lighttpd broken by OpenSSL update

Bug #1832295 reported by Jim Tittsler on 2019-06-11
18
This bug affects 4 people
Affects Status Importance Assigned to Milestone
lighttpd (Ubuntu)
Undecided
Unassigned

Bug Description

After installing today's bionic OpenSSL update (1.1.0g-2ubuntu4.3 -> 1.1.1-1ubuntu2.1~18.04.1 and associated libraries) SSL is broken in lighttpd 1.4.45-1ubuntu3. The logs are full of messages of the form:

2019-06-11 12:02:20: (connections-glue.c.126) SSL: renegotiation initiated by client, killing connection

Perhaps problem with TLS v1.3 negotiation? (And the version of lighttpd is too old to have the ssl.openssl.ssl-conf-cmd directive to try to disable it.)

Description: Ubuntu 18.04.2 LTS
Release: 18.04

ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: lighttpd 1.4.45-1ubuntu3
ProcVersionSignature: Ubuntu 4.15.0-51.55-generic 4.15.18
Uname: Linux 4.15.0-51-generic x86_64
ApportVersion: 2.20.9-0ubuntu7.6
Architecture: amd64
Date: Tue Jun 11 14:18:55 2019
SourcePackage: lighttpd
UpgradeStatus: Upgraded to bionic on 2018-06-10 (365 days ago)
modified.conffile..etc.lighttpd.conf-available.10-cgi.conf: [modified]
modified.conffile..etc.lighttpd.lighttpd.conf: [modified]
mtime.conffile..etc.lighttpd.conf-available.10-cgi.conf: 2015-07-16T10:18:19.857892
mtime.conffile..etc.lighttpd.lighttpd.conf: 2019-06-11T12:01:59.493213

Jim Tittsler (jwt) wrote :
Jim Tittsler (jwt) wrote :

A Debian bug suggests that lighttpd < 1.4.51 is broken by libssl 1.1
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=913558

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in lighttpd (Ubuntu):
status: New → Confirmed
Jim Tittsler (jwt) wrote :

Simply rebuilding the source deb against the new libraries isn't enough to make it work.

Jim Tittsler (jwt) wrote :

To eliminate further downtime, I built/installed lighttpd 1.4.54 which resolved the problem.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.