git.proxmox.com Git - pve-http-server.git/commitdiff
Revert "tls: make dh to openssl 1.1 compatible"
author Thomas Lamprecht <t.lamprecht@proxmox.com>
Fri, 25 Oct 2019 15:34:27 +0000 (17:34 +0200)
committer Fabian Grünbichler <f.gruenbichler@proxmox.com>
Mon, 28 Oct 2019 09:26:26 +0000 (10:26 +0100)
The libanyevent-perl version 7.140-3 included a fix for this.
It migrated to the then still testing (buster was not yet released)
on 07.04.2019, and so we can safely revert this workaround again
here.

Albeit this was fixed since Buster was officially released, still
bump the version dependency to libanyevent-perl in debian/control.

A future libanyevent-perl will use "ffdhe3072" for DH; another good
reason to revert this, to not keep hardcoded parameters with possible
(future) security implications here.

[0]: https://tracker.debian.org/news/1037514/libanyevent-perl-7140-3-migrated-to-testing/

This reverts commit ea574439f76bb3914b8b8c0be8e40ee826c95afc.

Signed-off-by: Thomas Lamprecht <t.lamprecht@proxmox.com>
PVE/APIServer/AnyEvent.pm
debian/control

index 9aba27d45037bc0c614dbcefba762aba69e96584..539a15616c6c409005969f462d9881a74ba63254 100644 (file)
@@ -591,9 +591,6 @@ sub proxy_request {
            sslv2 => 0,
            sslv3 => 0,
            verify => 1,
-           # be compatible with openssl 1.1, fix for debian bug #923615
-           # remove once libanyeven-perl with this fix transitions to buster
-           dh => 'schmorp2048',
            verify_cb => sub {
                my (undef, undef, undef, $depth, undef, undef, $cert) = @_;
                # we don't care about intermediate or root certificates
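Review bot: Dropping `dh => 'schmorp2048'` from this TLS option hash in proxy_request leaves no trace in the code that the DH parameters now come from the libanyevent-perl default, and the only guard against the OpenSSL 1.1 incompatibility from debian bug #923615 is the versioned Depends in debian/control. A tree run against an older libanyevent-perl (for example from a git checkout rather than the package) would hit that bug again with no hint as to why. Consider a one-line comment here stating that the DH default is intentionally inherited and requires libanyevent-perl >= 7.140-3, so nobody reintroduces a hardcoded group later.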
index a784039d06dd6be76bf4dbafe42afb53534f9f03..b1409e4b7b5a12f3906245b0e570ba4abd98374e 100644 (file)
@@ -11,7 +11,7 @@ Homepage: https://www.proxmox.com
 Package: libpve-http-server-perl
 Architecture: all
 Depends: libanyevent-http-perl,
-         libanyevent-perl,
+         libanyevent-perl (>= 7.140-3),
          libcrypt-ssleay-perl,
          libhtml-parser-perl,
          libhttp-date-perl,
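Review bot: The new `libanyevent-perl (>= 7.140-3)` constraint is applied only to the runtime Depends of libpve-http-server-perl in this hunk. If libanyevent-perl is also listed in this file's Build-Depends (not visible here), it should carry the same minimum version so build-time tests exercise the same TLS defaults as the installed package. Separately, the commit message defines a footnote "[0]" for the tracker link but never references it in the text; adding the marker next to the 7.140-3 migration sentence would make the source of the date clear.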