Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 7 Mar 2018 14:34:06 +0100
From: Raphael Geissert <>
To: Open Source Security <>
Subject: Portus, missing certificate validation on proxified https traffic


Taking another look at portus, this time at the nginx sample
configuration[1], I noticed that it doesn't enable certificate
validation of the proxified traffic that is forwarded to portus and

Given that the documentation claims the examples are of "A
production-ready setup where all communication is encrypted."[2], I
plan to request a CVE id.

The details:

The example nginx configuration is based on running nginx as a
reverse-proxy of portus and (docker) registry. The docker-compose
provided along the nginx config sets up a certificate[3] for both
components (first smell: only one certificate).

The one an only certificate is also configured on the reverse proxy,
and a decent ciphers list among other security-related http headers
are setup.

But there's no single proxy_ssl_* directive in the whole nginx
configuration (second smell). Meaning that proxy_ssl_verify is off
(nginx default).

Has anyone reviewed portus? this is the second missing certificate
verification I noticed.

CC'ing the SUSE security team.

Oh and it appears that this one comes from the
Portus-On-OracleLinux7[4] repo from which "[they] borrowed a lot of
the NGinx configuration"[2] :

CC'ing Avi Miller.


Raphael Geissert

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ