lighttpd broken by OpenSSL update
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
lighttpd (Debian) | Fix Released | Unknown | |
lighttpd (Ubuntu) | Fix Released | Critical | Unassigned |
Bionic | Fix Released | Critical | Unassigned |
Cosmic | Fix Released | Critical | Unassigned |
Bug Description
[Impact]
* TLSv1.3 connections (TLSv1.3 is enabled by default) are killed instead of completing negotiation.
[Test Case]
* Create a lighttpd server and attempt to connect via TLSv1.3.
* The connection should succeed.
Sample lighttpd.conf:
server.port = 443
ssl.engine = "enable"
ssl.pemfile = "/etc/lighttpd/
where server.pem is the concatenation of the snakeoil certificate and its private key.
Attempting to curl lighttpd results in:
# curl --cacert /etc/ssl/
curl: (52) Empty reply from server
# grep 'killing' /var/log/
2019-06-25 09:40:15: (connections-
After upgrading to the new lighttpd and repeating the curl, the home page is downloaded:
# curl --cacert /etc/ssl/
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://
<html xmlns="http://
<head>
...
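The test case above can be made repeatable. The following script is an added example, not part of the bug report or of lighttpd's own test suite: it forces a TLS 1.3 handshake with curl (the `--tlsv1.3` option), counts the "killing" lines in the lighttpd error log before and after the request, and reports PASS only when curl succeeds and no new killed connection was logged. HOST, PORT, CACERT and LOG are assumed variables; the CA-bundle and log paths are placeholders to replace with your own.

```shell
#!/bin/sh
# Added example: repeatable check for the TLSv1.3 test case in this bug.
# HOST/PORT/CACERT/LOG are assumptions; the two paths below are placeholders.

HOST="${HOST:-localhost}"
PORT="${PORT:-443}"
CACERT="${CACERT:-/path/to/ca-bundle.pem}"        # placeholder: your CA bundle
LOG="${LOG:-/path/to/lighttpd/error.log}"         # placeholder: lighttpd's error log

# Number of log lines reporting a killed connection (same pattern as the grep
# in the test case). Prints 0 when the file is unreadable or has no match.
count_killed() {
    if [ -r "$1" ]; then
        grep -c 'killing' "$1" || true
    else
        echo 0
    fi
}

# Map curl's exit status to the outcomes this test case distinguishes.
describe_curl_status() {
    case "$1" in
        0)  echo "ok" ;;
        35) echo "tls-handshake-failed" ;;
        52) echo "empty-reply" ;;        # the failure mode reported in this bug
        *)  echo "other-$1" ;;
    esac
}

# Verdict for one run: $1 = curl status, $2 = killed count before, $3 = after.
# PASS only when the request succeeded and the log gained no "killing" line.
verdict() {
    if [ "$1" -eq 0 ] && [ "$3" -eq "$2" ]; then
        echo PASS
    else
        echo "FAIL ($(describe_curl_status "$1"), $(( $3 - $2 )) new killed connection(s))"
    fi
}

# Run the test case against the configured server, forcing TLS 1.3.
check_tls13() {
    before=$(count_killed "$LOG")
    curl --silent --show-error --output /dev/null \
        --cacert "$CACERT" --tlsv1.3 "https://$HOST:$PORT/"
    status=$?
    after=$(count_killed "$LOG")
    verdict "$status" "$before" "$after"
}

# Only run when explicitly asked, so sourcing this file just defines the helpers:
#   RUN_CHECK=1 HOST=... CACERT=... LOG=... sh tls13_check.sh
if [ -n "${RUN_CHECK:-}" ]; then
    check_tls13
fi
```

Running it before and after the package upgrade gives the same two observations the bug description records (curl exit 52 plus a new "killing" log line before the fix; exit 0 and an unchanged count after), in a form that can sit in a post-upgrade smoke test.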
[Regression Potential]
* TLSv1.3 connections attempt client renegotiation when they should not, since renegotiation is no longer supported in TLSv1.3. Currently such connections are killed instead of completing the handshake. This change is a backport from a later 1.4 series point release, so the file paths do not match the original and variables are renamed; however, the affected code path appears to be essentially the same. The patch should therefore be reviewed for rebase correctness, as there is room for error in the handling of client renegotiation with earlier TLS versions.
[Upstream Link]
https:/
[Original Bugreport]
After installing today's bionic OpenSSL update (1.1.0g-2ubuntu4.3 -> 1.1.1-1ubuntu2.
2019-06-11 12:02:20: (connections-
Perhaps a problem with TLS v1.3 negotiation? (And the version of lighttpd is too old to have the ssl.openssl.
Description: Ubuntu 18.04.2 LTS
Release: 18.04
ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: lighttpd 1.4.45-1ubuntu3
ProcVersionSign
Uname: Linux 4.15.0-51-generic x86_64
ApportVersion: 2.20.9-0ubuntu7.6
Architecture: amd64
Date: Tue Jun 11 14:18:55 2019
SourcePackage: lighttpd
UpgradeStatus: Upgraded to bionic on 2018-06-10 (365 days ago)
modified.
modified.
mtime.conffile.
mtime.conffile.
Changed in lighttpd (Ubuntu):
importance: Undecided → Critical
tags: added: regression-update
description: updated
Changed in lighttpd (Debian):
status: Unknown → Fix Released
description: updated
description: updated
tags: added: bionic-openssl-1.1
A Debian bug suggests that lighttpd < 1.4.51 is broken by libssl 1.1: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=913558
https:/