fix #3790: allow setting TLS 1.3 cipher suites

like the TLS <= 1.2 cipher list, but needs a different option since the
format and values are incompatible. AnyEvent doesn't yet handle this
directly like the cipher list, so set it directly on the context.

requires corresponding patch in pve-manager (which reads the config, and
passes relevant parts back to the API server).

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Tested-by: Stoiko Ivanov <s.ivanov@proxmox.com>
Reviewed-by: Stoiko Ivanov <s.ivanov@proxmox.com>
Fabian Grünbichler 2021-12-17 13:57:27 +01:00 committed by Thomas Lamprecht
parent e12e46c979
commit 95fde1f73d
2 changed files with 7 additions and 0 deletions


@ -1889,6 +1889,9 @@ sub new {
honor_cipher_order => 1,
};
# workaround until anyevent supports TLS 1.3 ciphersuites directly
my $ciphersuites = delete $self->{ssl}->{ciphersuites};
foreach my $k (keys %$ssl_defaults) {
$self->{ssl}->{$k} //= $ssl_defaults->{$k};
}
@ -1908,6 +1911,7 @@ sub new {
$self->{tls_ctx} = AnyEvent::TLS->new(%{$self->{ssl}});
Net::SSLeay::CTX_set_options($self->{tls_ctx}->{ctx}, $tls_ctx_flags);
Net::SSLeay::CTX_set_ciphersuites($self->{tls_ctx}->{ctx}, $ciphersuites) if defined($ciphersuites);
}
if ($self->{spiceproxy}) {
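Review bot: The return value of `Net::SSLeay::CTX_set_ciphersuites` on the new line of the second hunk is discarded, so a malformed or unsupported TLS 1.3 suite list leaves the context on OpenSSL's default suites while the daemon starts without complaint, and the operator believes a restriction is in effect that is not. The underlying OpenSSL call reports failure with a zero return, so the line should fail loudly at startup, e.g. `Net::SSLeay::CTX_set_ciphersuites($self->{tls_ctx}->{ctx}, $ciphersuites)` followed by `or die "failed to set TLS 1.3 ciphersuites '$ciphersuites'\n" if defined($ciphersuites);`, which matches how a typo in the cipher configuration should surface. The `delete` in the first hunk removes the key before `AnyEvent::TLS->new(%{$self->{ssl}})` receives the hash, and the existing `# workaround` comment would be clearer if it said so, e.g. `# workaround until anyevent supports TLS 1.3 ciphersuites directly: pull the key out so AnyEvent::TLS->new does not see it, and apply it on the raw CTX below`. `sub new` begins and ends outside both hunks, and the rendering appears to have dropped blank lines, so the exact placement of the added lines is inferred.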


@ -19,6 +19,7 @@ sub read_proxy_config {
$shcmd .= 'echo \"DENY_FROM:\$DENY_FROM\";';
$shcmd .= 'echo \"POLICY:\$POLICY\";';
$shcmd .= 'echo \"CIPHERS:\$CIPHERS\";';
$shcmd .= 'echo \"CIPHERSUITES:\$CIPHERSUITES\";';
$shcmd .= 'echo \"DHPARAMS:\$DHPARAMS\";';
$shcmd .= 'echo \"HONOR_CIPHER_ORDER:\$HONOR_CIPHER_ORDER\";';
$shcmd .= 'echo \"COMPRESSION:\$COMPRESSION\";';
@ -48,6 +49,8 @@ sub read_proxy_config {
$res->{$key} = $value;
} elsif ($key eq 'CIPHERS') {
$res->{$key} = $value;
} elsif ($key eq 'CIPHERSUITES') {
$res->{$key} = $value;
} elsif ($key eq 'DHPARAMS') {
$res->{$key} = $value;
} elsif ($key eq 'HONOR_CIPHER_ORDER' || $key eq 'COMPRESSION') {
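Review bot: The new `CIPHERSUITES` branch in the second hunk is a verbatim copy of the `CIPHERS` branch directly above it, while the file already folds identical handling into one arm with `||` (`$key eq 'HONOR_CIPHER_ORDER' || $key eq 'COMPRESSION'`); `} elsif ($key eq 'CIPHERS' || $key eq 'CIPHERSUITES') {` keeps the chain consistent and shorter. As with `CIPHERS`, the value is stored verbatim and not validated here, so the only place a bad suite list can be caught is where it is handed to OpenSSL, which is outside this file; a short comment on the branch, `# passed through unvalidated; OpenSSL rejects unknown suites when the context is built`, would tell the next reader where the check lives, assuming the consumer checks that return value. `read_proxy_config` begins outside the hunk.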