mirror of
https://github.com/pomerium/pomerium.git
synced 2025-04-29 02:16:28 +02:00
04585af9ef
Currently Pomerium will always generate a wildcard certificate for use as a fallback certificate. If any other certificate is configured, this fallback certificate will not normally be presented, except in the case of a TLS connection where the client does not include the Server Name Indication (SNI) extension. All modern browsers support SNI, so in practice this certificate should never be presented to end users. However, some network scanning tools will probe connections by IP addresses (without SNI), and so this fallback certificate may be presented. The presence of this certificate may be flagged as a problem in some automated vulnerability scans. Let's avoid generating this fallback certificate if Pomerium has any other certificate configured (unless specifically requested by the Auto TLS option). This should prevent false positive reports from these particular vulnerability scans. |
||
|---|---|---|
| .. | ||
| filemgr | ||
| luascripts | ||
| testdata | ||
| acmetlsalpn.go | ||
| acmetlsalpn_test.go | ||
| bootstrap.go | ||
| bootstrap_test.go | ||
| builder.go | ||
| clusters.go | ||
| clusters_envoy_admin.go | ||
| clusters_test.go | ||
| envoyconfig.go | ||
| filters.go | ||
| http_connection_manager.go | ||
| listeners.go | ||
| listeners_envoy_admin.go | ||
| listeners_grpc.go | ||
| listeners_main.go | ||
| listeners_main_test.go | ||
| listeners_metrics.go | ||
| listeners_test.go | ||
| lua.go | ||
| lua_test.go | ||
| outbound.go | ||
| outbound_test.go | ||
| per_filter_config.go | ||
| protocols.go | ||
| protocols_int_test.go | ||
| protocols_test.go | ||
| quic.go | ||
| route_configurations.go | ||
| route_configurations_test.go | ||
| routes.go | ||
| routes_test.go | ||
| tls.go | ||
| tls_test.go | ||
| tracing.go | ||
| tracing_test.go | ||