Re: nginx http proxy module does not verify peer identity of https origin server

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/03/2013 08:36 AM, Daniel Kahn Gillmor wrote:
> nginx offers the ability for its http proxy module to talk to an
> origin server over https.  However, it does not verify the identity
> of the origin server in this case, which leaves it subject to MITM
> attacks between the proxy and the origin server.
>
> Sadly, this appears to be unfixed for over a year after it was
> first reported:
>
> http://trac.nginx.org/nginx/ticket/13
>
> some patch review starts over here, but doesn't seem to reach any 
> resolution:
>
> http://mailman.nginx.org/pipermail/nginx-devel/2011-September/001182.html
>
>  As far as i can tell, there is no CVE assigned for this yet.
>
> --dkg

Yup. Please use CVE-2011-4968 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJQ5dBKAAoJEBYNRVNeJnmTk10P/RUE7xS+vKvTitanyBfK88OZ
rApBQlDm0v4yFQw3Wr9YZRAOWcla8aiaGe9txK1t2NzHRcKtv4kidXk4VtbfG3El
LGdourO0zi2Z3Vho48p/OkeVzpTr0eGNPduiJQdDmbD1M0ngmM5CCFxfpCf9hUb8
1Ph8ZZsVhcvbxhKA6zOtKUVHi8LX+EUdF4XzNPP59gx0UHQhIiLfElbmz4wLoPuN
p8xLnzEia94VGlFYVWxET34RL8V4uljaGsHIKZOOcFGSrPofzvipnyowfoRVB5dG
YmNtnWGihpC+Bp54YD81ItsI99TtPCjQfdrUQW6qkdZivMP+SQSqwhc/QZLe7jsI
/ATkfp28QRTi5fYvJpwAJUo4L6+bXYz4dMa5F3IdZyxBfqGxzwuvf6i4dobYyDnU
fgtd7H1KbyxGZojNiA5MzY5WCdZYIqjbfrOo2M+maYVrAC/deqEZ8R5JJEK8vhYt
mfPYs+49Qj8k8aC0AJPC3djbnh6odcG76gcyouweXvSMpPsYKi15Cxa1pmEnC2Ll
JmTaAvj6MhKviaJekROjBDnPe4g3VNOjPykfN0O9564f3IBWtsgLFN1NmIrA/NvA
e/7ndDg2JM8sJm3y23gjH14jxyDRMSAn1Bn8WiFX6F3O9WHz7dmImMX4LHEjx94I
DCv+ThLcl5lpyFQ5UO3m
=/tAU
-----END PGP SIGNATURE-----