From e90224850758bcce41e2fe6eac671eab518f558d Mon Sep 17 00:00:00 2001
From: =?utf8?q?Fabian=20Gr=C3=BCnbichler?=
Date: Fri, 17 Dec 2021 13:57:29 +0100
Subject: [PATCH] fix #3789: allow disabling TLS v1.2/v1.3
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

SSL 2 and 3 are already disabled by default by us, and TLS 1.1 and below are disabled by default on Debian systems.

requires corresponding patch in pve-manager to have an effect.

Signed-off-by: Fabian Grünbichler
Tested-by: Stoiko Ivanov
Reviewed-by: Stoiko Ivanov
---
 src/PVE/APIServer/AnyEvent.pm | 5 +++++
 src/PVE/APIServer/Utils.pm | 11 ++++++++++-
 2 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/src/PVE/APIServer/AnyEvent.pm b/src/PVE/APIServer/AnyEvent.pm
index f6edece..9a40f31 100644
--- a/src/PVE/APIServer/AnyEvent.pm
+++ b/src/PVE/APIServer/AnyEvent.pm
@@ -1908,6 +1908,11 @@ sub new {
     if (delete $self->{ssl}->{honor_cipher_order}) {
         $tls_ctx_flags |= &Net::SSLeay::OP_CIPHER_SERVER_PREFERENCE;
     }
+    # workaround until anyevent supports disabling TLS 1.3 directly
+    if (exists($self->{ssl}->{tlsv1_3}) && !$self->{ssl}->{tlsv1_3}) {
+        $tls_ctx_flags |= &Net::SSLeay::OP_NO_TLSv1_3;
+    }
+
     $self->{tls_ctx} = AnyEvent::TLS->new(%{$self->{ssl}});
     Net::SSLeay::CTX_set_options($self->{tls_ctx}->{ctx}, $tls_ctx_flags);
diff --git a/src/PVE/APIServer/Utils.pm b/src/PVE/APIServer/Utils.pm
index 2ec2dad..5728d97 100644
--- a/src/PVE/APIServer/Utils.pm
+++ b/src/PVE/APIServer/Utils.pm
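Review bot: Nothing in the added block prevents a configuration that turns off both TLS 1.2 and TLS 1.3: the commit message says everything below 1.2 is already disabled, and read_proxy_config in the Utils.pm hunks accepts DISABLE_TLS_1_2 and DISABLE_TLS_1_3 independently, so such a config would leave the listener with no negotiable protocol version and the failure would only surface as handshake errors at connect time. Assuming pve-manager passes TLS 1.2 through as a `tlsv1_2` key in `$self->{ssl}` the same way this hunk expects `tlsv1_3` (not visible here), a startup guard such as `die "cannot disable both TLS 1.2 and TLS 1.3\n" if exists($self->{ssl}->{tlsv1_2}) && !$self->{ssl}->{tlsv1_2} && exists($self->{ssl}->{tlsv1_3}) && !$self->{ssl}->{tlsv1_3};` placed before the new `if` would fail early with a clear message. Unlike `honor_cipher_order`, which is `delete`d before the hash is handed to `AnyEvent::TLS->new(%{$self->{ssl}})`, the `tlsv1_3` key is left in place; the comment could state whether that pass-through is intended for AnyEvent versions that understand the option, since the current wording only calls it a workaround. sub new starts and ends outside the hunk.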
@@ -24,11 +24,20 @@ sub read_proxy_config {
     $shcmd .= 'echo \"TLS_KEY_FILE:\$TLS_KEY_FILE\";';
     $shcmd .= 'echo \"HONOR_CIPHER_ORDER:\$HONOR_CIPHER_ORDER\";';
     $shcmd .= 'echo \"COMPRESSION:\$COMPRESSION\";';
+    $shcmd .= 'echo \"DISABLE_TLS_1_2:\$DISABLE_TLS_1_2\";';
+    $shcmd .= 'echo \"DISABLE_TLS_1_3:\$DISABLE_TLS_1_3\";';
     my $data = -f $conffile ? `bash -c "$shcmd"` : '';
     my $res = {};
+    my $boolean_options = [
+        'HONOR_CIPHER_ORDER',
+        'COMPRESSION',
+        'DISABLE_TLS_1_2',
+        'DISABLE_TLS_1_3',
+    ];
+
     while ($data =~ s/^(.*)\n//) {
         my ($key, $value) = split(/:/, $1, 2);
         next if !defined($value) || $value eq '';
@@ -56,7 +65,7 @@ sub read_proxy_config {
             $res->{$key} = $value;
         } elsif ($key eq 'TLS_KEY_FILE') {
             $res->{$key} = $value;
-        } elsif ($key eq 'HONOR_CIPHER_ORDER' || $key eq 'COMPRESSION') {
+        } elsif (grep { $key eq $_ } @$boolean_options) {
             die "unknown value '$value' - use 0 or 1\n" if $value !~ m/^(0|1)$/;
             $res->{$key} = $value;
         } else {
-- 
2.39.5
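Review bot: The `$boolean_options` arrayref introduced in the first hunk is consumed only by the `grep { $key eq $_ } @$boolean_options` test in the second hunk, which scans the whole list for every parsed line; a hash keyed by option name, `my $boolean_options = { map { $_ => 1 } qw(HONOR_CIPHER_ORDER COMPRESSION DISABLE_TLS_1_2 DISABLE_TLS_1_3) };` together with `} elsif ($boolean_options->{$key}) {` in the second hunk, is the usual Perl membership idiom and reads as a lookup rather than a search. A short comment above the list, e.g. `# options that must be exactly 0 or 1; the DISABLE_TLS_* keys are expected to be turned into AnyEvent::TLS protocol options by the pve-manager caller`, would also tie the new keys to their consumer, since the commit message says they have no effect without a separate pve-manager change. read_proxy_config starts before the first hunk and continues past the second.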