Disable TLS 1.0 & 1.1

Xela

Well-Known Member
Oct 12, 2017
Dear Forum

What is the proper way to disable TLS 1.0 & TLS 1.1 for PVEProxy (port 8006) ?

Best regards
 
I'm not sure that there is a solid way to do this, but there is a reliable workaround.
If you install Nginx (a web server), you can make a reverse proxy over a standard HTTP connection. Here is a vhost configuration that should be pretty plug-and-play for the purpose you describe, except that you'd have to connect to the new port instead of 8006 (in this case, I used the standard HTTP port 80):

Code:
server {
    listen 80 default_server;
    server_name _;
    proxy_redirect off;
    location / {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_pass https://127.0.0.1:8006;
        proxy_buffering off;
        client_max_body_size 0;
        proxy_connect_timeout  3600s;
        proxy_read_timeout  3600s;
        proxy_send_timeout  3600s;
        send_timeout  3600s;
    }
}

To be clear, after installing Nginx, you'd need to copy that code into /etc/nginx/sites-enabled/FilenameOfYourChoice.conf.
Also ensure that you have deleted the default configuration located in /etc/nginx/sites-enabled so that the new configuration has full control over port 80.


Hope this helps!
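The vhost above answers the browser on plain HTTP (port 80), so the hop from the client to the proxy is unencrypted even though the goal of the thread is to get rid of weak TLS versions. The following configuration is an added example, not taken from the post above or from the Proxmox project: it has Nginx terminate TLS itself with only TLS 1.2 and 1.3 enabled, redirects port 80 to HTTPS, and proxies to pveproxy on the loopback address. The certificate and key paths under /etc/nginx/ssl/ are placeholders and must be replaced with your own files.

```nginx
# Added example: TLS-terminating reverse proxy in front of pveproxy (port 8006).
# Assumptions (not from the thread): the certificate/key paths below are placeholders.

# Send anything arriving on plain HTTP to HTTPS so the login form never travels in clear text.
server {
    listen 80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl default_server;
    server_name _;

    ssl_certificate     /etc/nginx/ssl/pve-proxy.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/ssl/pve-proxy.key;   # placeholder path

    # Only TLS 1.2 and 1.3 are offered; a TLS 1.0 or 1.1 ClientHello is rejected during the handshake.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_session_timeout 1d;
    ssl_session_cache shared:pve:10m;
    ssl_session_tickets off;

    # Tell browsers to keep using HTTPS for this host.
    add_header Strict-Transport-Security "max-age=63072000" always;

    proxy_redirect off;

    location / {
        # WebSocket upgrade headers keep the noVNC / xterm.js consoles working through the proxy.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        # pveproxy still speaks HTTPS on 8006; Nginx only ever reaches it over loopback.
        proxy_pass https://127.0.0.1:8006;
        proxy_buffering off;
        client_max_body_size 0;
        proxy_connect_timeout 3600s;
        proxy_read_timeout 3600s;
        proxy_send_timeout 3600s;
        send_timeout 3600s;
    }
}
```

Two points matter for this to actually close the gap: pveproxy keeps listening on 8006 on every interface, so restrict 8006 with the host firewall to localhost (and, if needed, your management network), otherwise a client can simply bypass the proxy; and after reloading Nginx, re-run a scanner such as testssl.sh against port 443 to confirm that only TLS 1.2 and 1.3 are reported.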
 
I just recently tested pveproxy with testssl.sh (https://testssl.sh/) and it said that TLS 1.0 and TLS 1.1 are not available (probably due to the cipher list selection in the default config since the last update).

Do you run the latest packages? (pveversion -v)
Where do you see that TLS 1.0/1.1 are still offered?