
stunnel not verifying backend certificates?
Closed, Declined | Public

Description

I was browsing our stunnel configuration, and while it lacks some proper configuration regarding TLS versions and does not comply with my preference of using a certificate for stunnel ONLY, according to the docs there is no verification of the peer certificate by default. The result of that is encrypted communication but not while verifying we are talking with Miraheze's servers and not someone else's.
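As an added example (not Miraheze's configuration or code), the POSIX shell audit below lists every client-mode stunnel service whose section sets none of verifyChain, verifyPeer or verify >= 2, i.e. the unverified default the description refers to. It runs on a constructed stunnel.conf; the second service shows the hardened form (verifyChain with CAfile and checkHost); the host names and the CA bundle path are assumptions.

```shell
#!/bin/sh
# Added example, not Miraheze's stunnel.conf. Lists every [service] section
# running in client mode that enables no peer-certificate verification.

# Print names of client-mode services lacking verifyChain/verifyPeer/verify>=2.
audit_stunnel_conf() {
    awk '
        function report() { if (svc != "" && client && !verify) print svc }
        /^[[:space:]]*[;#]/ { next }                     # comment line
        /^[[:space:]]*\[/ {                              # start of [service]
            report()
            svc = $0
            sub(/^[[:space:]]*\[/, "", svc); sub(/][[:space:]]*$/, "", svc)
            client = 0; verify = 0
            next
        }
        /^[[:space:]]*client[[:space:]]*=[[:space:]]*yes/      { client = 1 }
        /^[[:space:]]*verifyChain[[:space:]]*=[[:space:]]*yes/ { verify = 1 }
        /^[[:space:]]*verifyPeer[[:space:]]*=[[:space:]]*yes/  { verify = 1 }
        /^[[:space:]]*verify[[:space:]]*=[[:space:]]*[2-4]/    { verify = 1 }
        END { report() }
    ' "$1"
}

# Constructed sample: first service is the unverified default the task
# describes; second adds verifyChain + CAfile + checkHost (assumed paths/names).
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
; constructed sample, not a real deployment
foreground = yes

[backend-unverified]
client = yes
accept = 127.0.0.1:8443
connect = backend.example.org:443

[backend-verified]
client = yes
accept = 127.0.0.1:8444
connect = backend.example.org:443
verifyChain = yes
CAfile = /etc/ssl/certs/ca-certificates.crt
checkHost = backend.example.org
EOF
    audit_stunnel_conf "$tmp"
    rm -f "$tmp"
}
demo   # prints: backend-unverified
```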

Event Timeline

Southparkfan raised the priority of this task from High to Unbreak Now!. Mar 13 2019, 15:27

That's kind of funny (read as: awful), herald made security task temporarily visible to Amanda.

That's kind of funny (read as: awful), herald made security task temporarily visible to Amanda.

No it did not.

In T4196#80101, @John wrote:

That's kind of funny (read as: awful), herald made security task temporarily visible to Amanda.

No it did not.

This was my bad. Not to hijack this thread but herald behaves differently than I thought.


Southparkfan lowered the priority of this task from Unbreak Now! to High. Mar 13 2019, 18:35

I have a hard time understanding how stunnel works with the backend server with regards to certificates. I have not been able to prove (in)valid verification by stunnel.

A proper solution (to make sure stunnel verifies the clients for 100%) would probably be to create a self-signed certificate and let nginx use that - however that would break test1.miraheze.org which would then need the old config. Such a drastic change cannot be done in just one day, thus reducing priority.

Southparkfan claimed this task.

Non-existent issue.

Southparkfan changed the visibility from "Custom Policy" to "Public (No Login Required)". Jul 3 2019, 23:26
Southparkfan changed the edit policy from "Custom Policy" to "All Users".

Obviously just seeing this now... @NDKilla one of the conditions in my Herald rule is to automatically add my project tag to any task that is UBN priority.

(Although I was away at the time so I didn't even see it when it occurred)