config: add tls ciphers to NodeConfig
for TLS 1.3 and for TLS <= 1.2 Signed-off-by: Hannes Laimer <h.laimer@proxmox.com>
This commit is contained in:
Hannes Laimer
Fabian Grünbichler
parent
8ad9eb779e
commit
1ec7f7e6f2
|
|
@ -99,6 +99,20 @@ mod local_macros {
|
|||
macro_rules! DNS_ALIAS_NAME {
|
||||
() => (concat!(r"(?:(?:", DNS_ALIAS_LABEL!() , r"\.)*", DNS_ALIAS_LABEL!(), ")"))
|
||||
}
|
||||
macro_rules! OPENSSL_CIPHERSUITE_RE {
|
||||
() => (
|
||||
r"TLS_AES_256_GCM_SHA384|TLS_CHACHA20_POLY1305_SHA256|TLS_AES_128_GCM_SHA256|TLS_AES_128_CCM_8_SHA256|TLS_AES_128_CCM_SHA256"
|
||||
)
|
||||
}
|
||||
macro_rules! OPENSSL_CIPHER_STRING_RE {
|
||||
() => (concat!(
|
||||
r"([!\-+]?(COMPLEMENTOFDEFAULT|ALL|COMPLEMENTOFALL|HIGH|MEDIUM|LOW|[ae]?NULL|[ka]?RSA|",
|
||||
"kDH[rdE]?|kEDH|DHE?|EDH|ADH|kEECDH|kECDHE|ECDH|ECDHE|EECDH|AECDH|a?DSS|aDH|a?ECDSA|",
|
||||
"SSLv3|AES(128|256)?|GCM|AESGCM|AESCCM|AESCCM8|ARIA(128|256)?|CAMELLIA(128|256)?|",
|
||||
"CHACHA20|3?DES|RC[24]|IDEA|SEED|MD5|SHA(1|256|384)?|aGOST(01)?|kGOST|GOST94|GOST89MAC|",
|
||||
"[ak]?PSK|kECDHEPSK|kDHEPSK|kRSAPSK|SUITEB(128|128ONLY|192)?|CBC3?|POLY1305))+"
|
||||
))
|
||||
}
|
||||
}
|
||||
|
||||
const_regex! {
|
||||
|
|
@ -123,6 +137,22 @@ const_regex! {
|
|||
|
||||
pub FINGERPRINT_SHA256_REGEX = r"^(?:[0-9a-fA-F][0-9a-fA-F])(?::[0-9a-fA-F][0-9a-fA-F]){31}$";
|
||||
|
||||
pub OPENSSL_CIPHERS_TLS_1_2_REGEX = concat!(
|
||||
r"^((",
|
||||
OPENSSL_CIPHER_STRING_RE!(),
|
||||
")([: ,](",
|
||||
OPENSSL_CIPHER_STRING_RE!(),
|
||||
"))*)$"
|
||||
);
|
||||
|
||||
pub OPENSSL_CIPHERS_TLS_1_3_REGEX = concat!(
|
||||
r"^((",
|
||||
OPENSSL_CIPHERSUITE_RE!(),
|
||||
")(:(",
|
||||
OPENSSL_CIPHERSUITE_RE!(),
|
||||
"))*)$"
|
||||
);
|
||||
|
||||
/// Regex for safe identifiers.
|
||||
///
|
||||
/// This
|
||||
|
|
@ -159,6 +189,9 @@ pub const BLOCKDEVICE_NAME_FORMAT: ApiStringFormat = ApiStringFormat::Pattern(&B
|
|||
pub const SUBSCRIPTION_KEY_FORMAT: ApiStringFormat = ApiStringFormat::Pattern(&SUBSCRIPTION_KEY_REGEX);
|
||||
pub const SYSTEMD_DATETIME_FORMAT: ApiStringFormat = ApiStringFormat::Pattern(&SYSTEMD_DATETIME_REGEX);
|
||||
pub const HOSTNAME_FORMAT: ApiStringFormat = ApiStringFormat::Pattern(&HOSTNAME_REGEX);
|
||||
pub const OPENSSL_CIPHERS_TLS_1_2_FORMAT: ApiStringFormat = ApiStringFormat::Pattern(&OPENSSL_CIPHERS_TLS_1_2_REGEX);
|
||||
pub const OPENSSL_CIPHERS_TLS_1_3_FORMAT: ApiStringFormat = ApiStringFormat::Pattern(&OPENSSL_CIPHERS_TLS_1_3_REGEX);
|
||||
|
||||
|
||||
pub const DNS_ALIAS_FORMAT: ApiStringFormat =
|
||||
ApiStringFormat::Pattern(&DNS_ALIAS_REGEX);
|
||||
|
|
@ -188,6 +221,14 @@ pub const HOSTNAME_SCHEMA: Schema = StringSchema::new("Hostname (as defined in R
|
|||
.format(&HOSTNAME_FORMAT)
|
||||
.schema();
|
||||
|
||||
pub const OPENSSL_CIPHERS_TLS_1_2_SCHEMA: Schema = StringSchema::new("OpenSSL cipher string list used by the proxy for TLS <= 1.2")
|
||||
.format(&OPENSSL_CIPHERS_TLS_1_2_FORMAT)
|
||||
.schema();
|
||||
|
||||
pub const OPENSSL_CIPHERS_TLS_1_3_SCHEMA: Schema = StringSchema::new("OpenSSL ciphersuites list used by the proxy for TLSv1.3")
|
||||
.format(&OPENSSL_CIPHERS_TLS_1_3_FORMAT)
|
||||
.schema();
|
||||
|
||||
pub const DNS_NAME_FORMAT: ApiStringFormat =
|
||||
ApiStringFormat::Pattern(&DNS_NAME_REGEX);
|
||||
|
||||
|
|
|
|||
|
|
@ -1,5 +1,6 @@
|
|||
use std::collections::HashSet;
|
||||
|
||||
use openssl::ssl::{SslAcceptor, SslMethod};
|
||||
use anyhow::{bail, Error};
|
||||
use serde::{Deserialize, Serialize};
|
||||
|
||||
|
|
@ -7,7 +8,7 @@ use proxmox_schema::{api, ApiStringFormat, ApiType, Updater};
|
|||
|
||||
use proxmox_http::ProxyConfig;
|
||||
|
||||
use pbs_api_types::EMAIL_SCHEMA;
|
||||
use pbs_api_types::{EMAIL_SCHEMA, OPENSSL_CIPHERS_TLS_1_2_SCHEMA, OPENSSL_CIPHERS_TLS_1_3_SCHEMA};
|
||||
use pbs_buildcfg::configdir;
|
||||
use pbs_config::{open_backup_lockfile, BackupLockGuard};
|
||||
|
||||
|
|
@ -91,6 +92,14 @@ pub struct AcmeConfig {
|
|||
schema: EMAIL_SCHEMA,
|
||||
optional: true,
|
||||
},
|
||||
"ciphers-tls13": {
|
||||
schema: OPENSSL_CIPHERS_TLS_1_3_SCHEMA,
|
||||
optional: true,
|
||||
},
|
||||
"ciphers-tls12": {
|
||||
schema: OPENSSL_CIPHERS_TLS_1_2_SCHEMA,
|
||||
optional: true,
|
||||
},
|
||||
},
|
||||
)]
|
||||
#[derive(Deserialize, Serialize, Updater)]
|
||||
|
|
@ -121,6 +130,14 @@ pub struct NodeConfig {
|
|||
|
||||
#[serde(skip_serializing_if = "Option::is_none")]
|
||||
pub email_from: Option<String>,
|
||||
|
||||
/// List of SSL ciphers for tls 1.3 that will be used by the proxy. (Proxy has to be restarted for changes to take effect)
|
||||
#[serde(skip_serializing_if = "Option::is_none")]
|
||||
pub ciphers_tls13: Option<String>,
|
||||
|
||||
/// List of SSL ciphers for tls <= 1.2 that will be used by the proxy. (Proxy has to be restarted for changes to take effect)
|
||||
#[serde(skip_serializing_if = "Option::is_none")]
|
||||
pub ciphers_tls12: Option<String>,
|
||||
}
|
||||
|
||||
impl NodeConfig {
|
||||
|
|
@ -172,6 +189,13 @@ impl NodeConfig {
|
|||
bail!("duplicate domain '{}' in ACME config", domain.domain);
|
||||
}
|
||||
}
|
||||
let mut dummy_acceptor = SslAcceptor::mozilla_intermediate_v5(SslMethod::tls()).unwrap();
|
||||
if let Some(ciphers) = self.ciphers_tls13.as_deref() {
|
||||
dummy_acceptor.set_ciphersuites(ciphers)?;
|
||||
}
|
||||
if let Some(ciphers) = self.ciphers_tls12.as_deref() {
|
||||
dummy_acceptor.set_cipher_list(ciphers)?;
|
||||
}
|
||||
|
||||
Ok(())
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue