Context
All v1 Proxmox calls disable TLS verification (httpx.AsyncClient(verify=False, ...)), sending the PVEAPIToken over an unverified connection — an on-path attacker can impersonate the node and harvest the token.
Affected: app/routes/v1/proxmox/vms.py, app/routes/v1/proxmox/hosts.py, app/routes/v1/health.py, app/routes/v1/deployments/preflight.py.
What
- Add ssl_fingerprint (SHA-256) to the ProxmoxHost model + HostIn/HostOut schemas. Proxmox exposes it at /api2/json/nodes/{node} (ssl_fingerprint).
- Verify the peer cert fingerprint via a custom SSL context / httpx transport instead of verify=False.
- Optional: per-host CA bundle path; only fall back to insecure behind an explicit allow_insecure_tls flag.
Acceptance
- v1 Proxmox calls validate the cert (fingerprint pin or CA), no blanket verify=False.
- Mismatch → clean 502/auth error, not a silent connect.
Risk: Medium (behind Kong on a trusted mgmt network today; High on an untrusted segment).
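One way to implement the "What" items above, as an added example rather than the project's own code: a TLS client context that pins the peer certificate's SHA-256 fingerprint (checked right after the handshake, on both the socket path and the memory-BIO path that async transports use), plus a per-host policy that prefers the pin, then a CA bundle, and only returns verify=False behind an explicit allow_insecure_tls flag. The host field names (ssl_fingerprint, ca_bundle, allow_insecure_tls), the ProxmoxHostTls dataclass and the assumption that the returned value is passed as httpx's verify= argument are all assumptions of this example, not taken from the repository.

```python
"""Fingerprint-pinned TLS for Proxmox API calls.

Added example, not the project's code. Assumed (hypothetical) host fields:
ssl_fingerprint, ca_bundle, allow_insecure_tls. Proxmox reports the node
certificate's SHA-256 as colon-separated uppercase hex ("AB:CD:...").
"""
import hashlib
import hmac
import re
import ssl
from dataclasses import dataclass
from typing import Optional, Union

_HEX64 = re.compile(r"^[0-9a-f]{64}$")


class PinMismatch(ssl.SSLError):
    """Peer certificate does not match the pinned SHA-256 fingerprint."""


class InsecureHostConfig(ValueError):
    """Host has no pin and no CA bundle, and insecure TLS was not explicitly allowed."""


@dataclass
class ProxmoxHostTls:
    """Hypothetical subset of the ProxmoxHost model (field names assumed)."""
    name: str
    ssl_fingerprint: Optional[str] = None  # SHA-256, colon format or bare hex
    ca_bundle: Optional[str] = None        # path to a PEM bundle for this host
    allow_insecure_tls: bool = False       # explicit opt-out, never the default


def normalize_fingerprint(fp: str) -> str:
    """Accept 'AA:BB:...' (Proxmox format) or bare hex; return 64 lowercase hex chars."""
    bare = re.sub(r"[\s:]", "", fp).lower()
    if not _HEX64.match(bare):
        raise ValueError(f"not a SHA-256 fingerprint: {fp!r}")
    return bare


def cert_sha256(der: bytes) -> str:
    """SHA-256 over the DER certificate, which is what Proxmox's ssl_fingerprint holds."""
    return hashlib.sha256(der).hexdigest()


def fingerprint_matches(der: bytes, pinned: str) -> bool:
    """Constant-time comparison of the peer certificate hash against the pin."""
    return hmac.compare_digest(cert_sha256(der), normalize_fingerprint(pinned))


def verify_peer(tls: Union[ssl.SSLSocket, ssl.SSLObject], pinned: str) -> None:
    """Run after the handshake: with CERT_NONE the DER certificate is still available."""
    der = tls.getpeercert(binary_form=True)
    if not der or not fingerprint_matches(der, pinned):
        raise PinMismatch("peer certificate fingerprint does not match pinned value")


class PinnedSSLSocket(ssl.SSLSocket):
    """Blocking path (wrap_socket): check the pin as soon as the handshake completes."""
    def do_handshake(self, block=False):
        super().do_handshake(block)
        verify_peer(self, self.context.pinned)


class PinnedSSLObject(ssl.SSLObject):
    """Memory-BIO path (wrap_bio, used by async transports): same check."""
    def do_handshake(self):
        super().do_handshake()  # raises SSLWantReadError until the handshake is done
        verify_peer(self, self.context.pinned)


class PinnedContext(ssl.SSLContext):
    """TLS client context whose trust anchor is the pinned fingerprint, not a CA chain."""
    sslsocket_class = PinnedSSLSocket
    sslobject_class = PinnedSSLObject

    def __new__(cls, pinned: str, *args, **kwargs):
        ctx = super().__new__(cls, ssl.PROTOCOL_TLS_CLIENT)
        ctx.pinned = normalize_fingerprint(pinned)
        ctx.check_hostname = False       # self-signed node certs carry no usable chain
        ctx.verify_mode = ssl.CERT_NONE  # chain check off; the post-handshake pin check replaces it
        return ctx

    def __init__(self, pinned: str, *args, **kwargs):
        pass  # all setup happens in __new__


def tls_verify_for_host(host: ProxmoxHostTls) -> Union[ssl.SSLContext, bool]:
    """Value to pass as httpx's verify= (assumed wiring): pin, then CA bundle, else refuse."""
    if host.ssl_fingerprint:
        return PinnedContext(host.ssl_fingerprint)
    if host.ca_bundle:
        return ssl.create_default_context(cafile=host.ca_bundle)
    if host.allow_insecure_tls:
        return False  # the only path to verify=False, and it is opt-in per host
    raise InsecureHostConfig(f"{host.name}: no ssl_fingerprint or ca_bundle configured")
```

A PinMismatch raised from do_handshake propagates out of the connect as an SSLError, which the route layer can map to the clean 502/auth error the acceptance criteria ask for instead of a silent connect. The example assumes that the sync transport reaches the context through wrap_socket and the async one through wrap_bio (the hooks sslsocket_class and sslobject_class cover); confirm that against the httpx/httpcore version in use before relying on it, and note that the CA-bundle branch needs no hook at all since it is ordinary chain validation.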