like the TLS <= 1.2 cipher list, but needs a different option since the
format and values are incompatible. AnyEvent doesn't yet handle this
directly like the cipher list, so set it directly on the context.
This requires a corresponding patch in pve-manager (which reads the config and
passes the relevant parts back to the API server).
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Tested-by: Stoiko Ivanov <s.ivanov@proxmox.com>
Reviewed-by: Stoiko Ivanov <s.ivanov@proxmox.com>
honor_cipher_order => 1,
};
+ # workaround until anyevent supports TLS 1.3 ciphersuites directly
+ my $ciphersuites = delete $self->{ssl}->{ciphersuites};
+
foreach my $k (keys %$ssl_defaults) {
$self->{ssl}->{$k} //= $ssl_defaults->{$k};
}
$self->{tls_ctx} = AnyEvent::TLS->new(%{$self->{ssl}});
Net::SSLeay::CTX_set_options($self->{tls_ctx}->{ctx}, $tls_ctx_flags);
+ Net::SSLeay::CTX_set_ciphersuites($self->{tls_ctx}->{ctx}, $ciphersuites) if defined($ciphersuites);
}
if ($self->{spiceproxy}) {
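Review bot: The return value of `Net::SSLeay::CTX_set_ciphersuites` on the last added line is ignored, so a list that OpenSSL rejects would leave the context on its default TLS 1.3 suites without any error (the underlying SSL_CTX_set_ciphersuites returns 1 on success and 0 on failure). The config parser in the later hunk stores CIPHERSUITES as-is, so this call appears to be the only place where a typo or an unsupported suite name can be detected. Consider failing loudly instead: `if (defined($ciphersuites)) {` `Net::SSLeay::CTX_set_ciphersuites($self->{tls_ctx}->{ctx}, $ciphersuites) or die "invalid TLS 1.3 ciphersuites '$ciphersuites'\n";` `}`. The enclosing sub starts and ends outside the hunk, so whether `die` or a logged warning fits the startup path needs checking against the caller.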
$shcmd .= 'echo \"DENY_FROM:\$DENY_FROM\";';
$shcmd .= 'echo \"POLICY:\$POLICY\";';
$shcmd .= 'echo \"CIPHERS:\$CIPHERS\";';
+ $shcmd .= 'echo \"CIPHERSUITES:\$CIPHERSUITES\";';
$shcmd .= 'echo \"DHPARAMS:\$DHPARAMS\";';
$shcmd .= 'echo \"HONOR_CIPHER_ORDER:\$HONOR_CIPHER_ORDER\";';
$shcmd .= 'echo \"COMPRESSION:\$COMPRESSION\";';
$res->{$key} = $value;
} elsif ($key eq 'CIPHERS') {
$res->{$key} = $value;
+ } elsif ($key eq 'CIPHERSUITES') {
+ $res->{$key} = $value;
} elsif ($key eq 'DHPARAMS') {
$res->{$key} = $value;
} elsif ($key eq 'HONOR_CIPHER_ORDER' || $key eq 'COMPRESSION') {
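Review bot: The new `CIPHERSUITES` branch has no comment saying that it covers TLS 1.3 only while `CIPHERS` covers TLS <= 1.2, a distinction that is easy to miss when hardening the proxy. An administrator who tightens only `CIPHERS` still gets the default TLS 1.3 suites. I would add a comment above the branch such as `# TLS 1.3 ciphersuites (separate OpenSSL list format); CIPHERS only affects TLS <= 1.2`. The elsif chain starts and ends outside the hunk.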