[PVE-User] Proxmox disable TLS 1

Brent Clark brentgclarklist at gmail.com
Thu Jul 26 11:47:21 CEST 2018


Thomas, you the man !!!

Thank you so much.

Snippet of sslscan:
----------------------------------------------------------------------
Heartbleed:
TLS 1.2 not vulnerable to heartbleed
TLS 1.1 not vulnerable to heartbleed
TLS 1.0 not vulnerable to heartbleed


Supported Server Cipher(s):
Preferred TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384   Curve P-256 DHE 256
Accepted  TLSv1.2  256 bits  ECDHE-RSA-AES256-SHA384       Curve P-256 DHE 256
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-GCM-SHA384     DHE 2048 bits
Accepted  TLSv1.2  256 bits  DHE-RSA-AES256-SHA256         DHE 2048 bits
Accepted  TLSv1.2  256 bits  AES256-GCM-SHA384
Accepted  TLSv1.2  256 bits  AES256-SHA256
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-GCM-SHA256   Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  ECDHE-RSA-AES128-SHA256       Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-GCM-SHA256     DHE 2048 bits
Accepted  TLSv1.2  128 bits  DHE-RSA-AES128-SHA256         DHE 2048 bits
Accepted  TLSv1.2  128 bits  AES128-GCM-SHA256
Accepted  TLSv1.2  128 bits  AES128-SHA256

SSL Certificate:
Signature Algorithm: sha1WithRSAEncryption
RSA Key Strength:    2048
----------------------------------------------------------------------

Regards
Brent

On 26/07/2018 11:38, Thomas Lamprecht wrote:
> On 07/26/2018 at 11:30 AM, Brent Clark wrote:
>> Thanks for replying
>>
>> Interesting, I do not have that file / package.
>>
> 
> Just create it, it's not there by default but gets considered by
> pveproxy - if there. And pveproxy resides in the pve-manager package
> 
>> root@chs-vmh01 ~ # dpkg -l | awk '/pve-/{print $2" "$3}'
> 
> Not all our packages begin with pve, e.g. qemu-server, novnc-pve, etc.
> 
> Use `pveversion -v` to get a list of all packages directly relevant to
> PVE and its version quickly, can also be found in the Web UI (Node ->
> Summary -> Package versions)
> 
> cheers,
> Thomas
> 
>>
>> snippet
>>
>> pve-cluster 5.0-28
>> pve-container 2.0-24
>> pve-docs 5.2-4
>> pve-edk2-firmware 1.20180612-1
>> pve-firewall 3.0-13
>> pve-firmware 2.0-5
>> pve-ha-manager 2.0-5
>> pve-i18n 1.0-6
>> pve-kernel-4.15 5.2-4
>> pve-kernel-4.15.15-1-pve 4.15.15-6
>> pve-kernel-4.15.17-1-pve 4.15.17-9
>> pve-kernel-4.15.17-3-pve 4.15.17-14
>> pve-kernel-4.15.18-1-pve 4.15.18-15
>> pve-libspice-server1 0.12.8-3
>> pve-manager 5.2-5
>> pve-qemu-kvm 2.11.2-1
>> pve-xtermjs 1.0-5
>>
>> Regards
>> Brent
>>
>>
>> On 26/07/2018 11:22, Thomas Lamprecht wrote:
>>> Hi,
>>>
>>> On 07/26/2018 at 11:05 AM, Brent Clark wrote:
>>>> Good day Guys
>>>>
>>>> I did a sslscan on my proxmox host, and I got the following:
>>>>
>>>> snippet:
>>>> Preferred TLSv1.0  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256 DHE 256
>>>> Accepted  TLSv1.0  256 bits  DHE-RSA-AES256-SHA            DHE 2048 bits
>>>> Accepted  TLSv1.0  256 bits  DHE-RSA-CAMELLIA256-SHA       DHE 2048 bits
>>>> Accepted  TLSv1.0  256 bits  AES256-SHA
>>>> Accepted  TLSv1.0  256 bits  CAMELLIA256-SHA
>>>> Accepted  TLSv1.0  128 bits  ECDHE-RSA-AES128-SHA          Curve P-256 DHE 256
>>>> Accepted  TLSv1.0  128 bits  DHE-RSA-AES128-SHA            DHE 2048 bits
>>>> Accepted  TLSv1.0  128 bits  DHE-RSA-SEED-SHA              DHE 2048 bits
>>>> Accepted  TLSv1.0  128 bits  DHE-RSA-CAMELLIA128-SHA       DHE 2048 bits
>>>> Accepted  TLSv1.0  128 bits  AES128-SHA
>>>> Accepted  TLSv1.0  128 bits  SEED-SHA
>>>> Accepted  TLSv1.0  128 bits  CAMELLIA128-SHA
>>>>
>>>> I need to remove / disable TLSv1.0. Google has not been able to be 
>>>> of much help, for I get suggestions to edit
>>>> /usr/bin/pveproxy and /etc/default/pveproxy and the list goes on.
>>>>
>>>> Can someone suggest how to fix this issue.
>>>
>>> Ah yes, I posted a possible quick solution for this in the forum a bit
>>> ago [0].
>>>
>>> Edit /etc/default/pveproxy to have a line with:
>>>
>>> CIPHERS="HIGH:!TLSv1:!SSLv3:!aNULL:!MD5"
>>>
>>> then
>>> systemctl restart pveproxy
>>>
>>> and you should be good to go :-)
>>>
>>> cheers,
>>> Thomas
>>>
>>> [0]: https://forum.proxmox.com/threads/disabling-tls-1-0-and-1-1-in-proxmox.35814/#post-175643
> 
> 
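
To re-check a host after the CIPHERS change discussed in this thread, the following added example (not part of the original messages and not Proxmox code) parses sslscan cipher rows and lists any suite still offered over a legacy protocol version. The script name `check_tls.py`, the function names and the two sample scans are assumptions; the samples are constructed from the rows quoted above.

```python
import re
import sys

# Protocol versions that should no longer be offered after the CIPHERS change.
LEGACY = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}

# sslscan may colour its output; strip ANSI colour codes before matching.
ANSI = re.compile(r"\x1b\[[0-9;]*m")

# Matches cipher rows such as "Accepted  TLSv1.2  256 bits  AES256-GCM-SHA384"
# and tolerates e-mail quote markers ("> ", ">>>> ") in front of the row.
ROW = re.compile(
    r"^[>\s]*(Preferred|Accepted)\s+((?:SSL|TLS)v[\d.]+)\s+(\d+)\s+bits\s+(\S+)"
)

def parse_sslscan(text):
    """Return (protocol, bits, cipher) for every suite the server offered."""
    suites = []
    for line in text.splitlines():
        m = ROW.match(ANSI.sub("", line))
        if m:  # wrapped continuation lines ("P-256 DHE 256") do not match
            suites.append((m.group(2), int(m.group(3)), m.group(4)))
    return suites

def legacy_suites(text):
    """Return only the suites offered over a legacy protocol version."""
    return [s for s in parse_sslscan(text) if s[0] in LEGACY]

# Constructed samples modelled on the two scans in this thread.
BEFORE = """\
>>>> Preferred TLSv1.0  256 bits  ECDHE-RSA-AES256-SHA          Curve
>>>> P-256 DHE 256
>>>> Accepted  TLSv1.0  128 bits  AES128-SHA
Accepted  TLSv1.2  256 bits  AES256-GCM-SHA384
"""
AFTER = """\
Preferred TLSv1.2  256 bits  ECDHE-RSA-AES256-GCM-SHA384   Curve P-256 DHE 256
Accepted  TLSv1.2  128 bits  AES128-SHA256
"""

if __name__ == "__main__":
    # Usage: sslscan <host>:<port> | python3 check_tls.py
    text = BEFORE if sys.stdin.isatty() else sys.stdin.read()
    bad = legacy_suites(text)
    for proto, bits, cipher in bad:
        print(f"legacy suite still offered: {proto} {cipher} ({bits} bits)")
    sys.exit(1 if bad else 0)
```

The non-zero exit status on any legacy suite lets the check run from cron or a monitoring job after package upgrades, so a reverted /etc/default/pveproxy does not go unnoticed.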

