oss-security - nginx http proxy module does not verify peer identity of https origin server

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [thread-next>] [day] [month] [year] [list]

Message-ID: <50E5A574.6040809@fifthhorseman.net>
Date: Thu, 03 Jan 2013 10:36:20 -0500
From: Daniel Kahn Gillmor <dkg@...thhorseman.net>
To: oss-security@...ts.openwall.com, nginx-devel@...nx.org
Subject: nginx http proxy module does not verify peer identity of https origin
 server

nginx offers the ability for its http proxy module to talk to an origin
server over https.  However, it does not verify the identity of the
origin server in this case, which leaves it subject to MITM attacks
between the proxy and the origin server.

Sadly, this appears to be unfixed for over a year after it was first
reported:

 http://trac.nginx.org/nginx/ticket/13

some patch review starts over here, but doesn't seem to reach any
resolution:

 http://mailman.nginx.org/pipermail/nginx-devel/2011-September/001182.html

As far as i can tell, there is no CVE assigned for this yet.

	--dkg

Download attachment "signature.asc" of type "application/pgp-signature" (1028 bytes)

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.