[PATCH] Upstream: fixed SSL initialization on read events
Maxim Dounin
mdounin at mdounin.ru
Sun Feb 8 20:23:13 UTC 2026
# HG changeset patch
# User Maxim Dounin <mdounin at mdounin.ru>
# Date 1770581815 -10800
# Sun Feb 08 23:16:55 2026 +0300
# Node ID bce5954f74a115503fd22d955d0fcea18f6c77cb
# Parent b44cd6f3bc983859f3a213fbff19b4761ac59ec8
Upstream: fixed SSL initialization on read events.
Previously, SSL initialization only happened on write events, which are
reported once a TCP connection is established. However, if some data
are received before the write event is reported, the read event might be
reported first, potentially resulting in a plain text response being
accepted when it shouldn't (CVE-2026-1642).
Normally SSL servers do not send anything before ClientHello from the
client, though formally they are allowed to (for example, HelloRequest
messages may be sent at any time). As such, the fix is to do proper SSL
initialization on read events as well. This ensures correct and identical
behaviour regardless of the order of events being reported.
diff --git a/src/http/ngx_http_upstream.c b/src/http/ngx_http_upstream.c
--- a/src/http/ngx_http_upstream.c
+++ b/src/http/ngx_http_upstream.c
@@ -2442,6 +2442,15 @@ ngx_http_upstream_process_header(ngx_htt
return;
}
+#if (NGX_HTTP_SSL)
+
+ if (u->ssl && c->ssl == NULL) {
+ ngx_http_upstream_ssl_init_connection(r, u, c);
+ return;
+ }
+
+#endif
+
if (u->buffer.start == NULL) {
u->buffer.start = ngx_palloc(r->pool, u->conf->buffer_size);
if (u->buffer.start == NULL) {
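Review bot: the new guard in ngx_http_upstream_process_header returns early after ngx_http_upstream_ssl_init_connection(r, u, c), so correctness depends on that function re-arming the read handler so that process_header is re-entered once the handshake completes, and on it tolerating a read event that arrives before the write event (the case the commit message describes); neither is visible in the hunk, so a short comment above the #if (NGX_HTTP_SSL) block stating that any data already queued on the socket is consumed by the handshake rather than by the plain-text header parser would help the next reader. Since the commit message says the same initialization was previously done only on the write-event path, it would also be worth noting there that the two guards are now expected to stay identical.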