Should allow control on whether default cert paths/files are included for verification #1525

@shinrich

Description

When creating the SSL_CTX for ATS initiating connections to origin, we always call SSL_CTX_set_default_verify_path which adds the default trusted root packages on the system. You can also set your own via settings, but the default case is also added.

For a reverse proxy, the default trusted root set is probably not desirable. You probably just want to verify that your origins are signed with your small set of trusted roots. Adding more trusted roots just allows for the possibility that you accept a cert signed by someone else entirely.

There are a couple of options to fix this:

  1. Add a new setting to ignore default trusted root
  2. Don't call SSL_CTX_set_default_verify_path if a CA file or CA directory is explicitly defined.
  3. The reverse proxy folks should just move the default trusted root files out of the way if they care (which is accidentally what we did).

No option is technically difficult, but probably worth a bit of discussion.
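As an added illustration of options 1 and 2 above (this is example code, not ATS code or anything from the issue author), the following Python uses the standard `ssl` module, whose `load_verify_locations` and `load_default_certs` wrap the same OpenSSL calls the issue discusses (`SSL_CTX_load_verify_locations` and `SSL_CTX_set_default_verify_paths`). The `OriginTlsConfig` settings names and the `/etc/ats/origin-roots.pem` path are constructed for the example; ATS's real records are not reproduced here. The decision function skips the system trust store either when an explicit opt-out is set (option 1) or when a CA file or directory is configured (option 2), so a reverse proxy ends up trusting only its own small root set.

```python
import ssl
from dataclasses import dataclass
from typing import Optional


@dataclass
class OriginTlsConfig:
    """Hypothetical origin-side TLS settings (names constructed for this example)."""
    ca_file: Optional[str] = None        # explicit CA bundle (PEM file)
    ca_path: Optional[str] = None        # explicit hashed CA directory
    ignore_default_roots: bool = False   # option 1: explicit opt-out setting


def should_load_default_roots(cfg: OriginTlsConfig) -> bool:
    """Combine option 1 and option 2: the system trust store is added only
    when the operator has not opted out AND no explicit CA source exists."""
    if cfg.ignore_default_roots:
        return False
    return cfg.ca_file is None and cfg.ca_path is None


def build_origin_context(cfg: OriginTlsConfig) -> ssl.SSLContext:
    """Build a client-side context for proxy-to-origin connections.

    A bare SSLContext starts with an EMPTY trust store; nothing is trusted
    until we load something into it, which is exactly the property a
    reverse proxy wants to control.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED   # origin must present a chain we trust
    ctx.check_hostname = True             # and the name must match

    if cfg.ca_file or cfg.ca_path:
        # SSL_CTX_load_verify_locations: the operator's own roots
        ctx.load_verify_locations(cafile=cfg.ca_file, capath=cfg.ca_path)

    if should_load_default_roots(cfg):
        # SSL_CTX_set_default_verify_paths: every root the OS ships
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)

    return ctx


def trusted_ca_count(ctx: ssl.SSLContext) -> int:
    """Number of CA certificates currently in the context's store."""
    return ctx.cert_store_stats()["x509_ca"]


if __name__ == "__main__":
    # Strict reverse-proxy setup: opt out of system roots, trust nothing else yet.
    strict = build_origin_context(OriginTlsConfig(ignore_default_roots=True))
    print("strict store CA count:", trusted_ca_count(strict))  # 0

    # Legacy behaviour: no explicit CA configured, so the OS bundle is loaded.
    legacy = build_origin_context(OriginTlsConfig())
    print("legacy store CA count:", trusted_ca_count(legacy))  # OS-dependent

    # Option 2 in action: an explicit file means defaults are NOT added.
    print("defaults with explicit CA file:",
          should_load_default_roots(OriginTlsConfig(ca_file="/etc/ats/origin-roots.pem")))
```

Running the script on a host with a populated system trust store shows the gap the issue describes: the legacy context reports dozens or hundreds of CAs while the strict one reports zero, and any origin certificate will only verify against whatever the operator loads explicitly. Checking `cert_store_stats()` after context construction is a cheap runtime assertion that the default paths really were excluded.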
