id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc	uname	nginx_version
1690	Add MITM detection	Fabian Franz BSc		"Caddy has a feature to detect TLS MITM attacks by comparing manipulated Client Hello messages with the ones used by the browsers. If the MITM does not mirror all properties of the one used by the client, it will be detected.

It would be good to have such a feature in nginx as well, as it would be good for some applications if they could reject such a connection.

Source of Caddy:
https://github.com/mholt/caddy/blob/09188981c477e1972012592a5c695ade777770ef/caddyhttp/httpserver/mitm.go

Feature request in the OPNsense plugins repository:
https://github.com/opnsense/plugins/issues/1044

"	enhancement	closed	minor		nginx-module	1.15.x	wontfix	TLS		Linux host 4.19.5.a-1-hardened #1 SMP PREEMPT Fri Nov 30 01:54:36 CET 2018 x86_64 GNU/Linux	"nginx version: nginx/1.14.1
built with OpenSSL 1.1.1  11 Sep 2018 (running with OpenSSL 1.1.1a  20 Nov 2018)
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --conf-path=/etc/nginx/nginx.conf --sbin-path=/usr/bin/nginx --pid-path=/run/nginx.pid --lock-path=/run/lock/nginx.lock --user=http --group=http --http-log-path=/var/log/nginx/access.log --error-log-path=stderr --http-client-body-temp-path=/var/lib/nginx/client-body --http-proxy-temp-path=/var/lib/nginx/proxy --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-cc-opt='-march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong -fno-plt -D_FORTIFY_SOURCE=2' --with-ld-opt=-Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now --with-compat --with-debug --with-file-aio --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_degradation_module --with-http_flv_module --with-http_geoip_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-pcre-jit --with-stream --with-stream_geoip_module --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-threads"
