Bug #2207

closed

null SSL_CTX for TLS server name

Added by penfold45 almost 14 years ago. Updated 4 months ago.

Status:
Fixed
Priority:
Normal
Category:
core
Target version:
-
ASK QUESTIONS IN Forums:
No

Description

I keep getting this error in my error.log file and it crashes lighttpd

2010-05-17 17:01:03: (network.c.94) SSL: null SSL_CTX for TLS server name DOMAIN.com
2010-05-17 17:01:03: (connections.c.294) SSL: 1 error:1408A09D:SSL routines:SSL3_GET_CLIENT_HELLO:clienthello tlsext

I tracked the code down and according to the comment inside the if I should never get to that part of the code.

if (NULL == con->conf.ssl_ctx) {
    /* ssl_ctx <=> pemfile was set <=> ssl_ctx got patched: so this should never happen */
    log_error_write(srv, __FILE__, __LINE__, "ssb", "SSL:",
                    "null SSL_CTX for TLS server name", con->tlsext_server_name);
    return SSL_TLSEXT_ERR_ALERT_FATAL;
}

It is a very intermittent error; we only have one internal site on this lighttpd instance, so there is very little traffic, but I get these errors maybe 2-3 times a day.

We are running exactly the same lighttpd version on a production server with around 20 sites and have no issues like this.

I had a look in the bugs but could not find one to do with this problem, so hopefully I'm not duplicating a bug report.

Hope someone can help.


Files

lighttpd.conf (4.72 KB) lighttpd.conf magik, 2010-08-08 19:35
lighttpd.php.conf (83 Bytes) lighttpd.php.conf magik, 2010-08-08 19:35
lighttpd.mime (3.04 KB) lighttpd.mime magik, 2010-08-08 19:35
Actions #1

Updated by nitrox almost 14 years ago

  • Status changed from New to Need Feedback

Lighty version? Test with current or 1.4.27rc1 -> blog.lighttpd.net please.

Actions #2

Updated by penfold45 almost 14 years ago

Sorry, I thought I put in the versions.

lighttpd/1.4.26
freebsd 8.0-STABLE

Actions #3

Updated by stbuehler almost 14 years ago

  • Status changed from Need Feedback to Missing Feedback
Actions #4

Updated by penfold45 almost 14 years ago

  • Status changed from Missing Feedback to Reopened

How is this "missing feedback"? I have answered the question asked. I still get the same problem on the latest version of lighttpd. If anyone has any further questions I am more than willing to answer them.

Actions #5

Updated by stbuehler almost 14 years ago

  • Status changed from Reopened to Need Feedback

You did not report that you tried the latest prerelease (did you mean 1.4.27rc1 or svn or 1.4.26 with "latest version"?)

If you tried the prerelease it would be nice if you could show us your config.

Actions #6

Updated by penfold45 almost 14 years ago

lighttpd/1.4.26 as stated in my comment about a month ago

Actions #7

Updated by spaam almost 14 years ago

Can you try with latest prerelease that you can find on blog.lighttpd.net if the problem still exists? :) 1.4.27rc1

Actions #8

Updated by magik over 13 years ago

I'm using lighttpd 1.4.26 on FreeBSD.
On FreeBSD 7.3 it works fine, but one week ago I updated FreeBSD to 8.1
and I have this same error in the logs,
but only on sites that use SSL; sites served on plain HTTP work correctly.

Now I updated lighttpd to 1.4.27rc1 and this error still exists.

Actions #9

Updated by stbuehler over 13 years ago

@magik: I'd like to see your config (and your error messages), so we can try to reproduce it. thanks!

Updated by magik over 13 years ago

My config files I'm sending in attachments (as you can see, there is only the mx.roorback.net vhost with SSL).

And in the error log I often see something like this:
2010-08-06 17:24:19: (network.c.94) SSL: null SSL_CTX for TLS server name mx.roorback.net
2010-08-06 17:24:19: (connections.c.294) SSL: 1 error:1408A09D:SSL routines:SSL3_GET_CLIENT_HELLO:clienthello tlsext
2010-08-06 17:24:19: (network.c.94) SSL: null SSL_CTX for TLS server name mx.roorback.net
2010-08-06 17:24:19: (connections.c.294) SSL: 1 error:1408A09D:SSL routines:SSL3_GET_CLIENT_HELLO:clienthello tlsext
2010-08-06 17:24:19: (network.c.94) SSL: null SSL_CTX for TLS server name mx.roorback.net
2010-08-06 17:24:19: (connections.c.294) SSL: 1 error:1408A09D:SSL routines:SSL3_GET_CLIENT_HELLO:clienthello tlsext

and lighttpd is built against openssl 0.9.8n

Actions #11

Updated by nitrox over 13 years ago

Make the ssl part global. The host is sent only after a connection to the ssl ip:port has been made.

Actions #12

Updated by stbuehler over 13 years ago

  • Target version set to 1.4.27

So this is basically a very broken config. Perhaps we should enforce that $SERVER["socket"] == conditionals are always global.

Actions #13

Updated by magik over 13 years ago

Now I moved the $SERVER["socket"] section to global, but the error still exists.

Actions #14

Updated by nitrox over 13 years ago

"null SSL_CTX for TLS server name" means your version of openssl doesn't support TLS servername.

Please upgrade openssl.

Actions #15

Updated by magik over 13 years ago

In base FreeBSD 8.1 openssl is version 0.9.8n.
And I saw in the changelog that lighttpd tries to use SNI when openssl is v. 0.9.8f or higher.
Maybe there is another method to decide whether to use SNI or not?

Despite this, when I linked lighttpd with openssl 1.0.0a (from ports),
SSL is working correctly.

Thanks

Actions #16

Updated by stbuehler over 13 years ago

  • Target version changed from 1.4.27 to 1.4.x
Actions #17

Updated by nitrox almost 13 years ago

  • Subject changed from "null SSL_CTX for TLS server name" to null SSL_CTX for TLS server name
  • Target version changed from 1.4.x to 1.4.29
Actions #18

Updated by stbuehler almost 13 years ago

  • Target version changed from 1.4.29 to 1.4.x
Actions #19

Updated by stbuehler over 10 years ago

  • Status changed from Need Feedback to Missing Feedback
  • Target version deleted (1.4.x)

No reproducible setup with global $SERVER["socket"] conditionals.

Actions #20

Updated by gstrauss 4 months ago

  • Status changed from Missing Feedback to Fixed
  • ASK QUESTIONS IN Forums set to No

Modern lighttpd screams loudly about misconfigurations such as this one: nesting $SERVER["socket"] inside other directives.
In older lighttpd, "null SSL_CTX for TLS server name" occurs when a request comes in on port 443 and there is no ssl.pemfile configured for the SNI or for the socket default.

$HTTP["host"] == "mx.roorback.net" {
    server.document-root = "/usr/local/www/roundcube"
    include "lighttpd.php.conf"

    $SERVER["socket"] == ":443" {
        ssl.engine = "enable"
        ssl.pemfile = "/usr/local/etc/SSL/mx.pem"
        ssl.ca-file = "/usr/local/etc/SSL/ca-bundle.pem"
    }
}
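The nesting gstrauss describes, placed beside a corrected layout, as an added illustration that is not taken from the attached config files or from the lighttpd project; host name and paths are reused from the quoted block above, and the ordering of the global socket block is the assumed fix.

```conf
# BROKEN: $SERVER["socket"] nested inside $HTTP["host"].
# The host conditional can only match once the request is readable, and the
# request is only readable after TLS is up, so the :443 listener never gets an
# SSL_CTX and the SNI callback fails with "null SSL_CTX for TLS server name".
$HTTP["host"] == "mx.roorback.net" {
    server.document-root = "/usr/local/www/roundcube"
    include "lighttpd.php.conf"

    $SERVER["socket"] == ":443" {
        ssl.engine  = "enable"
        ssl.pemfile = "/usr/local/etc/SSL/mx.pem"
        ssl.ca-file = "/usr/local/etc/SSL/ca-bundle.pem"
    }
}

# CORRECTED: the socket conditional lives at global scope, so the :443 listener
# always has a default certificate; host-specific settings (and, if needed,
# per-host ssl.pemfile for SNI) go inside it, not around it.
$SERVER["socket"] == ":443" {
    ssl.engine  = "enable"
    ssl.pemfile = "/usr/local/etc/SSL/mx.pem"       # default for the socket
    ssl.ca-file = "/usr/local/etc/SSL/ca-bundle.pem"

    $HTTP["host"] == "mx.roorback.net" {
        server.document-root = "/usr/local/www/roundcube"
        include "lighttpd.php.conf"
    }
}
```

Whether the listener now presents a certificate for the name can be checked from a client with `openssl s_client -connect mx.roorback.net:443 -servername mx.roorback.net`; a fatal alert during the ClientHello instead of a certificate chain indicates the socket still has no default pemfile.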