id: 1690
summary: Add MITM detection
reporter: Fabian Franz BSc
owner:
description:
    Caddy has a feature to detect TLS MITM attacks by comparing manipulated Client Hello messages with the ones used by the browsers. If the MITM does not mirror all properties of the one used by the client, it will be detected. It would be good to have such a feature in nginx as well as it would be good for some applications if they could reject such a connection.

    Source of Caddy: https://github.com/mholt/caddy/blob/09188981c477e1972012592a5c695ade777770ef/caddyhttp/httpserver/mitm.go

    Feature request in the OPNsense plugins repository: https://github.com/opnsense/plugins/issues/1044
type: enhancement
status: closed
priority: minor
milestone:
component: nginx-module
version: 1.15.x
resolution: wontfix
keywords: TLS
cc:
uname: Linux host 4.19.5.a-1-hardened #1 SMP PREEMPT Fri Nov 30 01:54:36 CET 2018 x86_64 GNU/Linux
nginx_version:
    nginx version: nginx/1.14.1
    built with OpenSSL 1.1.1 11 Sep 2018 (running with OpenSSL 1.1.1a 20 Nov 2018)
    TLS SNI support enabled
    configure arguments: --prefix=/etc/nginx --conf-path=/etc/nginx/nginx.conf --sbin-path=/usr/bin/nginx --pid-path=/run/nginx.pid --lock-path=/run/lock/nginx.lock --user=http --group=http --http-log-path=/var/log/nginx/access.log --error-log-path=stderr --http-client-body-temp-path=/var/lib/nginx/client-body --http-proxy-temp-path=/var/lib/nginx/proxy --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-cc-opt='-march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong -fno-plt -D_FORTIFY_SOURCE=2' --with-ld-opt=-Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now --with-compat --with-debug --with-file-aio --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_degradation_module --with-http_flv_module --with-http_geoip_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-pcre-jit --with-stream --with-stream_geoip_module --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-threads