SNI support broken in lighttpd-1.4.26

Bug #627789 reported by Kevin Landreth
This bug affects 7 people
Affects            Status        Importance  Assigned to  Milestone
lighttpd           Fix Released  Undecided   Unassigned
lighttpd (Ubuntu)  Fix Released  High        Unassigned

Bug Description

Binary package hint: lighttpd

SNI : http://en.wikipedia.org/wiki/Server_Name_Indication
Upstream bug (fixed): http://redmine.lighttpd.net/issues/2125

Description: Using ssl.pemfile inside HTTP host conditionals to enable SNI support results in the wrong certificate being returned. It doesn't seem to matter how many hosts are declared (as few as two). This results in SSL bad domain failures on the browsers. The source of the problem is con->uri.authority not getting cleared which messes up the HTTP host conditional.

I've recompiled 1.4.26-1.1ubuntu3 with the minimal patch provided by upstream note #9 and everything appears to work as expected. This is fixed in 1.4.27: http://redmine.lighttpd.net/versions/show/24

Example host declaration:
$HTTP["host"] == "subdomain.xyz.com" {
    server.document-root = "/var/www/xyz"
    $HTTP["scheme"] == "https" {
        # per-host pemfile: the certificate lighttpd should present when the SNI name is subdomain.xyz.com
        ssl.pemfile = "/etc/ssl/private/stats.xyz.pem"
        ssl.ca-file = "/etc/ssl/certs/ca.pem"
    }
}

Hope this bug report was helpful. From the looks of it, it affects Lucid and Maverick both.
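The symptom above (the browser sees a certificate for a different name than the one it asked for) is easy to confirm from the outside: open one TLS connection per virtual host, send that host name in the SNI extension, and compare the DNS names on the returned certificate with the name you sent. The script below is an added example for this report, not code from lighttpd or from the reporter. The host, port, CA file and vhost names on the command line are whatever your deployment uses; the two certificate dicts at the bottom are constructed in the shape `getpeercert()` returns, so the matching logic can be exercised without a server.

```python
"""Check which certificate a TLS server hands back for a given SNI name.

Added example for this bug report, not code from lighttpd or the reporter.
It connects once per virtual host name, sends that name in the SNI
extension, and compares the returned certificate's DNS names against it,
which is exactly the check that fails under the bug described above.
"""
import socket
import ssl


def cert_names(cert):
    """Names a getpeercert() dict vouches for: SAN dNSName entries first,
    then the subject CN if it is not already listed (older certificates
    only carry the CN)."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and value not in names:
                names.append(value)
    return names


def name_matches(hostname, pattern):
    """Case-insensitive exact match, or a wildcard confined to the leftmost
    label ("*.xyz.com" matches "a.xyz.com" but not "a.b.xyz.com" or
    "xyz.com"), in the spirit of RFC 6125."""
    host = hostname.lower().rstrip(".")
    pat = pattern.lower().rstrip(".")
    if host == pat:
        return True
    if pat.startswith("*.") and "*" not in pat[2:]:
        host_labels = host.split(".")
        pat_labels = pat.split(".")
        return len(host_labels) == len(pat_labels) and host_labels[1:] == pat_labels[1:]
    return False


def cert_matches(hostname, cert):
    """True if any name on the certificate covers hostname."""
    return any(name_matches(hostname, name) for name in cert_names(cert))


def probe_sni(host, port, sni_name, cafile=None, timeout=5.0):
    """Connect to host:port, send sni_name in the SNI extension, and return
    (matches, names_on_returned_cert). A CA file (or the system store) is
    needed because Python only exposes the parsed certificate when it was
    verified; hostname checking is turned off so that a mismatch is
    reported instead of raised."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # verify_mode stays CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni_name) as tls:
            cert = tls.getpeercert()
    return cert_matches(sni_name, cert), cert_names(cert)


# Constructed getpeercert()-style dicts standing in for two vhost
# certificates (hypothetical names); they let the matching logic run offline.
SUBDOMAIN_CERT = {
    "subject": ((("commonName", "subdomain.xyz.com"),),),
    "subjectAltName": (("DNS", "subdomain.xyz.com"),),
}
WWW_CERT = {
    "subject": ((("commonName", "www.xyz.com"),),),
    "subjectAltName": (("DNS", "www.xyz.com"), ("DNS", "xyz.com")),
}


def simulate_bug():
    """Model of the reported failure: the server serves WWW_CERT no matter
    which SNI name the client sent. Returns {sni_name: matched}."""
    served = {"www.xyz.com": WWW_CERT, "subdomain.xyz.com": WWW_CERT}
    return {name: cert_matches(name, cert) for name, cert in served.items()}


if __name__ == "__main__":
    import sys
    # Usage: python sni_check.py HOST PORT CAFILE NAME [NAME ...]
    host, port, cafile, *names = sys.argv[1:]
    for name in names:
        ok, got = probe_sni(host, int(port), name, cafile=cafile)
        print(f"{name}: {'ok' if ok else 'WRONG CERT'} (cert names: {', '.join(got)})")
```

Run it once per name declared in a `$HTTP["host"]` block; a broken server prints `WRONG CERT` for every name after the first, which is the same observation the browsers report as a bad-domain error.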

Revision history for this message
luigifab (luigifab-deactivatedaccount) wrote :

Same problem with this configuration:

$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/ssl/private/localhost.pem"
}

When I start lighttpd, I get this error:

fabrice@wario:~$ sudo service lighttpd start
 * Starting web server lighttpd
2010-10-06 12:07:39: (network.c.336) SSL: error:00000000:lib(0):func(0):reason(0)
             [fail]

luigifab (luigifab-deactivatedaccount) wrote :

Sorry, I'm on Ubuntu 9.10 Karmic Koala with:
- lighttpd 1.4.22-1ubuntu4
- libssl 0.9.8g-16-ubuntu3.2
- openssl 0.9.8g-16ubuntu3.2
- Linux kernel 2.6.31-22.66

skuemmel (sebkuemmel) wrote :

You are gonna need an additional patch. The latest openssl-update caused lighttpd to break.

http://redmine.lighttpd.net/attachments/1095/08-ssl-retval-fix.patch

Daniel Hahler (blueyed)
Changed in lighttpd (Ubuntu):
status: New → Triaged
importance: Undecided → High
tags: added: patch patch-accepted-upstream

Daniel Hahler (blueyed) wrote :

skuemmel, is the patch mentioned in comment #3 related to bug 645002 by any chance, or independent from it?

To fix this particular bug here, r2724 should get used, correct? (http://redmine.lighttpd.net/projects/lighttpd/repository/revisions/2724).

Daniel Hahler (blueyed) wrote :

Sorry for the noise, I've answered the q

Daniel Hahler (blueyed) wrote :

...question myself.

Sebastien Bacher (seb128) wrote :

The issue is fixed in Natty, which has 1.4.28.

Changed in lighttpd (Ubuntu):
status: Triaged → Fix Released
Changed in lighttpd:
status: New → Fix Released
Austin (ninjamonic) wrote :

Any chance we can see a fix backported to lucid?

Vasya Pupkin (shadowlmd) wrote :

Please fix it in Lucid. Please!
