tiny nit inline: On Fri, 17 Dec 2021 13:57:33 +0100 Fabian Grünbichler <f.gruenbich...@proxmox.com> wrote:
> Signed-off-by: Fabian Grünbichler <f.gruenbich...@proxmox.com> > --- > pveproxy.adoc | 30 +++++++++++++++++++++++++++++- > 1 file changed, 29 insertions(+), 1 deletion(-) > > diff --git a/pveproxy.adoc b/pveproxy.adoc > index 4696d66..8fc6195 100644 > --- a/pveproxy.adoc > +++ b/pveproxy.adoc > @@ -117,9 +117,11 @@ effect. > SSL Cipher Suite > ---------------- > > -You can define the cipher list in `/etc/default/pveproxy`, for example > +You can define the cipher list in `/etc/default/pveproxy` via the `CIPHERS` > +(TLS <= 1.2) and `CIPHERSUITES` (TLS >= 1.3) keys. For example > > > CIPHERS="ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256" > + > CIPHERSUITES="TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256" > > Above is the default. See the ciphers(1) man page from the openssl > package for a list of all available options. > @@ -131,6 +133,25 @@ both client and `pveproxy`): > HONOR_CIPHER_ORDER=0 > > > +Supported TLS versions > +---------------------- > + > +The insecure SSL versions 2 and 3 are unconditionally disabled for pveproxy. > +TLS versions below 1.1 are disabled by default on recent OpenSSL versions, > +which is honored by `pveproxy` (see `/etc/ssl/openssl.cnf`). > + > +To disable TLS version 1.2 or 1.3, set the following in > `/etc/default/pveproxy`: > + > + DISABLE_TLS_1_2=1 > + > +or, respectively: > + > + DISABLE_TLS_1_3=1 > + > +NOTE: Unless there is a specific reason to do so, it is not recommended to > +manually adjust the supported TLS versions. > + > + > Diffie-Hellman Parameters > ------------------------- 
> > @@ -157,6 +178,13 @@ pveproxy uses `/etc/pve/local/pveproxy-ssl.pem` and > `/etc/pve/local/pve-ssl.pem` and `/etc/pve/local/pve-ssl.key`. > The private key may not use a passphrase. > > +It is possible to override the location of the certificate private key by maybe add a `(/etc/pve/local/pveproxy-ssl.key)` here to avoid confusion afaicu - overriding works only for pveproxy-ssl.pem > +setting `TLS_KEY_FILE` in `/etc/default/pveproxy`, for example: > + > + TLS_KEY_FILE="/secrets/pveproxy.key" > + > +NOTE: The included ACME integration does not honor this setting. > + > See the Host System Administration chapter of the documentation for details. > > COMPRESSION _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
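Review bot: in the first hunk, `(TLS <= 1.2)` and `(TLS >= 1.3)` will not render as written, because `<=` is an AsciiDoc text replacement (it becomes a left double arrow), so the page would read "TLS ⇐ 1.2"; spell it out as `(TLS 1.2 and earlier)` and `(TLS 1.3)`, or escape the symbols. The new sentence also ends in `For example` with no colon before the literal block, and since "Above is the default" now covers two keys, a short note that `CIPHERS` and `CIPHERSUITES` are independent and can both be set would help readers who only want to change one of them.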
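Review bot: in the "Supported TLS versions" hunk, "TLS versions below 1.1 are disabled by default on recent OpenSSL versions" leaves it unclear whether TLS 1.1 itself is still offered; state the minimum version explicitly and name the `openssl.cnf` directive (`MinProtocol`) the reader should check when following the pointer to that file. The section documents `DISABLE_TLS_1_2=1` and `DISABLE_TLS_1_3=1` separately but not what happens if both are set while the OpenSSL default already excludes older versions; one sentence on that combination (whether `pveproxy` refuses to start or simply accepts no connections) would make the NOTE that follows much more concrete.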
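Review bot: the `TLS_KEY_FILE` hunk does not say that the overridden key file must be readable by the user `pveproxy` runs as, nor whether the preceding sentence "The private key may not use a passphrase." also applies to it; both belong next to the example, e.g. "The file must be readable by pveproxy and, like the default key, must not use a passphrase." It would also help to state whether `pveproxy` fails to start or falls back to the default key when the configured file is missing, since a silent fallback would quietly undo the override.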