ssl.cipher-list not inherited into SNI
Missing in 1.5.x: No
When defining an ssl.cipher-list, it works for the 'default' HTTPS setup (the $SERVER["socket"] 443 block), but when you utilize SNI ($HTTP["host"] blocks within the $SERVER["socket"] block) the ssl.cipher-list seems not to inherit into the host blocks and instead defaults to include all of the available openssl ciphers (except the SSLv2/v3-based ones, if those are disabled).
Attempting to move ssl.cipher-list inside each host block unfortunately causes the individual SNI ssl.pemfile to stop being used and causes lighttpd to use whatever default ssl.pemfile is configured (if one is set; otherwise lighttpd fails to start with a "ssl.pemfile has to be set" error).
Tested and confirmed to be an issue in at least 1.4.33 and 1.4.32.
[ssl] fix SNI handling; only use key+cert+verify-client from SNI specific config (fixes #2525, CVE-2013-4508)
pull all ssl.ca-file values into all SSL_CTXs, but use only the local
ssl.ca-file for verify-client; correct SNI name is no requirement,
so enforcing verification for a subset of SNI names doesn't actually
From: Stefan Bühler <firstname.lastname@example.org>
#4 Updated by stbuehler over 1 year ago
ssl.cipher-list in the same blocks as ssl.pemfile worked for me. If this breaks SNI for you, please open another bug with details (minimal config that reproduces the problem, openssl s_client log).
You always need a default ssl.pemfile, as not every client supports SNI.
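As an added illustration of the layout recommended in the comment above (this is example code written for this page, not lighttpd project code and not anything posted in this thread): a small POSIX shell script that emits a lighttpd 1.4.x HTTPS configuration with ssl.cipher-list placed in the same block as each ssl.pemfile, keeps a default ssl.pemfile for non-SNI clients, and parses `openssl s_client` output to confirm which cipher and which certificate a given SNI name actually receives. The cipher list, the /etc/lighttpd/ssl paths, the host names and the two s_client transcripts are all assumptions or constructed samples, not values from the report.

```shell
#!/bin/sh
# Added example (not lighttpd project code): emit a lighttpd 1.4.x HTTPS
# config that follows the maintainer's advice (ssl.cipher-list in the same
# block as each ssl.pemfile, plus a default ssl.pemfile for non-SNI clients),
# and parse `openssl s_client` output to verify what each SNI name gets.
# Cipher list, paths and host names below are assumptions, not from the page.

CIPHERS='ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:AES128-GCM-SHA256:!aNULL:!MD5'
PEMDIR='/etc/lighttpd/ssl'

# gen_lighttpd_conf HOST... : print the $SERVER["socket"] block with one
# $HTTP["host"] block per argument, each carrying its own pemfile and
# cipher-list so nothing relies on inheritance from the socket block.
gen_lighttpd_conf() {
    printf '$SERVER["socket"] == "0.0.0.0:443" {\n'
    printf '    ssl.engine             = "enable"\n'
    printf '    ssl.pemfile            = "%s/default.pem"\n' "$PEMDIR"
    printf '    ssl.cipher-list        = "%s"\n' "$CIPHERS"
    printf '    ssl.honor-cipher-order = "enable"\n'
    printf '    ssl.use-sslv2          = "disable"\n'
    printf '    ssl.use-sslv3          = "disable"\n'
    for host in "$@"; do
        printf '\n    $HTTP["host"] == "%s" {\n' "$host"
        printf '        ssl.pemfile          = "%s/%s.pem"\n' "$PEMDIR" "$host"
        printf '        ssl.cipher-list      = "%s"\n' "$CIPHERS"
        printf '        server.document-root = "/srv/www/%s"\n' "$host"
        printf '    }\n'
    done
    printf '}\n'
}

# summarize_s_client TRANSCRIPT : reduce one `openssl s_client` transcript to
# "PROTOCOL CIPHER SUBJECT". Works with the old "subject=/CN=x" and the
# newer "subject=CN = x" layouts; missing fields print as "?".
summarize_s_client() {
    proto=$(printf '%s\n' "$1"   | sed -n 's/^ *Protocol *: *//p' | head -n 1)
    cipher=$(printf '%s\n' "$1"  | sed -n 's/^ *Cipher *: *//p'   | head -n 1)
    subject=$(printf '%s\n' "$1" | sed -n 's/^subject=//p'        | head -n 1)
    printf '%s %s %s\n' "${proto:-?}" "${cipher:-?}" "${subject:-?}"
}

# check_sni_result HOST TRANSCRIPT : 0 if the negotiated cipher is one we
# configured AND the served certificate subject names HOST; 1 (with a reason
# on stderr) otherwise. The two failure modes are the symptoms in the report.
check_sni_result() {
    host=$1
    summary=$(summarize_s_client "$2")
    cipher=$(printf '%s\n' "$summary" | cut -d' ' -f2)
    case ":$CIPHERS:" in
        *":$cipher:"*) ;;
        *) printf '%s: negotiated %s, not in ssl.cipher-list\n' "$host" "$cipher" >&2
           return 1 ;;
    esac
    case "$summary" in
        *"CN=$host"*|*"CN = $host"*) ;;
        *) printf '%s: wrong certificate served (%s)\n' "$host" "$summary" >&2
           return 1 ;;
    esac
    return 0
}

# Constructed sample transcripts (not captured from any real server), in the
# OpenSSL 1.0.x layout contemporary with lighttpd 1.4.3x. GOOD is what a
# correctly configured SNI host returns; BAD shows both symptoms from the
# report: the default certificate and a cipher outside the configured list.
GOOD_TRANSCRIPT='CONNECTED(00000003)
depth=0 CN = a.example.com
subject=/CN=a.example.com
issuer=/CN=Example CA
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256'

BAD_TRANSCRIPT='CONNECTED(00000003)
depth=0 CN = default.example.com
subject=/CN=default.example.com
issuer=/CN=Example CA
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : RC4-SHA'

# Demo run. Against a live server, replace the constructed transcript with:
#   openssl s_client -connect 192.0.2.1:443 -servername a.example.com </dev/null 2>&1
gen_lighttpd_conf a.example.com b.example.com
check_sni_result a.example.com "$GOOD_TRANSCRIPT" && echo "a.example.com: OK"
check_sni_result a.example.com "$BAD_TRANSCRIPT" || echo "a.example.com (bad sample): rejected as expected"
```

Run the check once per SNI name with `-servername` set to that name, and once more without `-servername` to see what non-SNI clients get from the default ssl.pemfile; the certificate test is a plain substring match on the subject line, so tighten it if your subjects contain the host name as a prefix of another name.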