Commit 787217cd authored by Dietmar Maurer's avatar Dietmar Maurer

allow to configure cipher list for pveproxy

parent d7644255
......@@ -201,6 +201,7 @@ sub read_proxy_config {
$shcmd .= 'echo \"ALLOW_FROM:\$ALLOW_FROM\";';
$shcmd .= 'echo \"DENY_FROM:\$DENY_FROM\";';
$shcmd .= 'echo \"POLICY:\$POLICY\";';
$shcmd .= 'echo \"CIPHERS:\$CIPHERS\";';
my $data = -f $conffile ? `bash -c "$shcmd"` : '';
......@@ -218,6 +219,8 @@ sub read_proxy_config {
} elsif ($key eq 'POLICY') {
die "unknown policy '$value'\n" if $value !~ m/^(allow|deny)$/;
$res->{$key} = $value;
} elsif ($key eq 'CIPHERS') {
$res->{$key} = $value;
} else {
# silently skip everythin else?
}
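Review bot: The new `CIPHERS` branch stores `$value` without any check, while the `POLICY` branch just above rejects unexpected values with a clear `die`; a typo in /etc/default/pveproxy would presumably only surface later, when the TLS context is built. A syntactic check in the same style would fail early, for example `die "invalid cipher list '$value'\n" if $value !~ m/^[A-Za-z0-9:!+\-\@=_]+$/;` (confirm the permitted character set against ciphers(1) before adopting it). Cipher strings contain colons, and the code that splits each `KEY:value` line lies outside these hunks, so it is worth confirming that it keeps everything after the first colon; this also concerns the `echo \"CIPHERS:\$CIPHERS\"` line added in the first hunk. `read_proxy_config` starts and ends outside the hunks.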
......
......@@ -92,7 +92,7 @@ eval {
logfile => '/var/log/pveproxy/access.log',
lockfile => $lockfile,
ssl => {
cipher_list => 'HIGH:MEDIUM:!aNULL:!MD5',
cipher_list => $proxyconf->{CIPHERS} || 'HIGH:MEDIUM:!aNULL:!MD5',
key_file => '/etc/pve/local/pve-ssl.key',
cert_file => '/etc/pve/local/pve-ssl.pem',
},
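Review bot: The new `cipher_list` line passes the administrator's string through as-is and nothing visible in this `ssl` hash enforces server-side cipher preference, so a client may still be able to negotiate the weakest suite the list permits. If the TLS layer in use offers a server-preference setting, consider exposing it next to `CIPHERS`; otherwise the POD should say that the list restricts what may be negotiated but does not order it. Because of the `||` fallback, an empty `CIPHERS=""` silently selects the default, which still admits MEDIUM-strength suites; a comment such as `# empty or unset CIPHERS falls back to the built-in default` would make that explicit. The enclosing `eval {` block starts and ends outside the hunk.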
......@@ -288,6 +288,15 @@ The default policy is 'allow'.
No match | deny | allow
Match Both Allow & Deny | deny | allow
=head1 SSL Cipher Suite
You can define the chiper list in /etc/default/pveproxy, for example
CIPHERS="HIGH:MEDIUM:!aNULL:!MD5"
Above is the default. See the ciphers(1) man page from the openssl
package for list of all available options.
=head1 FILES
/etc/default/pveproxy
......