osdir.com


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Bug 61984] mod_ssl has SSLProxyVerify set to none by default


https://bz.apache.org/bugzilla/show_bug.cgi?id=61984

--- Comment #3 from Yann Ylavic <ylavic.dev@xxxxxxxxx> ---
I don't know, when a proxy is configured that's already the MITM, right?
So you need to persuade your clients that you are the one "man" already.

In a reverse proxy scenario you'd use the domain's certs (which you can't fake,
browsers watch!) for inbound connections, and either be confident enough about
your internal network (with no SSL at all, or no authenticated SSL for
eavesdropping prevention only), or that network is not trusted and you probably
should know how to enforce authentication with the backend (one or two way) as
a typical domain admin.

In a forward proxy scenario, it's kind of the same thing besides you also need
now to ensure the trust your clients put on the proxy (to reach the right
origin server), so you have to face the burden of maintaining the "CAs/keystore
of the internet" locally like browers do, not easy but the price for trust
here.

In any case I think that for running a proxy one needs to have a look at its
documentation (for the least), so I would go for a note/warning about
non-authenticated TLS on the mod_ssl page, if none exists already.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: bugs-help@xxxxxxxxxxxxxxxx