Bug #2239
lighttpd 1.4.26 does not support sha256 encoding algorithm for SSL certs
| Field | Value |
|---|---|
| Status | Fixed |
| Priority | Normal |
| Assignee | - |
| Category | core |
| Target version | 1.4.29 |
| Start date | 2010-07-22 |
| Due date | |
| % Done | 100% |
| Missing in 1.5.x | No |
Description
I use SSL certs that have been generated using sha256 encoding algorithm.
When I connect to my server using wget, the connection fails with:
OpenSSL: error:0B07C065:x509 certificate routines:X509_STORE_add_cert:cert already in hash table
OpenSSL: error:1409441B:SSL routines:SSL3_READ_BYTES:tlsv1 alert decrypt error
Unable to establish SSL connection.
In lighttpd error I see:
2010-07-21 00:29:59: (connections.c.294) SSL: 1 error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm
2010-07-21 00:29:59: (connections.c.294) SSL: 1 error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Looking at the lighttpd source code, I added a call to OpenSSL_add_all_algorithms() right after the library init by SSL_library_init() (this is in network.c).
This resolved my problem.
See proposed patch in attachment
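The check a practitioner would run before blaming the server: confirm which digest actually signed the certificate and whether the local OpenSSL build can verify that signature at all. The script below is an added example, not part of the bug report, the attached patch or the lighttpd project; it assumes an `openssl` binary on PATH and `mktemp -d`, and it reproduces the reporter's setup with a throwaway self-signed certificate signed via the `-sha256` digest flag of `openssl req`.

```shell
#!/bin/sh
# Added example (not from the lighttpd bug report or project). It builds a
# throwaway SHA-256-signed certificate the way the reporter did and checks
# (1) the signature digest recorded in the cert and (2) whether the local
# OpenSSL can verify it. Assumes `openssl` on PATH and a working `mktemp -d`.

# Generate a self-signed RSA certificate signed with SHA-256 and print the
# directory holding key.pem and cert.pem. `-sha256` is the digest flag the
# reporter used on `openssl req`; the key is constructed test data only.
make_sha256_cert() {
    dir=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=lighttpd-test" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1 || return 1
    printf '%s\n' "$dir"
}

# Print the certificate's signature algorithm, e.g. sha256WithRSAEncryption.
# The "Signature Algorithm" line appears twice in -text output (inside the
# TBSCertificate and again before the signature value); the first is enough.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Signature Algorithm: //p' | head -n 1
}

# Return 0 if the local OpenSSL can verify the self-signed certificate's
# signature, 1 otherwise. A build that has not registered the digest fails
# here with "unknown message digest algorithm", the error in the bug report.
cert_verifies() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# One-word verdict a deployment script can branch on: "sha256-ok" when the
# cert is SHA-256 signed and verifiable, otherwise the reason it is not.
check_cert() {
    alg=$(cert_sig_alg "$1")
    if [ "$alg" != "sha256WithRSAEncryption" ]; then
        printf 'not-sha256:%s\n' "$alg"
        return 1
    fi
    if ! cert_verifies "$1"; then
        printf 'sha256-unverifiable\n'
        return 1
    fi
    printf 'sha256-ok\n'
}

# Usage:
#   d=$(make_sha256_cert) && check_cert "$d/cert.pem"
```

If `cert_sig_alg` reports sha256WithRSAEncryption but `cert_verifies` fails on the same machine that runs lighttpd, the digest table of the linked OpenSSL is the problem, which is exactly what the missing OpenSSL_add_all_algorithms() call in network.c left unpopulated.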
History
#1 Updated by jpc almost 3 years ago
- File ssl-encoding-algorithms.diff added
#2 Updated by jpc almost 3 years ago
Note that the patch has been tested with lighttpd 1.4.26
#3 Updated by jpc almost 3 years ago
Also, about the SSL certs: they have been generated using the option -digest sha256 for the openssl req command.
#4 Updated by jpc almost 3 years ago
- Status changed from New to Patch Pending
#5 Updated by stbuehler almost 3 years ago
afaik you could compile lighty against libgnutls instead of openssl; would this change anything?
Do we need to check for this "feature"?
(I really hate openssl. can't they just provide one "init-all-we-need" function?...)
#6 Updated by jpc over 2 years ago
The build environment is using openssl, not libgnutls, and I can not change that unfortunately.
I have not tested gnutls with lighttpd; I don't know if it would work.
#7 Updated by Olaf-van-der-Spek over 2 years ago
Why isn't sha256 enabled by default?
Have you asked openssl to enable this by default?
#8 Updated by jpc over 2 years ago
That is a good question. I did not talk to openssl developers. It's an interesting suggestion as I had to do the same patch on another opensource project which depends on openssl as well.
#9 Updated by stbuehler about 2 years ago
- Status changed from Patch Pending to Fixed
- % Done changed from 0 to 100
Applied in changeset r2780.
#10 Updated by stbuehler almost 2 years ago
- Target version changed from 1.4.x to 1.4.29