we check different key sizes for RSA (2048) vs ECC (224) but the logs/error always wrote '2048' which can be confusing if ECC keys are used, for example:
PASS: Certificate 'pveproxy-ssl.pem' passed Debian Busters (and newer) security level for TLS connections (256 >= 2048) Use the actual size and type we check against in the log/error so reduce confusion. The new log line is then: PASS: Certificate 'pveproxy-ssl.pem' passed Debian Busters (and newer) security level for TLS connections (256 >= 224 ECC) Signed-off-by: Dominik Csapak <[email protected]> --- this is based on master, but should be cleanly cherry-pickable on stable-8 currently PVE/CLI/pve8to9.pm | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/PVE/CLI/pve8to9.pm b/PVE/CLI/pve8to9.pm index 5a22c229..0c4b2343 100644 --- a/PVE/CLI/pve8to9.pm +++ b/PVE/CLI/pve8to9.pm @@ -2257,12 +2257,16 @@ sub check_misc { next; } - if ($size < $check->{minsize}) { - log_fail("'$fn', certificate's $check->{name} public key size is less than 2048 bit"); + my $min_size = $check->{minsize}; + my $name = $check->{name}; + if ($size < $min_size) { + log_fail( + "'$fn', certificate's $check->{name} public key size is less than $min_size bit for $name" + ); $certs_check_failed = 1; } else { log_pass( - "Certificate '$fn' passed Debian Busters (and newer) security level for TLS connections ($size >= 2048)" + "Certificate '$fn' passed Debian Busters (and newer) security level for TLS connections ($size >= $min_size $name)" ); } } -- 2.47.3 _______________________________________________ pve-devel mailing list [email protected] https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
