fix #3789: allow disabling TLS v1.2/v1.3

SSL 2 and 3 are already disabled by default by us, and TLS 1.1 and below
are disabled by default on Debian systems.

requires corresponding patch in pve-manager to have an effect.

Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
Tested-by: Stoiko Ivanov <s.ivanov@proxmox.com>
Reviewed-by: Stoiko Ivanov <s.ivanov@proxmox.com>

diff --git a/src/PVE/APIServer/AnyEvent.pm b/src/PVE/APIServer/AnyEvent.pm
index f6edecebb9233baa4b12bb6621479cd9b8fc7dbc..9a40f31ee5855caf42d0e46e72418bdb58c0ce1b 100644 (file)
--- a/src/PVE/APIServer/AnyEvent.pm
+++ b/src/PVE/APIServer/AnyEvent.pm
@@ -1908,6 +1908,11 @@ sub new {
        if (delete $self->{ssl}->{honor_cipher_order}) {
            $tls_ctx_flags |= &Net::SSLeay::OP_CIPHER_SERVER_PREFERENCE;
        }
+       # workaround until anyevent supports disabling TLS 1.3 directly
+       if (exists($self->{ssl}->{tlsv1_3}) && !$self->{ssl}->{tlsv1_3}) {
+           $tls_ctx_flags |= &Net::SSLeay::OP_NO_TLSv1_3;
+       }
+
 
        $self->{tls_ctx} = AnyEvent::TLS->new(%{$self->{ssl}});
        Net::SSLeay::CTX_set_options($self->{tls_ctx}->{ctx}, $tls_ctx_flags);

diff --git a/src/PVE/APIServer/Utils.pm b/src/PVE/APIServer/Utils.pm
index 2ec2dad01cfa568c6741032e25923b88ddcd9654..5728d97a9babee00c14b2bb67428466058091606 100644 (file)
--- a/src/PVE/APIServer/Utils.pm
+++ b/src/PVE/APIServer/Utils.pm
@@ -24,11 +24,20 @@ sub read_proxy_config {
     $shcmd .= 'echo \"TLS_KEY_FILE:\$TLS_KEY_FILE\";';
     $shcmd .= 'echo \"HONOR_CIPHER_ORDER:\$HONOR_CIPHER_ORDER\";';
     $shcmd .= 'echo \"COMPRESSION:\$COMPRESSION\";';
+    $shcmd .= 'echo \"DISABLE_TLS_1_2:\$DISABLE_TLS_1_2\";';
+    $shcmd .= 'echo \"DISABLE_TLS_1_3:\$DISABLE_TLS_1_3\";';
 
     my $data = -f $conffile ? `bash -c "$shcmd"` : '';
 
     my $res = {};
 
+    my $boolean_options = [
+       'HONOR_CIPHER_ORDER',
+       'COMPRESSION',
+       'DISABLE_TLS_1_2',
+       'DISABLE_TLS_1_3',
+    ];
+
     while ($data =~ s/^(.*)\n//) {
        my ($key, $value) = split(/:/, $1, 2);
        next if !defined($value) || $value eq '';
@@ -56,7 +65,7 @@ sub read_proxy_config {
            $res->{$key} = $value;
        } elsif ($key eq 'TLS_KEY_FILE') {
            $res->{$key} = $value;
-       } elsif ($key eq 'HONOR_CIPHER_ORDER' || $key eq 'COMPRESSION') {
+       } elsif (grep { $key eq $_ } @$boolean_options) {
            die "unknown value '$value' - use 0 or 1\n" if $value !~ m/^(0|1)$/;
            $res->{$key} = $value;
        } else {