[PATCH] Upstream: fixed SSL initialization on read events

Vladimir Homutov vl at inspert.ru
Mon Feb 9 13:58:34 UTC 2026


On Sun, Feb 08, 2026 at 11:23:13PM +0300, Maxim Dounin wrote:
> # HG changeset patch
> # User Maxim Dounin <mdounin at mdounin.ru>
> # Date 1770581815 -10800
> #      Sun Feb 08 23:16:55 2026 +0300
> # Node ID bce5954f74a115503fd22d955d0fcea18f6c77cb
> # Parent  b44cd6f3bc983859f3a213fbff19b4761ac59ec8
> Upstream: fixed SSL initialization on read events.
>
> Previously, SSL initialization only happened on write events, which are
> reported once a TCP connection is established.  However, if some data
> are received before the write event is reported, the read event might be
> reported first, potentially resulting in a plain text response being
> accepted when it shouldn't (CVE-2026-1642).
>
> Normally SSL servers do not send anything before ClientHello from the
> client, though formally they are allowed to (for example, HelloRequest
> messages may be sent at any time).  As such, the fix is to do proper SSL
> initialization on read events as well.  This ensures correct and identical
> behaviour regardless of the order of events being reported.

Hello,

While the fix does the job, I think that the root reason is the fact that we
set u->read_event_handler to ngx_http_upstream_process_header in
ngx_http_upstream_connect(), when we haven't yet sent the request.

And we have no idea what the request will be (maybe plaintext, maybe
SSL, maybe some other protocol).

It looks like the reasonable default for u->read_event_handler should be
something like 'reject_premature_response'.

And when we later connect and send the request, we may override it with
appropriate handlers according to the desired protocol.
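The handler-ordering idea above, as an added illustration that is not nginx code and not part of this thread: a hypothetical upstream struct whose read handler defaults to rejection until the write event has sent the request, dispatched in both event orders. All names here (upstream_t, reject_premature_response, process_header, send_request, run_events) are stand-ins for u->read_event_handler and friends, not nginx's own API.

```c
/* Added illustration of the "reject until request sent" default.
 * NOT nginx code: the struct and handler names are hypothetical. */
#include <stdio.h>
#include <string.h>

typedef struct upstream_s upstream_t;
typedef void (*ev_handler_t)(upstream_t *u, const char *data);

struct upstream_s {
    ev_handler_t read_event_handler;
    ev_handler_t write_event_handler;
    int request_sent;        /* set once the request has been written */
    int header_accepted;     /* 1 if a response header was accepted */
    int premature_rejected;  /* 1 if data arrived before the request */
    int closed;              /* 1 once the connection is torn down */
};

/* Default read handler: nothing may be accepted before the request is
 * sent, whatever the protocol (plain, SSL, other) turns out to be. */
static void reject_premature_response(upstream_t *u, const char *data) {
    (void)data;
    u->premature_rejected = 1;
    u->closed = 1;           /* drop the connection, do not parse */
}

/* Protocol-specific handler, installed only after the request is sent. */
static void process_header(upstream_t *u, const char *data) {
    if (data && strncmp(data, "HTTP/1.", 7) == 0)
        u->header_accepted = 1;
}

/* Write event: connection established, send request, then override the
 * default read handler with the one appropriate for the protocol. */
static void send_request(upstream_t *u, const char *data) {
    (void)data;
    u->request_sent = 1;
    u->read_event_handler = process_header;
}

/* Mirrors the suggestion: the read handler defaults to rejection. */
void upstream_connect(upstream_t *u) {
    memset(u, 0, sizeof(*u));
    u->read_event_handler = reject_premature_response;
    u->write_event_handler = send_request;
}

/* Dispatch events in the given order ('r' = read, 'w' = write); rx is the
 * constructed sample data delivered on each read event. */
void run_events(upstream_t *u, const char *order, const char *rx) {
    for (; *order && !u->closed; order++) {
        if (*order == 'r') u->read_event_handler(u, rx);
        else               u->write_event_handler(u, NULL);
    }
}
```

With the read event reported first, the constructed plain-text response is rejected and the connection closed; with the write event first, the same bytes reach process_header as intended.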
