Project

General

Profile

Actions

Bug #2525

closed

ssl.cipher-list not inherited into SNI

Added by nate over 10 years ago. Updated over 10 years ago.

Status:
Fixed
Priority:
Normal
Category:
core
Target version:
ASK QUESTIONS IN Forums:

Description

When defining an ssl.cipher-list, it works for the 'default' HTTPS setup ($SERVER["socket"] 443 block), but when you utilize SNI ($HTTP["host"] blocks within the $SERVER["socket"] block) the ssl.cipher-list seems to not inherit into the host blocks and instead will default to include all of the available openssl ciphers (except SSL v2/v3 based if those are disabled).

Attempting to move ssl.cipher-list to inside of each host block unfortunately causes the individual SNI ssl.pemfile to stop being used and causes lighttpd to use whatever the default ssl.pemfile configured is (if one is set, otherwise it will fail to start lighttpd with a "ssl.pemfile has to be set" error).

Tested and confirmed to be an issue in at least 1.4.33 and 1.4.32

Actions #1

Updated by nate over 10 years ago

*inherited (shoulda known better than to make a post when I just wake up...)

Actions #2

Updated by stbuehler over 10 years ago

  • Subject changed from ssl.cipher-list not inhereted into SNI to ssl.cipher-list not inherited into SNI
Actions #3

Updated by stbuehler over 10 years ago

  • Target version set to 1.4.34
Actions #4

Updated by stbuehler over 10 years ago

Setting ssl.cipher-list in the same blocks as ssl.pemfile worked for me. If this breaks SNI for you please open another bug with details (minimal config that reproduces the problem, openssl s_client log).

You always need a default ssl.pemfile, as not every client supports SNI.

Actions #5

Updated by stbuehler over 10 years ago

  • Status changed from New to Fixed
  • % Done changed from 0 to 100

Applied in changeset r2913.

Actions

Also available in: Atom