allow to configure cipher list for pveproxy

diff --git a/PVE/APIDaemon.pm b/PVE/APIDaemon.pm
index e123de1367905ca349e620ab4130dcfcaf5aa637..2b12966cc033eec653b2fb6dfd65487d27fd4e4b 100755 (executable)
--- a/PVE/APIDaemon.pm
+++ b/PVE/APIDaemon.pm
@@ -201,6 +201,7 @@ sub read_proxy_config {
     $shcmd .= 'echo \"ALLOW_FROM:\$ALLOW_FROM\";';
     $shcmd .= 'echo \"DENY_FROM:\$DENY_FROM\";';
     $shcmd .= 'echo \"POLICY:\$POLICY\";';
+    $shcmd .= 'echo \"CIPHERS:\$CIPHERS\";';
 
     my $data = -f $conffile ? `bash -c "$shcmd"` : '';
 
@@ -218,6 +219,8 @@ sub read_proxy_config {
        } elsif ($key eq 'POLICY') {
            die "unknown policy '$value'\n" if $value !~ m/^(allow|deny)$/;
            $res->{$key} = $value;
+       } elsif ($key eq 'CIPHERS') {
+           $res->{$key} = $value;
        } else {
            # silently skip everythin else?
        }

diff --git a/bin/pveproxy b/bin/pveproxy
index 0c65030901d12245a4f8b4d0ef7011e7bce9a4d3..d8f8f82e97bae31e8d24263dee4dafe8d22e3d2b 100755 (executable)
--- a/bin/pveproxy
+++ b/bin/pveproxy
@@ -92,7 +92,7 @@ eval {
        logfile => '/var/log/pveproxy/access.log',
        lockfile => $lockfile,
        ssl => {
-           cipher_list => 'HIGH:MEDIUM:!aNULL:!MD5',
+           cipher_list => $proxyconf->{CIPHERS} || 'HIGH:MEDIUM:!aNULL:!MD5',
            key_file => '/etc/pve/local/pve-ssl.key',
            cert_file => '/etc/pve/local/pve-ssl.pem',
        },
@@ -288,6 +288,15 @@ The default policy is 'allow'.
  No match                   | deny        | allow
  Match Both Allow & Deny    | deny        | allow
 
+=head1 SSL Cipher Suite
+
+You can define the chiper list in /etc/default/pveproxy, for example
+
+ CIPHERS="HIGH:MEDIUM:!aNULL:!MD5"
+
+Above is the default. See the ciphers(1) man page from the openssl 
+package for list of all available options.
+
 =head1 FILES
 
  /etc/default/pveproxy