Skip to content

fix(security): reject plaintext upgrades when SSL is enabled#1550

Open
someonegg wants to merge 1 commit into
tsl0922:mainfrom
someonegg:fix/reject-plaintext-upgrades
Open

fix(security): reject plaintext upgrades when SSL is enabled#1550
someonegg wants to merge 1 commit into
tsl0922:mainfrom
someonegg:fix/reject-plaintext-upgrades

Conversation

@someonegg

Copy link
Copy Markdown

Summary

  • reject non-TLS HTTP upgrade requests when SSL is enabled
  • keep existing HTTP-to-HTTPS redirect behavior for normal HTTP requests
  • prevent plaintext WebSocket upgrades from bypassing SSL enforcement

Security impact

When ttyd is started with SSL enabled, libwebsockets is configured to allow plaintext HTTP on the SSL port and redirect it to HTTPS. Normal HTTP requests are redirected, but plaintext WebSocket upgrade requests can still be accepted and return 101 Switching Protocols.

This means /ws can be reached over a non-TLS connection even when SSL is enabled. If mTLS is configured with --ssl-ca, client certificate verification only happens during the TLS handshake, so this plaintext upgrade path can bypass the expected client certificate check.

This patch rejects all non-TLS HTTP upgrade requests when SSL is enabled.

Testing

  • cmake -S . -B build
  • cmake --build build
  • verified http://127.0.0.1:<port>/ returns 301 Redirect
  • verified plaintext WebSocket upgrade to /ws no longer returns 101 Switching Protocols
  • verified https://127.0.0.1:<port>/token still returns 200 OK

@someonegg someonegg changed the title Reject plaintext upgrades when SSL is enabled fix(security): reject plaintext upgrades when SSL is enabled Jun 20, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant