.
Now "ssleay" supports all TLS versions and SSL versions.
It's relatively easy to disable SSLv3 by adding a line

"sslv3 => 0,"

Add it next to the line you just commented out.

And to determine what ciphers are allowed, it's easy to edit this in 
/etc/default/pveproxy.

Suggestion to Proxmox developers: this should be implemented in a 
configuration file which automatically gets distributed to all nodes. 
It's logical that I want all nodes to use the same cryptographic 
algorithms, not just one.

Keep up the good work!

On 01.12.14 17:03, Sten Aus wrote:
> Hi
>
> I tried to set the /usr/bin/pveproxy ssl method value to tlsv1.2 or 
> tlsv12, but it did not work. How should I configure it to use TLS v1.2, 
> not TLS v1.0?
>
> And where can I specify cipher_list for SSL to use?
>
> Thanks!

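The edit described in the message above, as an added example that is not part of the original post and is not Proxmox code: a check that reports whether the two changes are in place (worth re-running after an upgrade, since the message expects the edit may be overwritten) and an idempotent helper that applies them with a backup. The function names tls_state and harden are hypothetical, the sample snippet is constructed and the exact layout of the method line in the real file is an assumption; GNU sed is assumed.

```shell
#!/bin/sh
# Added example. Point these functions at a copy of /usr/bin/pveproxy first.

# Print one of: pinned-tlsv1 | hardened | sslv3-not-disabled
tls_state() {
    f=$1
    # An active (uncommented) method => "tlsv1" line is what the message comments out.
    if grep -Eq "^[[:space:]]*method[[:space:]]*=>[[:space:]]*[\"']tlsv1[\"']" "$f"; then
        echo pinned-tlsv1
    # With the method line gone, an explicit "sslv3 => 0," is what turns SSLv3 off.
    elif grep -Eq "^[[:space:]]*sslv3[[:space:]]*=>[[:space:]]*0[[:space:]]*," "$f"; then
        echo hardened
    else
        echo sslv3-not-disabled
    fi
}

# Comment out the method line and add "sslv3 => 0," right after it.
# Only acts on a file in the pinned-tlsv1 state, so a second run changes nothing.
harden() {
    f=$1
    [ "$(tls_state "$f")" = pinned-tlsv1 ] || return 0
    cp -p "$f" "$f.orig"    # keep the untouched file for diffing and rollback
    # Read from the backup and write into the existing file, preserving its mode.
    sed -E "s/^([[:space:]]*)(method[[:space:]]*=>[[:space:]]*[\"']tlsv1[\"'].*)/\1# \2\n\1sslv3 => 0,/" \
        "$f.orig" > "$f"
}

# Demo on a constructed snippet (not the real contents of /usr/bin/pveproxy).
sample=$(mktemp)
printf '%s\n' 'my %tls = (' "    method => 'tlsv1'," ');' > "$sample"
echo "before: $(tls_state "$sample")"
harden "$sample"
echo "after:  $(tls_state "$sample")"
```

A result of pinned-tlsv1 or sslv3-not-disabled on a node after a package upgrade means the manual edit is no longer in place there.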