oss-sec mailing list archives
nginx http proxy module does not verify peer identity of https origin server
From: Daniel Kahn Gillmor <dkg () fifthhorseman net>
Date: Thu, 03 Jan 2013 10:36:20 -0500
nginx offers the ability for its http proxy module to talk to an origin server over https. However, it does not verify the identity of the origin server in this case, which leaves it subject to MITM attacks between the proxy and the origin server. Sadly, this appears to be unfixed for over a year after it was first reported: http://trac.nginx.org/nginx/ticket/13 some patch review starts over here, but doesn't seem to reach any resolution: http://mailman.nginx.org/pipermail/nginx-devel/2011-September/001182.html As far as i can tell, there is no CVE assigned for this yet. --dkg
Attachment:
signature.asc
Description: OpenPGP digital signature
Current thread:
- nginx http proxy module does not verify peer identity of https origin server Daniel Kahn Gillmor (Jan 03)
- Re: nginx http proxy module does not verify peer identity of https origin server Kurt Seifried (Jan 03)