Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 03 Jan 2013 10:36:20 -0500
From: Daniel Kahn Gillmor <>
Subject: nginx http proxy module does not verify peer identity of https origin

nginx offers the ability for its http proxy module to talk to an origin
server over https.  However, it does not verify the identity of the
origin server in this case, which leaves it subject to MITM attacks
between the proxy and the origin server.

Sadly, this appears to be unfixed for over a year after it was first

some patch review starts over here, but doesn't seem to reach any

As far as i can tell, there is no CVE assigned for this yet.


Download attachment "signature.asc" of type "application/pgp-signature" (1028 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.