lighttpd broken by OpenSSL update
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
lighttpd (Debian) | Fix Released | Unknown | |
lighttpd (Ubuntu) | Fix Released | Critical | Unassigned |
Bionic | Fix Released | Critical | Unassigned |
Cosmic | Fix Released | Critical | Unassigned |
Bug Description
[Impact]
* TLSv1.3 (which is enabled by default) connections are getting killed instead of succeeding negotiation.
[Test Case]
* Create a lighttpd server and attempt to connect over TLSv1.3.
* The connection should succeed.
Sample lighttpd.conf:
server.port = 443
ssl.engine = "enable"
ssl.pemfile = "/etc/lighttpd/
where server.pem is the concatenation of the snakeoil certificate and its private key.
Attempting curl to lighttpd results in:
# curl --cacert /etc/ssl/
curl: (52) Empty reply from server
# grep 'killing' /var/log/
2019-06-25 09:40:15: (connections-
After upgrading to the new lighttpd and repeating the curl, the home page is downloaded:
# curl --cacert /etc/ssl/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://
<html xmlns="http://
<head>
...
[Regression Potential]
* TLSv1.3 connections go through client-renegotiation handling when they should not, since renegotiation is no longer supported in TLSv1.3. Currently such connections are killed instead of completing negotiation. This change is a backport from a later 1.4 series point release, so the file paths do not match the original and variables are renamed; the affected code path, however, appears to be essentially the same. The patch should therefore be reviewed for rebase correctness, as there is room for error in the handling of client renegotiation with earlier TLS versions.
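An added verification helper, not part of the bug report or of lighttpd, that automates the [Test Case] above in Python: it pins one TLS version per connection, tells a failed handshake apart from curl's "(52) Empty reply from server" symptom, and probes TLSv1.2 as well so the renegotiation rebase noted under [Regression Potential] is checked too. The function names and the cafile argument (standing in for curl --cacert) are assumptions of this example.

```python
import socket
import ssl

# Outcomes of one probe. EMPTY_REPLY is curl's "(52) Empty reply from server":
# the TLS handshake completed but the server closed the connection before
# sending any HTTP bytes, which is what lighttpd 1.4.45 linked against
# OpenSSL 1.1.1 does on TLSv1.3 when it wrongly enters its renegotiation path.
HANDSHAKE_FAILED = "handshake_failed"
EMPTY_REPLY = "empty_reply"
OK = "ok"


def probe(host, port, version, cafile=None, timeout=5.0):
    """Open one HTTPS connection pinned to a single TLS version and classify it."""
    # cafile plays the role of curl --cacert (the snakeoil CA in the test case);
    # None means the system trust store.
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = version
    ctx.maximum_version = version
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host,
                             do_handshake_on_connect=False) as tls:
            try:
                tls.do_handshake()
            except (ssl.SSLError, OSError):
                return HANDSHAKE_FAILED
            # Handshake done: a healthy server answers a minimal HTTP/1.0 request.
            try:
                tls.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
                data = tls.recv(4096)
            except (ssl.SSLError, OSError):
                data = b""
            return OK if data.startswith(b"HTTP/") else EMPTY_REPLY


def verdict(tls12, tls13):
    """Turn the TLSv1.2 / TLSv1.3 probe outcomes into the test-case result."""
    if tls12 == OK and tls13 == OK:
        return "pass"
    if tls12 == OK and tls13 == EMPTY_REPLY:
        return "fail: TLSv1.3 handshake completes but the server kills the connection"
    if tls12 != OK and tls13 == OK:
        return "regression: TLSv1.3 now works but TLSv1.2 is broken"
    return "fail: tls1.2=%s tls1.3=%s" % (tls12, tls13)


def check(host, port=443, cafile=None):
    """Probe both versions against one server; returns (tls12, tls13, verdict)."""
    r12 = probe(host, port, ssl.TLSVersion.TLSv1_2, cafile)
    r13 = probe(host, port, ssl.TLSVersion.TLSv1_3, cafile)
    return r12, r13, verdict(r12, r13)
```

Run `check("localhost", 443, "/path/to/snakeoil-ca.pem")` before and after the upgrade; the broken package yields `("ok", "empty_reply", "fail: ...")` and the fixed one `("ok", "ok", "pass")`.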
[Upstream Link]
https:/
[Original Bugreport]
After installing today's bionic OpenSSL update (1.1.0g-2ubuntu4.3 -> 1.1.1-1ubuntu2.
2019-06-11 12:02:20: (connections-
Perhaps problem with TLS v1.3 negotiation? (And the version of lighttpd is too old to have the ssl.openssl.
Description: Ubuntu 18.04.2 LTS
Release: 18.04
ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: lighttpd 1.4.45-1ubuntu3
ProcVersionSign
Uname: Linux 4.15.0-51-generic x86_64
ApportVersion: 2.20.9-0ubuntu7.6
Architecture: amd64
Date: Tue Jun 11 14:18:55 2019
SourcePackage: lighttpd
UpgradeStatus: Upgraded to bionic on 2018-06-10 (365 days ago)
Jim Tittsler (jwt) wrote (#1):
Jim Tittsler (jwt) wrote (#2):
Launchpad Janitor (janitor) wrote (#3):
Status changed to 'Confirmed' because the bug affects multiple users.
Changed in lighttpd (Ubuntu): status: New → Confirmed
Jim Tittsler (jwt) wrote (#4):
Simply rebuilding the source deb against the new libraries isn't enough to make it work.
Jim Tittsler (jwt) wrote (#5):
To eliminate further downtime, I built/installed lighttpd 1.4.54 which resolved the problem.
Jeremy (j0k3r) wrote (#6):
Got that issue too.
All sites using https were down.
Temporary solution is to define `ssl.disable-
But it's not safe.
Changed in lighttpd (Ubuntu): importance: Undecided → Critical
tags: added: regression-update
Dimitri John Ledkov (xnox) wrote (#7):
> Temporary solution is to define `ssl.disable-
> But it's not safe.
Actually that should be the new default. Client-
Dimitri John Ledkov (xnox) wrote (#8):
Fix released in Disco and Eoan.
Affected series are Bionic and Cosmic.
Changed in lighttpd (Ubuntu Bionic): importance: Undecided → Critical
Changed in lighttpd (Ubuntu Cosmic): importance: Undecided → Critical
Changed in lighttpd (Ubuntu Bionic): status: New → In Progress
Changed in lighttpd (Ubuntu Cosmic): status: New → In Progress
Changed in lighttpd (Ubuntu): status: Confirmed → Fix Released
description: updated
Changed in lighttpd (Debian): status: Unknown → Fix Released
description: updated
description: updated
Hello Jim, or anyone else affected,
Accepted lighttpd into bionic-proposed. The package will build now and be available at https:/
Please help us by testing this new package. See https:/
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-
Further information regarding the verification process can be found at https:/
Changed in lighttpd (Ubuntu Bionic): status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-bionic
Changed in lighttpd (Ubuntu Cosmic): status: In Progress → Fix Committed
tags: added: verification-needed-cosmic
Robie Basak (racb) wrote (#10):
Hello Jim, or anyone else affected,
Accepted lighttpd into cosmic-proposed. The package will build now and be available at https:/
Please help us by testing this new package. See https:/
If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-
Further information regarding the verification process can be found at https:/
Dimitri John Ledkov (xnox) wrote (#11):
Reproducing on bionic:
# dpkg-query -W lighttpd
lighttpd 1.4.45-1ubuntu3
# curl --cacert /etc/ssl/
Fail
# sed 's/-updates/
# apt update
# apt install lighttpd
# dpkg-query -W lighttpd
lighttpd 1.4.45-
# curl --cacert /etc/ssl/
Pass
All is good in bionic-proposed.
tags: added: verification-done-bionic; removed: verification-needed-bionic
Dimitri John Ledkov (xnox) wrote (#12):
Reproducing on cosmic:
# dpkg-query -W lighttpd
lighttpd 1.4.45-1ubuntu3
# curl --cacert /etc/ssl/
Fail
# sed 's/-updates/
# apt update
# apt install lighttpd
# dpkg-query -W lighttpd
lighttpd 1.4.45-
# curl --cacert /etc/ssl/
Pass
All is good in cosmic-proposed.
tags: added: verification-done-cosmic; removed: verification-needed verification-needed-cosmic
Ferdi (ferdi-sttc-nlp) wrote (#13):
The version in proposed works for me.
Launchpad Janitor (janitor) wrote (#14):
This bug was fixed in the package lighttpd - 1.4.45-
---------------
lighttpd (1.4.45-
* Cherrypick and rebase upstream patch to disable client renegotiation
with TLSv1.3 connections. LP: #1832295
-- Dimitri John Ledkov <email address hidden> Mon, 24 Jun 2019 23:58:56 +0100
Changed in lighttpd (Ubuntu Cosmic): status: Fix Committed → Fix Released
The verification of the Stable Release Update for lighttpd has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.
Launchpad Janitor (janitor) wrote (#16):
This bug was fixed in the package lighttpd - 1.4.45-
---------------
lighttpd (1.4.45-
* Cherrypick and rebase upstream patch to disable client renegotiation
with TLSv1.3 connections. LP: #1832295
-- Dimitri John Ledkov <email address hidden> Mon, 24 Jun 2019 23:58:56 +0100
Changed in lighttpd (Ubuntu Bionic): status: Fix Committed → Fix Released
tags: added: bionic-openssl-1.1
A Debian bug suggests that lighttpd < 1.4.51 is broken by libssl 1.1: bugs.debian.org/cgi-bin/bugreport.cgi?bug=913558
https:/