osdir.com


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Bug 61984] New: mod_ssl has SSLProxyVerify set to none by default


https://bz.apache.org/bugzilla/show_bug.cgi?id=61984

            Bug ID: 61984
           Summary: mod_ssl has SSLProxyVerify set to none by default
           Product: Apache httpd-2
           Version: 2.5-HEAD
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_ssl
          Assignee: bugs@xxxxxxxxxxxxxxxx
          Reporter: thrift24@xxxxxxxxx
  Target Milestone: ---

mod_ssl has SSLProxyVerify set to none by default.

SSL offers no real security without verification of the cert, so this should be
turned on by default.  Those who may not read into the entire configuration
could incorrectly believe that by using SSL it is doing the sensible default
thing here, checking the certificate.  This could lead to configurations that
are susceptible to MiTM attacks via self signed certs.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: bugs-help@xxxxxxxxxxxxxxxx