# Date : 07/28/2017
# Author : Oscar Martinez
# Vendor : IBM
# Software : bluemix https://www.ibm.com/cloud-computing/bluemix/
# Vulnerability Description:

You can use routes in your container group to access your server. If you want to protect it, you can use mutual TLS authentication (https://developer.ibm.com/apiconnect/2016/07/06/securing-apic-bm-app-mutual-tls/). So, if you want to connect to your Bluemix application (a container group with route https:///), you should have to send your client certificate. BUT any user CAN access it without the client certificate.

1. Use https://developer.ibm.com/apiconnect/2016/07/06/securing-apic-bm-app-mutual-tls/ to set up mutual TLS authentication. https:// is configured with a custom domain in Bluemix (Bluemix Dashboard > Manage Organizations > Domains > Add Domain) to force mutual TLS authentication, and a route with the custom domain points to your application (go to the Application Overview page > Edit Routes and App Access).

2. Normal behaviour: the user should have to send the client certificate:

   openssl s_client -connect :443 -servername 

3. Abnormal behaviour: the user DOESN'T need to send the client certificate:

   openssl s_client -connect :443
   GET / HTTP/1.0

This is because the Bluemix server (the one that does the routing) has 2 certificates, and a connection that sends no SNI (no -servername) is answered by the default one:

1. CN=*.mybluemix.net (this route doesn't appear in the GUI under container group routing) and doesn't force the use of the client certificate.
2. The custom uploaded certificate, CN=

Time Line
---------

* 06/21/2017: First contact with vendor (https://www.ibm.com/scripts/contact/contact/us/en/security_vulnerabilities/)
* 06/22/2017: IBM PSIRT assigned PSIRT Advisory <8944>
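An added example, not part of the original advisory: a small checker that runs the two probes from steps 2 and 3 (with and without SNI, never presenting a client certificate) against your own custom-domain route and reports whether mutual TLS is enforced on both paths. The host comes from the command line; treating any 2xx/3xx reply as "served without a client certificate" is an assumption of this script.

```python
import socket
import ssl

def probe(host, port=443, sni=None, timeout=5):
    """One TLS connection with NO client certificate. sni=None sends no SNI
    extension (the no -servername case). Returns a dict instead of raising
    so the two probes can be compared side by side."""
    r = {"sni": sni, "handshake": False, "cn": None, "status": None, "error": None}
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # without SNI the default cert will not match the host
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                r["handshake"] = True
                # subject is a tuple of RDNs; pull out the CN the router presented
                subject = dict(rdn[0] for rdn in tls.getpeercert().get("subject", ()))
                r["cn"] = subject.get("commonName")
                # a server enforcing mTLS under TLS 1.3 may only reject us here
                tls.sendall(f"GET / HTTP/1.0\r\nHost: {host}\r\n\r\n".encode())
                first = tls.recv(1024).split(b"\r\n", 1)[0].decode(errors="replace")
                parts = first.split()
                if len(parts) >= 2 and parts[1].isdigit():
                    r["status"] = int(parts[1])
    except OSError as exc:  # ssl.SSLError is a subclass of OSError
        r["error"] = exc.__class__.__name__
    return r

def accepts_without_client_cert(r):
    """True when the route served a 2xx/3xx reply to a client with no
    certificate (assumption: a 4xx or a TLS alert counts as enforced)."""
    return r["status"] is not None and r["status"] < 400

def assess(with_sni, without_sni):
    """Compare the SNI and no-SNI probes of the same route."""
    if accepts_without_client_cert(with_sni):
        return "NOT ENFORCED: route answers without a client certificate even with SNI"
    if accepts_without_client_cert(without_sni):
        return ("BYPASS: client cert required under SNI, but a connection without SNI "
                f"is served by cert CN={without_sni['cn']} with no client certificate")
    return "OK: client certificate required with and without SNI"

if __name__ == "__main__":
    import sys
    host = sys.argv[1]  # the custom domain routed to the container group
    a, b = probe(host, sni=host), probe(host, sni=None)
    for r in (a, b):
        print(r)
    print(assess(a, b))
```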