From 1f7809624b443540b32be793bef5cf54f40e3f4d Mon Sep 17 00:00:00 2001
From: Stoiko Ivanov <s.ivanov@proxmox.com>
Date: Tue, 19 Feb 2019 19:18:42 +0100
Subject: [PATCH] pveproxy: add configurable HONOR_CIPHER_ORDER

fix #2069 (the report includes rationale and also information on test-cases).

Tested by:
* running testssl.sh [0]
* enabling this setting (our default cipherlist prefers AES256,
  chromium on stretch AES128)

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
 PVE/API2Tools.pm        | 6 +++++-
 PVE/Service/pveproxy.pm | 1 +
 2 files changed, 6 insertions(+), 1 deletion(-)

diff --git a/PVE/API2Tools.pm b/PVE/API2Tools.pm
index 7527b42b..fd2f656d 100644
--- a/PVE/API2Tools.pm
+++ b/PVE/API2Tools.pm
@@ -222,6 +222,7 @@ sub read_proxy_config {
     $shcmd .= 'echo \"POLICY:\$POLICY\";';
     $shcmd .= 'echo \"CIPHERS:\$CIPHERS\";';
     $shcmd .= 'echo \"DHPARAMS:\$DHPARAMS\";';
+    $shcmd .= 'echo \"HONOR_CIPHER_ORDER:\$HONOR_CIPHER_ORDER\";';
 
     my $data = -f $conffile ? `bash -c "$shcmd"` : '';
 
@@ -229,7 +230,7 @@ sub read_proxy_config {
 
     while ($data =~ s/^(.*)\n//) {
 	my ($key, $value) = split(/:/, $1, 2);
-	next if !$value;
+	next if !defined($value) || $value eq '';
 	if ($key eq 'ALLOW_FROM' || $key eq 'DENY_FROM') {
 	    my $ips = [];
 	    foreach my $ip (split(/,/, $value)) {
@@ -244,6 +245,9 @@ sub read_proxy_config {
 	    $res->{$key} = $value;
 	} elsif ($key eq 'DHPARAMS') {
 	    $res->{$key} = $value;
+	} elsif ($key eq 'HONOR_CIPHER_ORDER') {
+	    die "unknown value '$value' - use 0 or 1\n" if $value !~ m/^(0|1)$/;
+	    $res->{$key} = $value;
 	} else {
 	    # silently skip everythin else?
 	}
diff --git a/PVE/Service/pveproxy.pm b/PVE/Service/pveproxy.pm
index ee6c28d4..e984cb8c 100755
--- a/PVE/Service/pveproxy.pm
+++ b/PVE/Service/pveproxy.pm
@@ -109,6 +109,7 @@ sub init {
 	    cipher_list => $proxyconf->{CIPHERS} || 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256',
 	    key_file => '/etc/pve/local/pve-ssl.key',
 	    cert_file => '/etc/pve/local/pve-ssl.pem',
+	    honor_cipher_order => $proxyconf->{HONOR_CIPHER_ORDER},
 	},
 	# Note: there is no authentication for those pages and dirs!
 	pages => {