Enable TLS 1.1 and 1.2, change default DH params

AnyEvent uses a built-in DH group defined as 'schmorp1539' by default, which seems to trigger the bug in [1] for every attempt of accessing the web GUI using IE11 and TLS1.2. By switching to a bigger default DH group ('skip2048'), the bug seems to be gone (or trigger sufficiently rarely). 1: http://engineering.imvu.com/2015/01/27/the-case-of-the-page-cant-be-displayed-intermittent-selenium-test/ Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
2025-08-03 19:26:46 +00:00 · 2016-01-26 15:09:11 +01:00 · 2016-01-26 15:09:11 +01:00 · ee0b96b15f
commit ee0b96b15f
parent 08801a5d01
1 changed files with 2 additions and 1 deletions
--- a/PVE/Service/pveproxy.pm
+++ b/PVE/Service/pveproxy.pm
@ -108,12 +108,13 @@ sub init {
 	ssl => {
 	    # Note: older versions are considered insecure, for example
 	    # search for "Poodle"-Attac
-	    method => 'tlsv1',
+	    method => 'any',
 	    sslv2 => 0,
 	    sslv3 => 0,
 	    cipher_list => $proxyconf->{CIPHERS} || 'HIGH:MEDIUM:!aNULL:!MD5',
 	    key_file => '/etc/pve/local/pve-ssl.key',
 	    cert_file => '/etc/pve/local/pve-ssl.pem',
+	    dh => 'skip2048',
 	},
 	# Note: there is no authentication for those pages and dirs!
 	pages => {