pveproxy - Disable weak SSL ciphers?

You can configure the cipher-list used by pveproxy (see https://pve.proxmox.com/pve-docs/pveproxy.8.html) - maybe this helps in your situation?

Do you have a use-case where the SSL_honor_cipher_order would improve security/usability over just being able to specify the ciphers?
 
Hey,

Yeah, thanks for leaving us the possibility to set it within our configuration, it's appreciated.

Typically, with a cipher list as below (the best ones taken from cryptcheck.fr/ciphers):

Code:
CIPHERS="ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256"

... Firefox would still choose the ECDHE-RSA-AES128-GCM-SHA256 one.

I think this case sums up the behavior well: if we want to offer a specific list to ensure compatibility, the most secure one won't be chosen automatically, even if it could be.
The SSL_honor_cipher_order would fix that!
 
Hi over here (and a happy new year to the team). Were you able to discuss this internally on your side? Bye
 
Hi,
Happy new year as well!

Sorry, that got a bit lost - could I ask you to open a feature request at https://bugzilla.proxmox.com?

However - also consider putting a full-fledged https-proxy/server in front of it (nginx, haproxy, ...) - there you usually get all the TLS-knobs should you need them.
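
The reverse-proxy approach suggested above, sketched as an nginx server block that enforces the server's cipher order in front of pveproxy. This is an added example, not configuration from the thread or from Proxmox; the hostname and certificate paths are placeholders, and it assumes pveproxy runs on the same host on its default port 8006.

```nginx
# Added example: nginx terminating TLS in front of pveproxy.
# Assumed/placeholder values: server_name, certificate paths,
# pveproxy reachable at 127.0.0.1:8006.
server {
    listen 443 ssl;
    server_name pve.example.com;                              # placeholder

    ssl_certificate     /etc/nginx/tls/pve.example.com.crt;   # placeholder
    ssl_certificate_key /etc/nginx/tls/pve.example.com.key;   # placeholder

    ssl_protocols TLSv1.2 TLSv1.3;

    # Cipher list from the thread, strongest first. These names apply to
    # TLS 1.2; TLS 1.3 suites are negotiated separately by OpenSSL.
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;

    # The server's order wins over the client's, so a browser that lists
    # AES128-GCM first still gets the first mutually supported entry above.
    ssl_prefer_server_ciphers on;

    location / {
        # Backend certificate is not verified by default (proxy_ssl_verify off),
        # which is acceptable only because the hop stays on loopback.
        proxy_pass https://127.0.0.1:8006;

        # The web console uses WebSockets.
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        proxy_buffering off;
        client_max_body_size 0;       # allow large ISO/template uploads
        proxy_read_timeout 3600s;     # keep long console sessions open
    }
}
```

Direct access to port 8006 should be blocked from outside the host, otherwise clients can bypass the proxy and negotiate with pveproxy's own settings. The negotiated suite can be checked with `openssl s_client -connect <host>:443 -tls1_2` and reading the reported cipher.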
 
