
Fix: CRITICAL: upstream HTTPS certificate validation, and security model (#45)

This commit fixes the recently found issue where upstream HTTPS certificates were not being properly validated by the Onionspray rewriting proxy.

It introduces the per-project nginx_proxy_ssl_trusted_certificate configuration setting, which enables the certificate validation.

This setting works exactly as NGINX's proxy_ssl_trusted_certificate setting, and expects a full file path "with trusted CA certificates in the PEM format used to verify the certificate of the proxied HTTPS server".

When this setting is absent, or set to 0, Onionspray will produce a warning during the configuration stage, encouraging operators to enable it.

Sadly, this setting is not enabled by default, since there's no way to determine in advance which file the operator should use. In Debian-like systems, the ca-certificates package manages /etc/ssl/certs/ca-certificates.crt, which contains many CA certificates and should work for most cases. But in general, operators will need to figure out which file to use and how to best manage it.

The fix was also backported to EOTK, and the patch is available as an attachment on issue #45 (closed).

This vulnerability was discovered while writing a concise security analysis/model for Onionspray, which is also included in this commit.

See also #45 (closed)

Closes #45 (closed).
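For readers who want to see what the setting maps to at the NGINX level, the two fragments below are an added illustration, not code from the Onionspray or EOTK repositories. They show the upstream TLS directives of a reverse-proxy `location` block in its unverified form and in the hardened form that a configured `nginx_proxy_ssl_trusted_certificate` is meant to produce. The upstream host `origin.example.com` and the bundle path are placeholders; the bundle path matches the Debian file named in the commit message. One caveat from NGINX itself: `proxy_ssl_trusted_certificate` only names the CA bundle, and validation is actually switched on by `proxy_ssl_verify on`, which defaults to `off`, so a generated configuration needs both directives (how Onionspray's template emits them is assumed here, not taken from the page).

```nginx
# Added example; placeholders, not a real deployment.

# Unverified form: the proxy talks HTTPS to the upstream, but because
# proxy_ssl_verify defaults to "off", the upstream's certificate chain is
# never checked. Any party able to sit between the proxy and the origin
# can present an arbitrary certificate and go unnoticed.
location / {
    proxy_pass            https://origin.example.com;
    proxy_ssl_server_name on;    # send SNI so the origin picks the right cert
    # no proxy_ssl_verify / proxy_ssl_trusted_certificate: no validation
}

# Hardened form: verify the upstream chain against a CA bundle and check
# that the certificate matches the expected hostname.
location / {
    proxy_pass                    https://origin.example.com;
    proxy_ssl_server_name         on;
    proxy_ssl_name                origin.example.com;   # name the cert must match
    proxy_ssl_verify              on;                   # required; default is off
    proxy_ssl_verify_depth        2;                    # allow one intermediate CA
    proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
}
```

A quick operational check after enabling this is `nginx -t`, which fails at configuration time if the bundle path does not exist, and then a request through the proxy while watching the error log: a chain or hostname mismatch surfaces as an `upstream SSL certificate verify error` entry rather than as a silently proxied page.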
