[PVE-User] Proxmox disable TLS 1

Uwe Sauter uwe.sauter.de at gmail.com
Thu Jul 26 13:27:35 CEST 2018


Would you mind to share the relevant parts of your nginx config? Does forwarding NoVNC traffic work?



Am 26.07.2018 um 13:22 schrieb Ian Coetzee:
> Hi All,
> 
> I know this has been answered.
> 
> What I did was to drop a reverse proxy (nginx) in front of pveproxy
> listening on port 443 then make the needed changes in the nginx config
> 
> Makes my life way easier :)
> 
> On 26 July 2018 at 11:38, Thomas Lamprecht <t.lamprecht at proxmox.com> wrote:
> 
>> Am 07/26/2018 um 11:30 AM schrieb Brent Clark:
>>
>>> Thanks for replying
>>>
>>> Interesting, I do not have that file / package.
>>>
>>>
>> Just create it, it's not there by default but gets considered by
>> pveproxy - if there. And pveproxy resides in the pve-manager package
>>
>> root at chs-vmh01 ~ # dpkg -l | awk '/pve-/{print $2" "$3}'
>>>
>>
>> Not all our packages begin with pve, e.g. qemu-server, novnc-pve, etc.
>>
>> Use `pveversion -v` to get a list of all packages directly relevant to
>> PVE and it's version quickly, can also be found in the Web UI (Node ->
>> Summary -> Package versions)
>>
>> cheers,
>> Thomas
>>
>>
>>
>>> snippet
>>>
>>> pve-cluster 5.0-28
>>> pve-container 2.0-24
>>> pve-docs 5.2-4
>>> pve-edk2-firmware 1.20180612-1
>>> pve-firewall 3.0-13
>>> pve-firmware 2.0-5
>>> pve-ha-manager 2.0-5
>>> pve-i18n 1.0-6
>>> pve-kernel-4.15 5.2-4
>>> pve-kernel-4.15.15-1-pve 4.15.15-6
>>> pve-kernel-4.15.17-1-pve 4.15.17-9
>>> pve-kernel-4.15.17-3-pve 4.15.17-14
>>> pve-kernel-4.15.18-1-pve 4.15.18-15
>>> pve-libspice-server1 0.12.8-3
>>> pve-manager 5.2-5
>>> pve-qemu-kvm 2.11.2-1
>>> pve-xtermjs 1.0-5
>>>
>>> Regards
>>> Brent
>>>
>>>
>>> On 26/07/2018 11:22, Thomas Lamprecht wrote:
>>>
>>>> Hi,
>>>>
>>>> Am 07/26/2018 um 11:05 AM schrieb Brent Clark:
>>>>
>>>>> Good day Guys
>>>>>
>>>>> I did a sslscan on my proxmox host, and I got the following:
>>>>>
>>>>> snippet:
>>>>> Preferred TLSv1.0  256 bits  ECDHE-RSA-AES256-SHA          Curve P-256
>>>>> DHE 256
>>>>> Accepted  TLSv1.0  256 bits  DHE-RSA-AES256-SHA            DHE 2048 bits
>>>>> Accepted  TLSv1.0  256 bits  DHE-RSA-CAMELLIA256-SHA       DHE 2048 bits
>>>>> Accepted  TLSv1.0  256 bits  AES256-SHA
>>>>> Accepted  TLSv1.0  256 bits  CAMELLIA256-SHA
>>>>> Accepted  TLSv1.0  128 bits  ECDHE-RSA-AES128-SHA          Curve P-256
>>>>> DHE 256
>>>>> Accepted  TLSv1.0  128 bits  DHE-RSA-AES128-SHA            DHE 2048 bits
>>>>> Accepted  TLSv1.0  128 bits  DHE-RSA-SEED-SHA              DHE 2048 bits
>>>>> Accepted  TLSv1.0  128 bits  DHE-RSA-CAMELLIA128-SHA       DHE 2048 bits
>>>>> Accepted  TLSv1.0  128 bits  AES128-SHA
>>>>> Accepted  TLSv1.0  128 bits  SEED-SHA
>>>>> Accepted  TLSv1.0  128 bits  CAMELLIA128-SHA
>>>>>
>>>>> I need to remove / disable TLSv1.0. Google has not been able to be of
>>>>> much help, for I get suggestions to edit
>>>>> /usr/bin/pveproxy and /etc/default/pveproxy and the list goes on.
>>>>>
>>>>>  > Can someone suggest how to fix this issue.
>>>>
>>>> Ah yes, I posted a possible quick solution for this in the forum a bit
>>>> ago [0].
>>>>
>>>> Edit /etc/default/pveproxy to have a line with:
>>>>
>>>> CIPHERS="HIGH:!TLSv1:!SSLv3:!aNULL:!MD5"
>>>>
>>>> then
>>>> systemctl restart pveproxy
>>>>
>>>> and you should be good to go :-)
>>>>
>>>> cheers,
>>>> Thomas
>>>>
>>>> [0]: https://forum.proxmox.com/threads/disabling-tls-1-0-and-1-1-
>>>> in-proxmox.35814/#post-175643
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>> pve-user mailing list
>>> pve-user at pve.proxmox.com
>>> https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-user
>>>
>>
>>
>> _______________________________________________
>> pve-user mailing list
>> pve-user at pve.proxmox.com
>> https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-user
>>
> _______________________________________________
> pve-user mailing list
> pve-user at pve.proxmox.com
> https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-user
> 



More information about the pve-user mailing list