https://bz.apache.org/bugzilla/show_bug.cgi?id=61984
Bug ID: 61984
Summary: mod_ssl has SSLProxyVerify set to none by default
Product: Apache httpd-2
Version: 2.5-HEAD
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: mod_ssl
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ---
mod_ssl has SSLProxyVerify set to none by default.
SSL offers no real security without verification of the cert, so this should be
turned on by default. Those who may not read into the entire configuration
could incorrectly believe that by using SSL it is doing the sensible default
thing here, checking the certificate. This could lead to configurations that
are susceptible to MiTM attacks via self-signed certs.
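A configuration check for the default described in this report, as an added example that is not part of the original report or of httpd: it flags every scope where `SSLProxyEngine` is on but the effective `SSLProxyVerify` is anything other than `require`. The function name `audit` and the sample configuration are constructed for illustration, and the parser is assumed to see one file with only global and `<VirtualHost>` scopes (it does not follow `Include` or handle `<Proxy>` sections).

```python
import re

# Constructed sample httpd configuration (not taken from the bug report).
SAMPLE_CONF = """\
SSLProxyEngine on
<VirtualHost *:443>
    ProxyPass / https://backend-a.example/
</VirtualHost>
<VirtualHost *:8443>
    SSLProxyVerify require
    SSLProxyCACertificateFile /etc/pki/backend-ca.pem
    ProxyPass / https://backend-b.example/
</VirtualHost>
<VirtualHost *:80>
    SSLProxyEngine off
</VirtualHost>
"""

# mod_ssl defaults when a directive is absent; "none" is the default the report is about.
DEFAULTS = {"sslproxyengine": "off", "sslproxyverify": "none"}

def audit(conf_text):
    """Return (scope, effective SSLProxyVerify) for each scope that proxies over TLS unverified."""
    scopes, current = {"global": {}}, "global"
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<VirtualHost\s+([^>]*)>", line, re.I)
        if opened:
            current = f"VirtualHost {opened.group(1).strip()} line {n}"
            scopes[current] = {}
        elif re.match(r"</VirtualHost\s*>", line, re.I):
            current = "global"
        else:
            parts = line.split()
            if parts[0].lower() in DEFAULTS and len(parts) > 1:
                scopes[current][parts[0].lower()] = parts[1].lower()
    findings = []
    for scope, local in scopes.items():
        # A virtual host inherits the global value unless it sets its own.
        eff = {**DEFAULTS, **scopes["global"], **local}
        if eff["sslproxyengine"] == "on" and eff["sslproxyverify"] != "require":
            findings.append((scope, eff["sslproxyverify"]))
    return findings

if __name__ == "__main__":
    for scope, level in audit(SAMPLE_CONF):
        print(f"{scope}: SSLProxyEngine on with SSLProxyVerify {level}")
```

A flagged scope is corrected by setting `SSLProxyVerify require` together with a trust anchor such as `SSLProxyCACertificateFile`, as the second virtual host in the sample does.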