Limit access to specific CA or SSL cert #29

Open
belcloud opened this issue May 18, 2018 · 2 comments

@belcloud
Contributor

Hello

Would it be possible to add an option to drop the connection if the Proxmox's SSL certificate is not a specific one or does not belong to a specific CA?
Because if it accepts Proxmox's self-signed certificate, it will accept any certificate in the case of a MITM attack.

Thank you

@zzantares
Owner

zzantares commented May 18, 2018

Mmm well, right now you can supply your own Http client instance to the Proxmox constructor as an extra parameter, but now I notice this feature is undocumented. But in theory you can make your own Guzzle client with the cert option set.

But yes, I think it could be added as a convenience (although I don't do PHP anymore), how would you think this should be handled?

@belcloud
Contributor Author

belcloud commented May 19, 2018

If Guzzle can handle such, I think it should force the connection to use a specific certificate when connecting to the host. The certificate could be added as a file or as string in PEM format. I would see no problem with using a single certificate on all the Proxmox clusters.
Alternatively, add a new CA and invalidate all the system/predefined CAs.
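
The approach discussed in this thread, as an added example that is not part of the original comments or of the ProxmoxVE project: a Guzzle client that checks the server against a private CA file and, optionally, pins the server's public key. The script name, the file arguments and the position of the client in the `Proxmox` constructor are assumptions; the thread only says the client is passed as an extra parameter.

```php
<?php
// Added example; not code from the ProxmoxVE project. Needs guzzlehttp/guzzle with the cURL handler.
require __DIR__ . '/vendor/autoload.php';

use GuzzleHttp\Client;

/** libcurl pin string: "sha256//" + base64(SHA-256 of the DER SubjectPublicKeyInfo). */
function spkiPin(string $certPem): string
{
    $cert = openssl_x509_read($certPem);
    if ($cert === false) {
        throw new InvalidArgumentException('Not a PEM certificate');
    }
    $spkiPem = openssl_pkey_get_details(openssl_pkey_get_public($cert))['key'];
    $der = base64_decode(preg_replace('/-----[^-]+-----|\s+/', '', $spkiPem), true);
    return 'sha256//' . base64_encode(hash('sha256', $der, true));
}

/** Client that checks the server against the CA(s) in $caFile and, optionally, one pinned key. */
function pinnedClient(string $caFile, ?string $serverCertPem = null): Client
{
    if (!is_readable($caFile)) {
        throw new InvalidArgumentException("CA file not readable: $caFile");
    }
    // 'verify' selects the CA file used to check the server ('cert' is the client certificate).
    $options = ['verify' => $caFile, 'timeout' => 10];
    if ($serverCertPem !== null) {
        // Handshake fails unless the server's public key matches this pin (libcurl >= 7.39).
        $options['curl'] = [CURLOPT_PINNEDPUBLICKEY => spkiPin($serverCertPem)];
    }
    return new Client($options);
}

// Usage: php pinned_client.php <ca.pem> [<server-cert.pem>]
if (PHP_SAPI === 'cli' && $argc >= 2) {
    $pem = isset($argv[2]) ? file_get_contents($argv[2]) : null;
    $client = pinnedClient($argv[1], $pem);
    echo $pem === null ? "CA file configured\n" : 'Pin: ' . spkiPin($pem) . "\n";
    // Assumed constructor shape; $credentials is a placeholder for your own settings:
    // $proxmox = new ProxmoxVE\Proxmox($credentials, 'array', $client);
}
```

Depending on how libcurl was built, a system CA directory can still be consulted alongside the file given in `verify`, so the public-key pin is the control that restricts the connection to one specific server key.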
