oss-sec mailing list archives
Portus, missing certificate validation on proxified https traffic
From: Raphael Geissert <atomo64 () gmail com>
Date: Wed, 7 Mar 2018 14:34:06 +0100
Hi,

Taking another look at portus, this time at the nginx sample configuration[1], I noticed that it doesn't enable certificate validation of the proxified traffic that is forwarded to portus and registry. Given that the documentation claims the examples are of "A production-ready setup where all communication is encrypted."[2], I plan to request a CVE id.

The details: The example nginx configuration is based on running nginx as a reverse-proxy of portus and (docker) registry. The docker-compose provided along the nginx config sets up a certificate[3] for both components (first smell: only one certificate). The one and only certificate is also configured on the reverse proxy, and a decent ciphers list among other security-related http headers are set up. But there isn't a single proxy_ssl_* directive in the whole nginx configuration (second smell). Meaning that proxy_ssl_verify is off (nginx default).

Has anyone reviewed portus? This is the second missing certificate verification I noticed.

CC'ing the SUSE security team.

Oh, and it appears that this one comes from the Portus-On-OracleLinux7[4] repo from which "[they] borrowed a lot of the NGinx configuration"[2]:
https://github.com/Djelibeybi/Portus-On-OracleLinux7/blob/f2e7a167f6325a0247eb1ca49a962478daf49a8b/nginx/proxy.conf#L57

CC'ing Avi Miller.

[1] https://github.com/SUSE/Portus/blob/146076d543e8f1618f837dd7466c5f0fdc26438d/examples/compose/nginx/nginx.conf
[2] https://github.com/SUSE/Portus/blob/146076d543e8f1618f837dd7466c5f0fdc26438d/examples/compose/README.md
[3] https://github.com/SUSE/Portus/blob/146076d543e8f1618f837dd7466c5f0fdc26438d/examples/compose/docker-compose.yml#L21
[4] https://github.com/Djelibeybi/Portus-On-OracleLinux7

Cheers,
-- 
Raphael Geissert
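The configuration gap described in the message above, as an added example that is not code from the Portus project, the Portus-On-OracleLinux7 repo, or the original poster: a small Python checker that parses an nginx configuration, tracks the proxy_ssl_* directives as nginx inherits them into nested blocks, and flags every `proxy_pass https://...` whose effective proxy_ssl_verify is off (the nginx default) or which has no proxy_ssl_trusted_certificate in scope. The two embedded configs are constructed for this example, not the Portus files: the first reproduces the smell the post describes (one certificate, https upstreams, no proxy_ssl_* directive anywhere), the second shows the directives that close it. Upstream names (portus, registry), ports and certificate paths are assumptions; the directive names and their defaults are nginx's own.

```python
"""Scan an nginx reverse-proxy config for https:// upstreams that are proxied
without certificate verification. proxy_ssl_verify defaults to "off", so
`proxy_pass https://backend;` with no proxy_ssl_* directive in scope encrypts
the hop but accepts any certificate the backend presents.
The parser is a minimal one written for this example (not nginx's own)."""
import re


def parse_nginx(text):
    """Parse nginx syntax into (name, args, body) tuples; body is None for a
    plain directive and a list of nested tuples for a { ... } block."""
    text = re.sub(r"#[^\n]*", "", text)  # drop comments
    tokens = re.findall(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};]+', text)
    pos = 0

    def block():
        nonlocal pos
        items, args = [], []
        while pos < len(tokens):
            tok = tokens[pos]
            pos += 1
            if tok == ";":
                if args:
                    items.append((args[0], args[1:], None))
                args = []
            elif tok == "{":
                name, rest = args[0], args[1:]
                args = []
                items.append((name, rest, block()))
            elif tok == "}":
                return items
            else:
                args.append(tok.strip("\"'"))
        return items

    return block()


def audit(items, inherited=None, path="main"):
    """Walk the tree. proxy_ssl_* directives set in http/server are inherited
    by nested blocks, so the effective value at a proxy_pass is the nearest
    enclosing setting; absent any, nginx's default (off) applies."""
    env = dict(inherited or {})
    for name, args, body in items:  # this level's settings override inherited ones
        if body is None and name.startswith("proxy_ssl_"):
            env[name] = args
    findings = []
    for name, args, body in items:
        if body is not None:
            findings += audit(body, env, path + " > " + " ".join([name] + args))
            continue
        if name != "proxy_pass" or not args or not args[0].lower().startswith("https://"):
            continue
        verify = env.get("proxy_ssl_verify", ["off"])[0].lower()
        if verify != "on":
            findings.append("%s: %s proxied with proxy_ssl_verify %s (nginx default is off);"
                            " upstream certificate is not checked" % (path, args[0], verify))
        elif "proxy_ssl_trusted_certificate" not in env:
            findings.append("%s: proxy_ssl_verify on but no proxy_ssl_trusted_certificate in"
                            " scope; point it at the CA (or self-signed cert) of the upstream"
                            % path)
    return findings


def audit_config(text):
    return audit(parse_nginx(text))


# Constructed sample (assumed names/paths): the smell from the post. One cert,
# https upstreams, not a single proxy_ssl_* directive.
VULNERABLE_CONF = """
http {
    upstream portus   { server portus:3000; }
    upstream registry { server registry:5000; }
    server {
        listen 443 ssl;
        ssl_certificate     /certificates/portus.crt;
        ssl_certificate_key /certificates/portus.key;
        location /v2/ { proxy_pass https://registry; }
        location /    { proxy_pass https://portus; }
    }
}
"""

# Constructed hardened form: verify the chain against the cert the compose
# file provisioned, and name the host the cert must carry per upstream group.
HARDENED_CONF = """
http {
    upstream portus   { server portus:3000; }
    upstream registry { server registry:5000; }
    server {
        listen 443 ssl;
        ssl_certificate     /certificates/portus.crt;
        ssl_certificate_key /certificates/portus.key;
        proxy_ssl_verify              on;   # inherited by every location below
        proxy_ssl_trusted_certificate /certificates/portus.crt;
        proxy_ssl_verify_depth        2;
        proxy_ssl_server_name         on;   # send SNI to the upstream
        location /v2/ { proxy_pass https://registry; proxy_ssl_name registry; }
        location /    { proxy_pass https://portus;   proxy_ssl_name portus; }
    }
}
"""

if __name__ == "__main__":
    for label, conf in (("vulnerable", VULNERABLE_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_config(conf) or "no findings")
```

One caveat the check does not cover: with proxy_ssl_verify on, nginx also matches the certificate's name against proxy_ssl_name, which defaults to the host part of the proxy_pass URL. When proxy_pass points at an upstream group (as above), that default is the group name, so the upstream certificate must carry it as a SAN or proxy_ssl_name must be set explicitly; otherwise the connection fails closed rather than open, which is the right failure mode but still a surprise at deploy time.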
Current thread:
- Portus, missing certificate validation on proxified https traffic Raphael Geissert (Mar 07)
- Re: Portus, missing certificate validation on proxified https traffic Raphael Geissert (Mar 11)