proxmox-mirrors/pve-http-server
1
0
Fork 0
mirror of https://git.proxmox.com/git/pve-http-server synced 2025-07-01 00:14:31 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

add ssl fallback values to AnyEvent->new

Browse Source 
This allows for sharing the values between pveproxy and pmgproxy

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
This commit is contained in:
Stoiko Ivanov 2019-02-22 19:51:58 +01:00 committed by Thomas Lamprecht
parent 025b303821
commit fac83ab296
1 changed files with 18 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
PVE/APIServer/AnyEvent.pm
View File

@ -1646,6 +1646,24 @@ sub new {
$self->{end_cond} = AnyEvent->condvar; $self->{end_cond} = AnyEvent->condvar;
if ($self->{ssl}) { if ($self->{ssl}) {
my $ssl_defaults = {
# Note: older versions are considered insecure, for example
# search for "Poodle"-Attack
method => 'any',
sslv2 => 0,
sslv3 => 0,
cipher_list => 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256',
honor_cipher_order => 1,
};
foreach my $k (keys %$ssl_defaults) {
$self->{ssl}->{$k} //= $ssl_defaults->{$k};
}
if (!defined($self->{ssl}->{dh_file})) {
$self->{ssl}->{dh} = 'skip2048';
}
my $tls_ctx_flags = &Net::SSLeay::OP_NO_COMPRESSION | &Net::SSLeay::OP_SINGLE_ECDH_USE | &Net::SSLeay::OP_SINGLE_DH_USE; my $tls_ctx_flags = &Net::SSLeay::OP_NO_COMPRESSION | &Net::SSLeay::OP_SINGLE_ECDH_USE | &Net::SSLeay::OP_SINGLE_DH_USE;
if ( delete $self->{ssl}->{honor_cipher_order} ) { if ( delete $self->{ssl}->{honor_cipher_order} ) {
$tls_ctx_flags |= &Net::SSLeay::OP_CIPHER_SERVER_PREFERENCE; $tls_ctx_flags |= &Net::SSLeay::OP_CIPHER_SERVER_PREFERENCE;