Skip to content
  • Silvio Rhatto's avatar
    187a94d9
    Fix: CRITICAL: upstream HTTPS certificate validation, and security model (#45) · 187a94d9
    Silvio Rhatto authored
    This commit fixes the recently found issue where upstream HTTPS
    certificates were not being properly validated by the Onionspray
    rewriting proxy.
    
    It introduces the per-project `nginx_proxy_ssl_trusted_certificate`
    configuration setting, which enables the certificate validation.
    
    This setting works exactly as NGINX's `proxy_ssl_trusted_certificate`
    setting, and expects a full file path "with trusted CA certificates in
    the PEM format used to verify the certificate of the proxied HTTPS
    server".
    
    When this setting is absent, or set to 0, Onionspray will produce a
    warning during the configuration stage, encouraging operators to enable
    it.
    
    Sadly, this setting is not enabled by default, since there's no way to
    determine in advance which file the operator should use. In Debian-like
    systems, the `ca-certificates` package manages the
    `/etc/ssl/certs/ca-certificates.crt`, which contains many CA certificates
    and that should work for most cases. But in general, operators will need
    to figure out which file to use and how to best manage it.
    
    The fix was also backported to EOTK, and the patch is available as an
    attachment on issue #45.
    
    This vulnerability was discovered while writing a concise security
    analysis/model for Onionspray, which is also included in this commit.
    
    See also
    #45
    
    Closes #45.
    187a94d9
    Fix: CRITICAL: upstream HTTPS certificate validation, and security model (#45)
    Silvio Rhatto authored
    This commit fixes the recently found issue where upstream HTTPS
    certificates were not being properly validated by the Onionspray
    rewriting proxy.
    
    It introduces the per-project `nginx_proxy_ssl_trusted_certificate`
    configuration setting, which enables the certificate validation.
    
    This setting works exactly as NGINX's `proxy_ssl_trusted_certificate`
    setting, and expects a full file path "with trusted CA certificates in
    the PEM format used to verify the certificate of the proxied HTTPS
    server".
    
    When this setting is absent, or set to 0, Onionspray will produce a
    warning during the configuration stage, encouraging operators to enable
    it.
    
    Sadly, this setting is not enabled by default, since there's no way to
    determine in advance which file the operator should use. In Debian-like
    systems, the `ca-certificates` package manages the
    `/etc/ssl/certs/ca-certificates.crt`, which contains many CA certificates
    and that should work for most cases. But in general, operators will need
    to figure out which file to use and how to best manage it.
    
    The fix was also backported to EOTK, and the patch is available as an
    attachment on issue #45.
    
    This vulnerability was discovered while writing a concise security
    analysis/model for Onionspray, which is also included in this commit.
    
    See also
    #45
    
    Closes #45.
Loading