Posted to issues@trafficserver.apache.org by shinrich <gi...@git.apache.org> on 2017/03/01 18:47:05 UTC

[GitHub] trafficserver issue #1525: Should allow control on whether default cert path...

GitHub user shinrich opened an issue:

    https://github.com/apache/trafficserver/issues/1525

    Should allow control on whether default cert paths/files are included for verification

    When creating the SSL_CTX for ATS initiating connections to origin, we always call SSL_CTX_set_default_verify_path which adds the default trusted root packages on the system.  You can also set your own via settings, but the default case is also added.
    
    For a reverse proxy, the default trusted root set is probably not desirable.  You probably just want to verify that your origins are signed with your small set of trusted roots.  Adding more trusted roots just allows for the possibility that you accept a cert signed by someone else entirely.
    
    There are a couple options to fix this
    1. Add a new setting to ignore default trusted root
    2. Don't call SSL_CTX_set_default_verify_path if a CA file or CA directory is explicitly defined.
    3. The reverse proxy folks should just move the default trusted root files out of the way if they care (which is accidentally what we did).
    
    No option is technically difficult, but probably worth a bit of discussion.
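The two non-manual options above (a dedicated setting, or skipping the system roots whenever a CA file/directory is configured) can be combined into one decision rule. The following is an added illustration, not code from Apache Traffic Server: it uses Python's standard `ssl` module, whose `load_default_certs()` is a wrapper around the OpenSSL call discussed here (`SSL_CTX_set_default_verify_paths`), and whose `load_verify_locations()` wraps `SSL_CTX_load_verify_locations`. The `OriginTlsSettings` names and the `/etc/ats/...` paths are assumptions for the example.

```python
import os
import ssl
import tempfile
from dataclasses import dataclass
from typing import Optional


@dataclass
class OriginTlsSettings:
    """Hypothetical proxy-side settings for verifying origin certificates."""
    ca_file: Optional[str] = None          # explicit CA bundle (PEM), if any
    ca_path: Optional[str] = None          # explicit hashed CA directory, if any
    # Option 1 from the issue: an explicit knob. None means "not set", in which
    # case option 2 (infer from ca_file/ca_path) decides.
    include_system_roots: Optional[bool] = None


def should_load_system_roots(settings: OriginTlsSettings) -> bool:
    """Decide whether the system's default trust store is added to the context.

    An explicit setting always wins (option 1). Otherwise the system roots are
    only used when the operator configured no trust anchors at all (option 2),
    so a reverse proxy that pins a small private root set never silently gains
    hundreds of public CAs it does not need.
    """
    if settings.include_system_roots is not None:
        return settings.include_system_roots
    return settings.ca_file is None and settings.ca_path is None


def build_origin_context(settings: OriginTlsSettings) -> ssl.SSLContext:
    """Build a client-side context for proxy-to-origin TLS."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED   # never accept an unverified origin
    ctx.check_hostname = True
    if settings.ca_file or settings.ca_path:
        # Operator-supplied trust anchors only (wraps SSL_CTX_load_verify_locations).
        ctx.load_verify_locations(cafile=settings.ca_file, capath=settings.ca_path)
    if should_load_system_roots(settings):
        # This is the call the issue objects to being made unconditionally
        # (wraps SSL_CTX_set_default_verify_paths on OpenSSL builds).
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    return ctx


def loaded_cert_count(ctx: ssl.SSLContext) -> int:
    """Number of X.509 certificates eagerly loaded into the context's store.

    Note: a capath directory is consulted lazily by OpenSSL, so certificates
    that live only there are not counted here even though lookups succeed.
    """
    return ctx.cert_store_stats()["x509"]


def private_roots_only_count() -> int:
    """Context with only a (constructed, empty) hashed CA directory and no system roots."""
    capath = tempfile.mkdtemp(prefix="origin-roots-")   # constructed for the example
    try:
        ctx = build_origin_context(OriginTlsSettings(ca_path=capath))
        return loaded_cert_count(ctx)
    finally:
        os.rmdir(capath)


if __name__ == "__main__":
    for s in (
        OriginTlsSettings(),
        OriginTlsSettings(ca_file="/etc/ats/origin-roots.pem"),            # assumed path
        OriginTlsSettings(ca_file="/etc/ats/origin-roots.pem", include_system_roots=True),
        OriginTlsSettings(include_system_roots=False),
    ):
        print(s, "->", "system roots" if should_load_system_roots(s) else "explicit roots only")
```

A useful operational check after deploying either option is `loaded_cert_count()` on the live context: with a private bundle of a handful of roots the count should be in the single digits, and a jump into the hundreds means the system store has crept back in.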
