
stunnel not verifying backend certificates?
Closed, Declined | Public

Description

I was browsing our stunnel configuration, and while it lacks some proper configuration regarding TLS versions and does not comply with my preference of using a certificate for stunnel ONLY, according to the docs there is no verification of the peer certificate by default. The result of that is encrypted communication but not while verifying we are talking with Miraheze's servers and not someone else's.
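One way to check a configuration for the gap described above, as an added example that is not part of the original task or Miraheze's tooling: it flags client-mode services where none of stunnel's `verifyChain`, `verifyPeer` or legacy `verify` (level 2 or higher) options is enabled. The sample configuration, host names and function names are constructed for illustration.

```python
# Added example: lint stunnel client services that encrypt without authenticating the backend.
SAMPLE_CONF = """\
; constructed sample, not taken from any real deployment
[backend-unverified]
client = yes
accept = 127.0.0.1:8080
connect = backend.example.org:443
[backend-verified]
client = yes
accept = 127.0.0.1:8081
connect = backend.example.org:443
CAfile = /etc/ssl/certs/ca-certificates.crt
verifyChain = yes
checkHost = backend.example.org
"""

def parse_stunnel_conf(text):
    """Return (global_opts, {service: opts}) with lower-cased option names."""
    global_opts, services, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = services.setdefault(line[1:-1], {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            (global_opts if current is None else current)[key.strip().lower()] = value.strip()
    return global_opts, services

def audit(text):
    """Map each client-mode service to its findings (empty list = OK)."""
    global_opts, services = parse_stunnel_conf(text)
    report = {}
    for name, opts in services.items():
        eff = {**global_opts, **opts}   # options before the first section act as defaults
        if eff.get("client", "no").lower() != "yes":
            continue                    # server-mode service: out of scope for this check
        chain = eff.get("verifychain", "no").lower() == "yes"
        peer = eff.get("verifypeer", "no").lower() == "yes"
        legacy = eff.get("verify", "").isdigit() and int(eff["verify"]) >= 2
        findings = report[name] = []
        if not (chain or peer or legacy):
            findings.append("backend certificate is not verified")
        elif chain and not peer and not ("checkhost" in eff or "checkip" in eff):
            findings.append("chain verified but no checkHost/checkIP pins the backend identity")
    return report
```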

Event Timeline

Southparkfan raised the priority of this task from High to Unbreak Now!. Mar 13 2019, 15:27

Looking into this now..

Paladox added a subscriber: Paladox.
NDKilla added a subscriber: NDKilla. Mar 13 2019, 16:27

That's kind of funny (read as: awful), herald made security task temporarily visible to Amanda.

John added a subscriber: John. Mar 13 2019, 16:36

> That's kind of funny (read as: awful), herald made security task temporarily visible to Amanda.

No it did not.

NDKilla added a comment. Mar 13 2019, 16:47
In T4196#80101, @John wrote:

> > That's kind of funny (read as: awful), herald made security task temporarily visible to Amanda.
>
> No it did not.

This was my bad. Not to hijack this thread but herald behaves differently than I thought.

Southparkfan lowered the priority of this task from Unbreak Now! to High. Mar 13 2019, 18:35

I have a hard time understanding how stunnel works with the backend server with regards to certificates. I have not been able to prove (in)valid verification by stunnel.

A proper solution (to make sure stunnel verifies the clients for 100%) would probably be to create a self-signed certificate and let nginx use that - however that would break test1.miraheze.org which would then need the old config. Such a drastic change cannot be done in just one day, thus reducing priority.

Southparkfan closed this task as Declined. Jul 3 2019, 18:31
Southparkfan claimed this task.

Non-existent issue.

Southparkfan changed the visibility from "Custom Policy" to "Public (No Login Required)". Jul 3 2019, 23:26
Southparkfan changed the edit policy from "Custom Policy" to "All Users".
AmandaCath added a subscriber: AmandaCath. Edited Jul 4 2019, 00:24

Obviously just seeing this now... @NDKilla one of the conditions in my Herald rule is to automatically add my project tag to any task that is UBN priority.

(Although I was away at the time so I didn't even see it when it occurred)