The main branch of nginx 1.27.4 has been released, within which new features are being developed, as well as the release of the parallel-supported stable branch of nginx 1.26.3, which only introduces changes related to the elimination of serious errors and vulnerabilities. The updates eliminate a vulnerability (CVE-2025-23419) that allows bypassing the verification of client TLS certificates.
The vulnerability is caused by a lack of proper validation when handling virtual hosts bound to a single IP address and port number, and selected during HTTPS access based on the domain name specified using the SNI TLS extension. In such configurations, an attacker could reuse a TLS session in the context of a different virtual host to bypass authentication using the client's TLS certificate. The issue manifests itself in configurations that support TLS session resumption using a "TLS session ticket" or that use a TLS session cache in the settings. Server by default, which uses authentication via client TLS certificates. The vulnerability has been present since release nginx 1.11.4 when built with OpenSSL and enabling the TLSv1.3 protocol.
Non-security related changes:
- Added capabilities to reduce resource consumption and CPU load when using TLS in configurations with a large number of server and location blocks. The added changes allow using the existing SSL context from the parent block instead of creating a separate SSL context (SSL_CTX in OpenSSL) for each configuration block.
- Fixed issues with long loading of configuration files due to repeated parsing of the same set TLS certificates, keys, and lists of certification authorities. Configuration reloads have been accelerated by reusing unchanged TLS objects, such as certificates, keys, and CRLs. The "ssl_object_cache_inheritable" directive has been added to disable object inheritance during configuration updates.
- Added cache for certificates and keys loaded using variables in directives (e.g. "ssl_certificate /etc/ssl/$ssl_server_name.crt"). The following directives have been added to manage the cache: "ssl_certificate_cache", "proxy_ssl_certificate_cache", "grpc_ssl_certificate_cache" and "uwsgi_ssl_certificate_cache". These directives can be used to configure the maximum cache size, the validity period of records, and the time to clean up unused records. For example: "ssl_certificate_cache max=1000 inactive=20s valid=1m;".
- Added the "keepalive_min_timeout" directive, which defines the timeout during which nginx will not close the keep-alive connection with the client.
- The problem with the appearance of log messages "gzip filter failed to use preallocated memory" when building with the zlib-ng library has been resolved.
- Fixed a problem with building the libatomic library when using the "--with-libatomic=DIR" build option
- Fixed a bug that made it impossible to establish a connection via the QUIC protocol when using 0-RTT.
- Ensured that QUIC version negotiation requests from clients are ignored.
- Solved problems with building on Solaris 10 with the ngx_http_v3_module module.
- Errors in HTTP/3 implementation have been fixed.
Source: opennet.ru
