This patchset fixes #2069 - requesting to let pveproxy prefer its own configured ciphers to the ones presented by the client. This is generally considered good practice w.r.t. TLS configurations - see e.g. [0].
While testing with testssl.sh [1] I thought that it would be nice to provide users a switch for disabling http-compression (also considered good practice due to BREACH [2]), which was done in a separate patch (per repository). I'd suggest to add this to pmgproxy as well (but will send the necessary preparations separately).

[0] https://cipherli.st/
[1] https://testssl.sh/
[2] https://en.wikipedia.org/wiki/BREACH

pve-manager:

Stoiko Ivanov (3):
  fix typo in comment (ssl-config)
  pveproxy: add configurable HONOR_CIPHER_ORDER
  pveproxy: add configurable COMPRESSION

 PVE/API2Tools.pm        | 7 ++++++-
 PVE/Service/pveproxy.pm | 4 +++-
 2 files changed, 9 insertions(+), 2 deletions(-)

pve-http-server:

Stoiko Ivanov (2):
  Add configurable 'honor_cipher_order'
  Add configurable 'compression'

 PVE/APIServer/AnyEvent.pm | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

--
2.11.0

_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel