From: Simon Ruderich Date: Tue, 15 Mar 2011 18:05:26 +0000 (+0100) Subject: README: Clarify use of `proxy-invalid.pem`. X-Git-Tag: 0.2~17 X-Git-Url: https://ruderich.org/simon/gitweb/?a=commitdiff_plain;h=d3ee0e4a91df6a73d93db8f1b0e70d2c528fc7b8;p=tlsproxy%2Ftlsproxy.git README: Clarify use of `proxy-invalid.pem`. No client data is sent to the server in case of an error. --- diff --git a/README b/README index 31a4a56..ebcb53f 100644 --- a/README +++ b/README @@ -48,8 +48,11 @@ certificate to secure the connection to the client (signed by `proxy-ca.pem`). If an error occurs in the validation (missing `certificate-*.pem` files, fingerprint changed, etc.) it's logged by the proxy (stdout) and the special -`proxy-invalid.pem` certificate is used. It's easy to spot in the browser -because it uses an invalid hostname ("invalid") and is self-signed. +`proxy-invalid.pem` certificate is used to send a 500 error message to the +client. The connection to the server is closed so there's no chance that any +client data is sent to the (possible) evil server. The invalide certificate is +also easy to spot in the browser because it uses an invalid hostname +("invalid") and is self-signed. If an internal error occurs before the TLS connection can be established a 503 Forwarding failure is sent to the client (unencrypted).