proxmox-mirrors/pve-manager
1
0
Fork 0
mirror of https://git.proxmox.com/git/pve-manager synced 2025-08-14 14:32:37 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

pveproxy: add configurable HONOR_CIPHER_ORDER

Browse Source 
fix #2069 (the report includes rationale and also information on test-cases).

Tested by:
* running testssl.sh [0]
* enabling this setting (our default cipherlist prefers AES256,
  chromium on stretch AES128)

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
This commit is contained in:
Stoiko Ivanov 2019-02-19 19:18:42 +01:00 committed by Thomas Lamprecht
parent bbb0c700bd
commit 1f7809624b
2 changed files with 6 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
PVE/API2Tools.pm
View File

@ -222,6 +222,7 @@ sub read_proxy_config {
$shcmd .= 'echo \"POLICY:\$POLICY\";'; $shcmd .= 'echo \"POLICY:\$POLICY\";';
$shcmd .= 'echo \"CIPHERS:\$CIPHERS\";'; $shcmd .= 'echo \"CIPHERS:\$CIPHERS\";';
$shcmd .= 'echo \"DHPARAMS:\$DHPARAMS\";'; $shcmd .= 'echo \"DHPARAMS:\$DHPARAMS\";';
$shcmd .= 'echo \"HONOR_CIPHER_ORDER:\$HONOR_CIPHER_ORDER\";';
my $data = -f $conffile ? `bash -c "$shcmd"` : ''; my $data = -f $conffile ? `bash -c "$shcmd"` : '';
@ -229,7 +230,7 @@ sub read_proxy_config {
while ($data =~ s/^(.*)\n//) { while ($data =~ s/^(.*)\n//) {
my ($key, $value) = split(/:/, $1, 2); my ($key, $value) = split(/:/, $1, 2);
next if !$value; next if !defined($value) || $value eq '';
if ($key eq 'ALLOW_FROM' || $key eq 'DENY_FROM') { if ($key eq 'ALLOW_FROM' || $key eq 'DENY_FROM') {
my $ips = []; my $ips = [];
foreach my $ip (split(/,/, $value)) { foreach my $ip (split(/,/, $value)) {
@ -244,6 +245,9 @@ sub read_proxy_config {
$res->{$key} = $value; $res->{$key} = $value;
} elsif ($key eq 'DHPARAMS') { } elsif ($key eq 'DHPARAMS') {
$res->{$key} = $value; $res->{$key} = $value;
} elsif ($key eq 'HONOR_CIPHER_ORDER') {
die "unknown value '$value' - use 0 or 1\n" if $value !~ m/^(0|1)$/;
$res->{$key} = $value;
} else { } else {
# silently skip everythin else? # silently skip everythin else?
} }

1
PVE/Service/pveproxy.pm
View File

@ -109,6 +109,7 @@ sub init {
cipher_list => $proxyconf->{CIPHERS} || 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256', cipher_list => $proxyconf->{CIPHERS} || 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256',
key_file => '/etc/pve/local/pve-ssl.key', key_file => '/etc/pve/local/pve-ssl.key',
cert_file => '/etc/pve/local/pve-ssl.pem', cert_file => '/etc/pve/local/pve-ssl.pem',
honor_cipher_order => $proxyconf->{HONOR_CIPHER_ORDER},
}, },
# Note: there is no authentication for those pages and dirs! # Note: there is no authentication for those pages and dirs!
pages => { pages => {