There are currently 3 slightly different implementations of the openssl verify callback in place. They differ in how an explicit fingerprint would be checked:
* pbs-client: if verification was on, a valid certificate would trump a wrong explicit fingerprint
* proxmox-websocket-tunnel: if an explicit fingerprint was given, it was checked, regardless of the openssl result
* proxmox-client: the openssl validity had priority as in pbs-client, but the fingerprint was not checked against the leaf certificate, but against all certificates in the chain (which would lead to false negatives). Note that this is currently only used in PDM

This series aims to unify the general behavior, but design the interface to be flexible enough to accommodate the different call sites' needs.

I included the change of features for crates, but they have to be bumped beforehand of course and the version must be changed in Cargo.toml. (if I should send that differently, please do tell how it should be done)

Since that is technically a breaking change for PBS, we should only change that for the next major release. Also, since it is rather deep in the stack for PBS (remotes sync, etc.) and PVE (remote migration) IMHO this is a series that should be tested very well.

Further work could be to unify this behavior for our perl clients too, but it seemed out of scope for this series. (notably the PVE::APIClient and the client used in the SDN code)

I tried to implement some tests, but due to the openssl interface this seems to be not really possible, except if we'd start a server + client in the tests (which seems overkill). But if anyone has an idea how we could test this code (and I mean not only its interface, but the openssl connection behavior), I'd be glad.
changes from v1:
* rebase on master (drops one patch)
* drop hex dependency

proxmox:

Dominik Csapak (2):
  http: factor out openssl verification callback
  client: use proxmox-http's openssl verification callback

 Cargo.toml                   |  1 +
 proxmox-client/Cargo.toml    |  2 +-
 proxmox-client/src/client.rs | 48 ++++----------------
 proxmox-http/Cargo.toml      |  5 +++
 proxmox-http/src/lib.rs      |  5 +++
 proxmox-http/src/tls.rs      | 84 ++++++++++++++++++++++++++++++++++++
 proxmox-openid/Cargo.toml    |  2 +-
 7 files changed, 105 insertions(+), 42 deletions(-)
 create mode 100644 proxmox-http/src/tls.rs

proxmox-backup:

Dominik Csapak (1):
  pbs-client: use proxmox-https openssl callback

 Cargo.toml                    |   2 +-
 pbs-client/src/http_client.rs | 151 ++++++++++++++-------------------
 2 files changed, 62 insertions(+), 91 deletions(-)

proxmox-websocket-tunnel:

Dominik Csapak (1):
  use proxmox-http's openssl callback

 Cargo.toml  |  3 +--
 src/main.rs | 67 +++++++++++++++++++++-------------------------
 2 files changed, 28 insertions(+), 42 deletions(-)

Summary over all repositories:
  11 files changed, 195 insertions(+), 175 deletions(-)

--
Generated by git-murpp 0.8.1

_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
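The three verify-callback behaviours the cover letter lists, modelled side by side as an added example. This is not code from proxmox-http, pbs-client, proxmox-client or proxmox-websocket-tunnel, and it does no real TLS: `Policy`, `VerifyCall`, `verify_one` and `verify_chain` are assumed names, the fingerprints are constructed strings standing in for the SHA-256 of each certificate, and `preverify_ok` is simplified to one trust verdict applied at every depth of the chain. It reproduces the two observations from the cover letter: under the pbs-client rule a chain openssl accepts is taken even when the pinned fingerprint is wrong, and under the proxmox-client rule a correctly pinned leaf is rejected because the intermediate certificate does not match the pin.

```rust
// Added example, not project code: a model of the three openssl verify-callback
// policies described in the cover letter. Names are assumptions; fingerprints are
// constructed hex strings standing in for certificate SHA-256 digests.

/// Which call site's pre-series behaviour to emulate.
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub enum Policy {
    /// pbs-client: a chain that openssl accepts trumps a wrong explicit fingerprint.
    PbsClient,
    /// proxmox-websocket-tunnel: an explicit fingerprint is checked against the
    /// leaf regardless of the openssl result.
    WebsocketTunnel,
    /// proxmox-client: openssl result has priority as in pbs-client, but the
    /// fingerprint is compared against every certificate in the chain, not only
    /// the leaf, which yields false negatives for chains longer than one.
    ProxmoxClient,
}

/// One invocation of the verify callback. openssl calls it once per certificate,
/// from the topmost issuer down to the leaf, which sits at `depth == 0`.
#[derive(Debug)]
pub struct VerifyCall<'a> {
    /// openssl's own verdict for this certificate (simplified: the same value is
    /// used at every depth; real openssl reports errors at the depth they occur).
    pub preverify_ok: bool,
    /// Position in the chain: 0 is the server (leaf) certificate.
    pub depth: usize,
    /// Fingerprint of the certificate currently being inspected.
    pub fingerprint: &'a str,
}

/// Decision for a single callback invocation under the given policy.
/// `expected` is the explicitly configured fingerprint, if any.
pub fn verify_one(policy: Policy, expected: Option<&str>, call: &VerifyCall) -> bool {
    match (policy, expected) {
        // No pinned fingerprint: every policy defers to openssl.
        (_, None) => call.preverify_ok,

        // Tunnel: the pin decides. Issuer certificates are waved through so that
        // the leaf comparison is the only thing that matters.
        (Policy::WebsocketTunnel, Some(fp)) => call.depth != 0 || call.fingerprint == fp,

        // pbs-client: openssl's "ok" wins even if the pin does not match; the pin
        // is only consulted (for the leaf) once openssl has rejected the chain.
        (Policy::PbsClient, Some(fp)) => {
            call.preverify_ok || call.depth != 0 || call.fingerprint == fp
        }

        // proxmox-client: like pbs-client but without the depth check, so an
        // issuer certificate is also required to match the pinned fingerprint.
        (Policy::ProxmoxClient, Some(fp)) => call.preverify_ok || call.fingerprint == fp,
    }
}

/// Run the callback over a whole chain. As with openssl, the first `false`
/// aborts verification.
pub fn verify_chain(policy: Policy, expected: Option<&str>, chain: &[VerifyCall]) -> bool {
    chain.iter().all(|call| verify_one(policy, expected, call))
}

/// Constructed fingerprints for a two-certificate chain (intermediate CA + leaf).
pub const INTERMEDIATE_FP: &str = "11:11:11:11:11:11:11:11:11:11:11:11:11:11:11:11";
pub const LEAF_FP: &str = "aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99";
pub const WRONG_FP: &str = "ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff";

/// The callback sequence openssl would produce for the two-cert chain, with
/// `trusted` standing in for whether the chain validates against the CA store.
pub fn chain(trusted: bool) -> [VerifyCall<'static>; 2] {
    [
        VerifyCall { preverify_ok: trusted, depth: 1, fingerprint: INTERMEDIATE_FP },
        VerifyCall { preverify_ok: trusted, depth: 0, fingerprint: LEAF_FP },
    ]
}

fn main() {
    for policy in [Policy::PbsClient, Policy::WebsocketTunnel, Policy::ProxmoxClient]
        .iter()
        .copied()
    {
        println!(
            "{:?}: trusted chain + wrong pin -> {}, untrusted chain + correct pin -> {}",
            policy,
            verify_chain(policy, Some(WRONG_FP), &chain(true)),
            verify_chain(policy, Some(LEAF_FP), &chain(false)),
        );
    }
}
```

The `depth != 0` short-circuit is what separates the tunnel and pbs-client rules from the proxmox-client rule: a pinned fingerprint can only ever match one certificate, so any policy that compares it at every depth fails as soon as the server presents an intermediate. The other divergence, whether `preverify_ok` may override a mismatching pin, is the one that decides whether an explicit fingerprint is a hard requirement or merely a fallback.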