[PVE-User] Proxmox disable TLS 1
Thomas Lamprecht
t.lamprecht at proxmox.com
Thu Jul 26 11:38:01 CEST 2018
On 07/26/2018 at 11:30 AM, Brent Clark wrote:
> Thanks for replying
>
> Interesting, I do not have that file / package.
>
Just create it, it's not there by default but gets considered by
pveproxy - if there. And pveproxy resides in the pve-manager package.
> root at chs-vmh01 ~ # dpkg -l | awk '/pve-/{print $2" "$3}'
Not all our packages begin with pve, e.g. qemu-server, novnc-pve, etc.
Use `pveversion -v` to get a list of all packages directly relevant to
PVE and its version quickly, can also be found in the Web UI (Node ->
Summary -> Package versions)
cheers,
Thomas
>
> snippet
>
> pve-cluster 5.0-28
> pve-container 2.0-24
> pve-docs 5.2-4
> pve-edk2-firmware 1.20180612-1
> pve-firewall 3.0-13
> pve-firmware 2.0-5
> pve-ha-manager 2.0-5
> pve-i18n 1.0-6
> pve-kernel-4.15 5.2-4
> pve-kernel-4.15.15-1-pve 4.15.15-6
> pve-kernel-4.15.17-1-pve 4.15.17-9
> pve-kernel-4.15.17-3-pve 4.15.17-14
> pve-kernel-4.15.18-1-pve 4.15.18-15
> pve-libspice-server1 0.12.8-3
> pve-manager 5.2-5
> pve-qemu-kvm 2.11.2-1
> pve-xtermjs 1.0-5
>
> Regards
> Brent
>
>
> On 26/07/2018 11:22, Thomas Lamprecht wrote:
>> Hi,
>>
>> On 07/26/2018 at 11:05 AM, Brent Clark wrote:
>>> Good day Guys
>>>
>>> I did a sslscan on my proxmox host, and I got the following:
>>>
>>> snippet:
>>> Preferred TLSv1.0 256 bits ECDHE-RSA-AES256-SHA Curve
>>> P-256 DHE 256
>>> Accepted TLSv1.0 256 bits DHE-RSA-AES256-SHA DHE 2048 bits
>>> Accepted TLSv1.0 256 bits DHE-RSA-CAMELLIA256-SHA DHE 2048 bits
>>> Accepted TLSv1.0 256 bits AES256-SHA
>>> Accepted TLSv1.0 256 bits CAMELLIA256-SHA
>>> Accepted TLSv1.0 128 bits ECDHE-RSA-AES128-SHA Curve
>>> P-256 DHE 256
>>> Accepted TLSv1.0 128 bits DHE-RSA-AES128-SHA DHE 2048 bits
>>> Accepted TLSv1.0 128 bits DHE-RSA-SEED-SHA DHE 2048 bits
>>> Accepted TLSv1.0 128 bits DHE-RSA-CAMELLIA128-SHA DHE 2048 bits
>>> Accepted TLSv1.0 128 bits AES128-SHA
>>> Accepted TLSv1.0 128 bits SEED-SHA
>>> Accepted TLSv1.0 128 bits CAMELLIA128-SHA
>>>
>>> I need to remove / disable TLSv1.0. Google has not been able to be of
>>> much help, for I get suggestions to edit
>>> /usr/bin/pveproxy and /etc/default/pveproxy and the list goes on.
>>>
>>> Can someone suggest how to fix this issue.
>>
>> Ah yes, I posted a possible quick solution for this in the forum a bit
>> ago [0].
>>
>> Edit /etc/default/pveproxy to have a line with:
>>
>> CIPHERS="HIGH:!TLSv1:!SSLv3:!aNULL:!MD5"
>>
>> then
>> systemctl restart pveproxy
>>
>> and you should be good to go :-)
>>
>> cheers,
>> Thomas
>>
>> [0]:
>> https://forum.proxmox.com/threads/disabling-tls-1-0-and-1-1-in-proxmox.35814/#post-175643
>>
>>
>>
>>
> _______________________________________________
> pve-user mailing list
> pve-user at pve.proxmox.com
> https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-user
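
The steps from this thread as an added shell example (not written by the posters or the Proxmox project): it sets the CIPHERS line in /etc/default/pveproxy idempotently, creating the file if it is missing, and counts TLSv1.0 lines in sslscan output so a re-scan can confirm the change. The function names, the `apply` argument, the sample scan lines, and the use of `sslscan --no-colour` against port 8006 are assumptions.

```shell
#!/bin/sh
# Added example, not Proxmox code. Function names are hypothetical.
CIPHER_LINE='CIPHERS="HIGH:!TLSv1:!SSLv3:!aNULL:!MD5"'   # value from the thread

# Make FILE contain exactly one CIPHERS= line equal to CIPHER_LINE, creating
# the file if it is missing and keeping every other setting in it.
# Prints "changed" or "unchanged" so the caller knows whether to restart.
set_pveproxy_ciphers() {
    file=$1
    [ -f "$file" ] || : > "$file"
    if [ "$(grep -c '^CIPHERS=' "$file")" = 1 ] && grep -qxF "$CIPHER_LINE" "$file"; then
        echo unchanged
        return 0
    fi
    tmp=$(mktemp) || return 1
    grep -v '^CIPHERS=' "$file" > "$tmp" || true   # grep exits 1 on empty output
    printf '%s\n' "$CIPHER_LINE" >> "$tmp"
    cat "$tmp" > "$file"                           # keeps the file's owner and mode
    rm -f "$tmp"
    echo changed
}

# Count cipher lines in sslscan output (stdin) that are still offered over
# TLSv1.0; 0 means the re-scan is clean.
count_tls10() {
    awk '($1 == "Accepted" || $1 == "Preferred") && $2 == "TLSv1.0" { n++ }
         END { print n + 0 }'
}

# Constructed sample in the sslscan line format quoted in the thread.
sample_scan() {
    cat <<'EOF'
Preferred TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384   Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  AES128-GCM-SHA256
Preferred TLSv1.0  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
Accepted  TLSv1.0  128 bits  AES128-SHA
EOF
}

# On the node, as root: sh this-script apply   (port 8006 assumed for pveproxy)
if [ "${1:-}" = apply ]; then
    [ "$(set_pveproxy_ciphers /etc/default/pveproxy)" = changed ] && systemctl restart pveproxy
    echo "TLSv1.0 cipher lines still offered: $(sslscan --no-colour localhost:8006 | count_tls10)"
fi
```

Run without arguments it only defines the functions; `sample_scan | count_tls10` shows the counter on the constructed lines.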