Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Wed, 7 Mar 2018 14:34:06 +0100
From: Raphael Geissert <>
To: Open Source Security <>
Subject: Portus, missing certificate validation on proxified https traffic


Taking another look at portus, this time at the nginx sample
configuration[1], I noticed that it doesn't enable certificate
validation of the proxified traffic that is forwarded to portus and

Given that the documentation claims the examples are of "A
production-ready setup where all communication is encrypted."[2], I
plan to request a CVE id.

The details:

The example nginx configuration is based on running nginx as a
reverse-proxy of portus and (docker) registry. The docker-compose
provided along the nginx config sets up a certificate[3] for both
components (first smell: only one certificate).

The one an only certificate is also configured on the reverse proxy,
and a decent ciphers list among other security-related http headers
are setup.

But there's no single proxy_ssl_* directive in the whole nginx
configuration (second smell). Meaning that proxy_ssl_verify is off
(nginx default).

Has anyone reviewed portus? this is the second missing certificate
verification I noticed.

CC'ing the SUSE security team.

Oh and it appears that this one comes from the
Portus-On-OracleLinux7[4] repo from which "[they] borrowed a lot of
the NGinx configuration"[2] :

CC'ing Avi Miller.


Raphael Geissert

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.