Add DHPARAMS option in /etc/default/pveproxy
If set, Diffie-Hellman parameters in PEM format are loaded from the given path. Otherwise, the built-in 'skip2048' group is used. Also fix some typos in the man page. Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
This commit is contained in:
parent
8e0e6561c5
commit
d6f3df4562
@ -210,6 +210,7 @@ sub read_proxy_config {
$shcmd .= 'echo \"DENY_FROM:\$DENY_FROM\";';
$shcmd .= 'echo \"POLICY:\$POLICY\";';
$shcmd .= 'echo \"CIPHERS:\$CIPHERS\";';
$shcmd .= 'echo \"DHPARAMS:\$DHPARAMS\";';
my $data = -f $conffile ? `bash -c "$shcmd"` : '';
@ -230,6 +231,8 @@ sub read_proxy_config {
$res->{$key} = $value;
} elsif ($key eq 'CIPHERS') {
$res->{$key} = $value;
} elsif ($key eq 'DHPARAMS') {
$res->{$key} = $value;
} else {
# silently skip everythin else?
}
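Review bot: The value stored for DHPARAMS at `$res->{$key} = $value;` in the second hunk is never checked to name a readable file, so a typo in /etc/default/pveproxy only surfaces later when the SSL context is built, far from the config line that caused it. A check next to the assignment gives the admin a direct message, e.g. `die "DHPARAMS: file '$value' is not readable\n" if !-r $value;` — or a `warn` if this reader is meant to be lenient about bad values. The shell-echo line in the first hunk and the `elsif` branch here otherwise follow the existing CIPHERS pattern, so the addition itself looks consistent. read_proxy_config starts before the first hunk and ends after the second.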
@ -114,7 +114,6 @@ sub init {
cipher_list => $proxyconf->{CIPHERS} || 'HIGH:MEDIUM:!aNULL:!MD5',
key_file => '/etc/pve/local/pve-ssl.key',
cert_file => '/etc/pve/local/pve-ssl.pem',
dh => 'skip2048',
},
# Note: there is no authentication for those pages and dirs!
pages => {
@ -126,6 +125,12 @@ sub init {
},
dirs => $dirs,
};
if ($proxyconf->{DHPARAMS}) {
$self->{server_config}->{ssl}->{dh_file} = $proxyconf->{DHPARAMS};
} else {
$self->{server_config}->{ssl}->{dh} = 'skip2048';
}
}
sub run {
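Review bot: The new `if ($proxyconf->{DHPARAMS})` block after the `server_config` literal splits the TLS settings across two places, while the neighbouring `cipher_list => $proxyconf->{CIPHERS} || 'HIGH:MEDIUM:!aNULL:!MD5',` keeps its override inline. Folding the choice into the `ssl => { ... }` hash keeps everything in one spot, e.g. `($proxyconf->{DHPARAMS} ? (dh_file => $proxyconf->{DHPARAMS}) : (dh => 'skip2048')),` where the removed `dh => 'skip2048',` used to be. Whether the underlying SSL layer treats `dh_file` and `dh` as mutually exclusive is not visible in this hunk, so a short comment stating that exactly one of them is set would help the next reader, e.g. `# either a PEM file with custom DH parameters or the built-in group, never both`. init starts before the first hunk of this file.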
@ -242,7 +247,7 @@ from file /etc/default/pveproxy. For example:
DENY_FROM="all"
POLICY="allow"
IP addresses can be specified using any syntax understoop by Net::IP. The
IP addresses can be specified using any syntax understood by Net::IP. The
name 'all' is an alias for '0/0'.
The default policy is 'allow'.
@ -256,12 +261,25 @@ The default policy is 'allow'.
=head1 SSL Cipher Suite
You can define the chiper list in /etc/default/pveproxy, for example
You can define the cipher list in /etc/default/pveproxy, for example
CIPHERS="HIGH:MEDIUM:!aNULL:!MD5"
Above is the default. See the ciphers(1) man page from the openssl
package for list of all available options.
package for a list of all available options.
=head1 Diffie-Hellman Parameters
You can define the used Diffie-Hellman parameters in /etc/default/pveproxy
by setting DHPARAMS to the path of a file containing DH parameters in PEM
format, for example
DHPARAMS="/path/to/dhparams.pem"
If this option is not set, the built-in 'skip2048' parameters will be used.
Note: DH parameters are only used if a cipher suite utilizing the DH key
exchange algorithm is negotiated.
=head1 FILES