$shcmd .= 'echo \"ALLOW_FROM:\$ALLOW_FROM\";';
$shcmd .= 'echo \"DENY_FROM:\$DENY_FROM\";';
$shcmd .= 'echo \"POLICY:\$POLICY\";';
+ $shcmd .= 'echo \"CIPHERS:\$CIPHERS\";';
my $data = -f $conffile ? `bash -c "$shcmd"` : '';
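Review bot: The value printed by the added `CIPHERS:` echo itself contains colons (the documented default is `HIGH:MEDIUM:!aNULL:!MD5`), so the code that splits the `KEY:value` output lines has to cut at the first colon only. That parsing loop is outside this hunk and should be checked. If it splits on every colon, the cipher list would presumably be shortened to its first element without any error. A comment above the echo lines such as `# values may contain ':' - the parser must split on the first one only` would record the assumption.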
} elsif ($key eq 'POLICY') {
die "unknown policy '$value'\n" if $value !~ m/^(allow|deny)$/;
$res->{$key} = $value;
+ } elsif ($key eq 'CIPHERS') {
+ $res->{$key} = $value;
} else {
# silently skip everythin else?
}
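Review bot: The new `CIPHERS` branch stores `$value` unchecked, while the `POLICY` branch directly above rejects unexpected input with `die`. A mistyped list in the config file would then surface only when the TLS context is built, and a valid but weaker list would not surface at all. A character check in the same style catches malformed input at parse time: `die "invalid cipher list '$value'\n" if $value !~ m/^[A-Za-z0-9_:,!+\-\@=]+$/;` (extend the class if space-separated lists should be accepted). The enclosing if/elsif chain starts outside the hunk.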
logfile => '/var/log/pveproxy/access.log',
lockfile => $lockfile,
ssl => {
- cipher_list => 'HIGH:MEDIUM:!aNULL:!MD5',
+ cipher_list => $proxyconf->{CIPHERS} || 'HIGH:MEDIUM:!aNULL:!MD5',
key_file => '/etc/pve/local/pve-ssl.key',
cert_file => '/etc/pve/local/pve-ssl.pem',
},
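Review bot: With `$proxyconf->{CIPHERS} || 'HIGH:MEDIUM:!aNULL:!MD5'` a configured value replaces the built-in list completely, so the `!aNULL:!MD5` exclusions are lost unless the administrator repeats them. A broad setting such as `CIPHERS="ALL"` could then let the proxy offer anonymous suites. Either keep the exclusions unconditional, e.g. `cipher_list => join(':', $proxyconf->{CIPHERS} || 'HIGH:MEDIUM', '!aNULL', '!MD5'),`, or state in the new POD section that the value is used verbatim and must carry its own exclusions. The surrounding hash literal starts and ends outside the hunk.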
No match | deny | allow
Match Both Allow & Deny | deny | allow
+=head1 SSL Cipher Suite
+
+You can define the chiper list in /etc/default/pveproxy, for example
+
+ CIPHERS="HIGH:MEDIUM:!aNULL:!MD5"
+
+Above is the default. See the ciphers(1) man page from the openssl
+package for list of all available options.
+
=head1 FILES
/etc/default/pveproxy
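Review bot: "chiper" in the first sentence of the added POD section should read "cipher", and "for list of" reads better as "for a list of". This text is rendered into the man page, so it is worth fixing before merge: `You can define the cipher list in /etc/default/pveproxy, for example`.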