pveproxy - Disable weak SSL ciphers?

You can configure the cipher-list used by pveproxy (see https://pve.proxmox.com/pve-docs/pveproxy.8.html) - maybe this helps in your situation?

Do you have a use-case where the SSL_honor_cipher_order would improve security/usability over just being able to specify the ciphers?
 
Hey,

Yeah, thanks for leaving the possibility to set it within our configuration, it's appreciated.

Typically, with a cipher list as below (the best ones taken from cryptcheck.fr/ciphers):

Code:
CIPHERS="ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"

... Firefox would still choose the ECDHE-RSA-AES128-GCM-SHA256 one.

I think this case sums up the behavior well: if we want to offer a specific list to ensure compatibility, the most secure one won't be chosen automatically, even if it could be.
The SSL_honor_cipher_order would fix that!
 
Hi over here (and a happy new year to the team). Were you able to discuss this internally on your side? Bye
 
Hi,
Happy new year as well!

Sorry that got a bit lost - could I ask you to open a feature request at https://bugzilla.proxmox.com?

However - also consider putting a full-fledged https-proxy/server in front of it (nginx, haproxy, ...) - there you usually get all the TLS-knobs should you need them.
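
The reverse-proxy approach suggested in the last reply, as an added example that is not part of the original thread: an nginx server block that terminates TLS with the cipher list posted above and enforces the server's order. The hostname and certificate paths are placeholders, and the upstream assumes pveproxy on its default port 8006 on the same host.

```nginx
# Added example, not from the thread. Hostname and certificate paths are placeholders.
server {
    listen 443 ssl;
    server_name pve.example.com;                              # placeholder

    ssl_certificate     /etc/nginx/tls/pve.example.com.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/pve.example.com.key;   # placeholder path

    ssl_protocols TLSv1.2 TLSv1.3;

    # Same list as posted in the thread, strongest first.
    # ssl_ciphers governs TLS 1.2 and below; TLS 1.3 suites are negotiated separately.
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;

    # Pick the first cipher in the server's list that the client also offers,
    # instead of following the client's preference order.
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass https://127.0.0.1:8006;        # pveproxy, default port (assumed local)
        proxy_http_version 1.1;                   # needed for WebSocket consoles
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_buffering off;
    }
}
```

Clients that reach port 8006 directly still negotiate with pveproxy's own settings, so restrict that port to the proxy if the cipher order matters. The negotiated suite can be checked with `openssl s_client -connect pve.example.com:443 -tls1_2`, which reports it in its "Cipher is" line.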