Date: Wed, 7 Mar 2018 14:34:06 +0100 From: Raphael Geissert <atomo64@...il.com> To: Open Source Security <oss-security@...ts.openwall.com> Cc: security@...e.de, avi.miller@...il.com Subject: Portus, missing certificate validation on proxified https traffic Hi, Taking another look at portus, this time at the nginx sample configuration, I noticed that it doesn't enable certificate validation of the proxified traffic that is forwarded to portus and registry. Given that the documentation claims the examples are of "A production-ready setup where all communication is encrypted.", I plan to request a CVE id. The details: The example nginx configuration is based on running nginx as a reverse-proxy of portus and (docker) registry. The docker-compose provided along the nginx config sets up a certificate for both components (first smell: only one certificate). The one an only certificate is also configured on the reverse proxy, and a decent ciphers list among other security-related http headers are setup. But there's no single proxy_ssl_* directive in the whole nginx configuration (second smell). Meaning that proxy_ssl_verify is off (nginx default). Has anyone reviewed portus? this is the second missing certificate verification I noticed. CC'ing the SUSE security team. Oh and it appears that this one comes from the Portus-On-OracleLinux7 repo from which "[they] borrowed a lot of the NGinx configuration" : https://github.com/Djelibeybi/Portus-On-OracleLinux7/blob/f2e7a167f6325a0247eb1ca49a962478daf49a8b/nginx/proxy.conf#L57 CC'ing Avi Miller. https://github.com/SUSE/Portus/blob/146076d543e8f1618f837dd7466c5f0fdc26438d/examples/compose/nginx/nginx.conf https://github.com/SUSE/Portus/blob/146076d543e8f1618f837dd7466c5f0fdc26438d/examples/compose/README.md https://github.com/SUSE/Portus/blob/146076d543e8f1618f837dd7466c5f0fdc26438d/examples/compose/docker-compose.yml#L21  https://github.com/Djelibeybi/Portus-On-OracleLinux7 Cheers, -- Raphael Geissert
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ