]> git.proxmox.com Git - pve-http-server.git/blobdiff - src/PVE/APIServer/AnyEvent.pm
projects / pve-http-server.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
fix #4859: properly configure TLSv1.3 only mode
[pve-http-server.git] / src / PVE / APIServer / AnyEvent.pm
diff --git a/src/PVE/APIServer/AnyEvent.pm b/src/PVE/APIServer/AnyEvent.pm
index 8be2347511bc394d88759c55dd1db0c0f3caef26..cebd9ba60888e7dc72bce1b7de3b1fb7dda96cc2 100644 (file)
--- a/src/PVE/APIServer/AnyEvent.pm
+++ b/src/PVE/APIServer/AnyEvent.pm
@@ -12,7 +12,6 @@ use warnings;
 
 use AnyEvent::HTTP;
 use AnyEvent::Handle;
-use AnyEvent::IO;
 use AnyEvent::Socket;
 # use AnyEvent::Strict; # only use this for debugging
 use AnyEvent::TLS;
@@ -745,11 +744,17 @@ sub proxy_request {
        my $content;
 
        if  ($method eq 'POST' || $method eq 'PUT') {
-           $headers->{'Content-Type'} = 'application/x-www-form-urlencoded';
-           # use URI object to format application/x-www-form-urlencoded content.
-           my $url = URI->new('http:');
-           $url->query_form(%$params);
-           $content = $url->query;
+           my $request_ct = $reqstate->{request}->header('Content-Type');
+           if (defined($request_ct) && $request_ct =~ 'application/json') {
+               $headers->{'Content-Type'} = 'application/json';
+               $content = encode_json($params);
+           } else {
+               $headers->{'Content-Type'} = 'application/x-www-form-urlencoded';
+               # use URI object to format application/x-www-form-urlencoded content.
+               my $url = URI->new('http:');
+               $url->query_form(%$params);
+               $content = $url->query;
+           }
            if (defined($content)) {
                $headers->{'Content-Length'} = length($content);
            }
@@ -761,6 +766,7 @@ sub proxy_request {
            sslv2 => 0,
            sslv3 => 0,
            verify => 1,
+           ca_path => '/usr/lib/ssl/certs', # to avoid loading the combined CA cert file
            verify_cb => sub {
                my (undef, undef, undef, $depth, undef, undef, $cert) = @_;
                # we don't care about intermediate or root certificates
@@ -845,7 +851,12 @@ sub decode_urlencoded {
            $v = Encode::decode('utf8', $v);
 
            if (defined(my $old = $res->{$k})) {
-               $v = "$old\0$v";
+               if (ref($old) eq 'ARRAY') {
+                   push @$old, $v;
+                   $v = $old;
+               } else {
+                   $v = [$old, $v];
+               }
            }
        }
 
@@ -2001,6 +2012,23 @@ sub new {
            warn "Failed to set TLS 1.3 ciphersuites '$ciphersuites'\n"
                if !Net::SSLeay::CTX_set_ciphersuites($self->{tls_ctx}->{ctx}, $ciphersuites);
        }
+
+       my $opts = Net::SSLeay::CTX_get_options($self->{tls_ctx}->{ctx});
+       my $min_version = Net::SSLeay::TLS1_1_VERSION();
+       my $max_version = Net::SSLeay::TLS1_3_VERSION();
+       if ($opts & &Net::SSLeay::OP_NO_TLSv1_1) {
+           $min_version = Net::SSLeay::TLS1_2_VERSION();
+       }
+       if ($opts & &Net::SSLeay::OP_NO_TLSv1_2) {
+           $min_version = Net::SSLeay::TLS1_3_VERSION();
+       }
+       if ($opts & &Net::SSLeay::OP_NO_TLSv1_3) {
+           die "misconfigured TLS settings - cannot disable all supported TLS versions!\n"
+               if $min_version && $min_version == Net::SSLeay::TLS1_3_VERSION();
+           $max_version = Net::SSLeay::TLS1_2_VERSION();
+       }
+       Net::SSLeay::CTX_set_min_proto_version($self->{tls_ctx}->{ctx}, $min_version) if $min_version;
+       Net::SSLeay::CTX_set_max_proto_version($self->{tls_ctx}->{ctx}, $max_version);
     }
 
     if ($self->{spiceproxy}) {
PVE HTTP Server