nginx http proxy module does not verify peer identity of https origin server

[Daniel Kahn Gillmor <dkg () fifthhorseman net>]

nginx offers the ability for its http proxy module to talk to an origin
server over https.  However, it does not verify the identity of the
origin server in this case, which leaves it subject to MITM attacks
between the proxy and the origin server.

Sadly, this appears to be unfixed for over a year after it was first
reported:

 http://trac.nginx.org/nginx/ticket/13

some patch review starts over here, but doesn't seem to reach any
resolution:

 http://mailman.nginx.org/pipermail/nginx-devel/2011-September/001182.html

As far as i can tell, there is no CVE assigned for this yet.

        --dkg

Attachment: signature.asc
Description: OpenPGP digital signature