When creating the SSL_CTX for ATS initiating connections to origin, we always call SSL_CTX_set_default_verify_path which adds the default trusted root packages on the system. You can also set your own via settings, but the default case is also added.
For a reverse proxy, the default trusted root set is probably not desirable. You probably just want to verify that your origins are signed with your small set of trusted roots. Adding more trusted roots just allows for the possibility that you accept a cert signed by someone else entirely.
There are a couple of options to fix this:

1. Add a new setting to ignore the default trusted roots.
2. Don't call SSL_CTX_set_default_verify_path if a CA file or CA directory is explicitly defined.
3. The reverse proxy folks should just move the default trusted root files out of the way if they care (which is accidentally what we did).
No option is technically difficult, but probably worth a bit of discussion.
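The trust-policy difference discussed above, as an added example that is not ATS code: it uses Python's `ssl` module, whose `load_verify_locations` and `load_default_certs` wrap the same OpenSSL calls (SSL_CTX_load_verify_locations and SSL_CTX_set_default_verify_paths). `build_origin_context`, `trusted_ca_count` and `demo` are names chosen here; the `always_add_system_roots` flag reproduces the reported behaviour (explicit CA set plus system roots) so it can be compared against option 2.

```python
import ssl
import tempfile
from typing import Optional, Tuple


def build_origin_context(ca_file: Optional[str] = None,
                         ca_dir: Optional[str] = None,
                         always_add_system_roots: bool = False) -> ssl.SSLContext:
    """Client-side TLS context for proxy-to-origin connections.

    Option 2 from the discussion: when the operator names a CA file or CA
    directory, trust only that set. The system default roots are loaded only
    as a fallback when nothing explicit is configured. Passing
    always_add_system_roots=True reproduces the reported behaviour, where the
    default roots are added on top of the explicit set.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED   # origin must present a valid chain
    ctx.check_hostname = True             # and the chain must match the origin name
    explicit = bool(ca_file or ca_dir)
    if explicit:
        # Wraps SSL_CTX_load_verify_locations: only the operator's roots.
        ctx.load_verify_locations(cafile=ca_file, capath=ca_dir)
    if not explicit or always_add_system_roots:
        # Wraps SSL_CTX_set_default_verify_paths: the system's trusted root set.
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    return ctx


def trusted_ca_count(ctx: ssl.SSLContext) -> int:
    """Number of CA certificates currently loaded into the context's X509 store."""
    return ctx.cert_store_stats()["x509_ca"]


def demo() -> Tuple[int, int, int]:
    """Return CA counts for (option 2, reported behaviour, no explicit config).

    Constructed input: an empty CA directory stands in for the operator's small
    private root set, so with option 2 the store holds exactly those roots (zero).
    """
    with tempfile.TemporaryDirectory() as ca_dir:
        only_explicit = trusted_ca_count(build_origin_context(ca_dir=ca_dir))
        explicit_plus_system = trusted_ca_count(
            build_origin_context(ca_dir=ca_dir, always_add_system_roots=True))
    fallback = trusted_ca_count(build_origin_context())
    return only_explicit, explicit_plus_system, fallback
```

With option 2 the count stays at whatever the operator loaded regardless of what the host's system store contains, while the reported behaviour grows the trusted set by every system root.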
This issue has been automatically marked as stale because it has not had recent activity. Marking it stale to flag it for further consideration by the community.