Bug #2525

ssl.cipher-list not inherited into SNI

Added by nate over 2 years ago. Updated over 2 years ago.

When defining an ssl.cipher-list, it works for the 'default' HTTPS setup ($SERVER["socket"] 443 block), but when you utilize SNI ($HTTP["host"] blocks within the $SERVER["socket"] block) the ssl.cipher-list seems to not inherit into the host blocks and instead will default to include all of the available openssl ciphers (except SSL v2/v3 based if those are disabled).

Attempting to move ssl.cipher-list to inside of each host block unfortunately causes the individual SNI ssl.pemfile to stop being used and causes lighttpd to use whatever the default ssl.pemfile configured is (if one is set, otherwise it will fail to start lighttpd with a "ssl.pemfile has to be set" error).

Tested and confirmed to be an issue in at least 1.4.33 and 1.4.32

Associated revisions

Revision 2913
Added by stbuehler over 2 years ago

[ssl] fix SNI handling; only use key+cert+verify-client from SNI specific config (fixes #2525, CVE-2013-4508)

pull all values into all SSL_CTXs, but use only the local for verify-client; correct SNI name is no requirement, so enforcing verification for a subset of SNI names doesn't actually protect those.

From: Stefan Bühler <>


#1 Updated by nate over 2 years ago

*inherited (shoulda known better than to make a post when I just wake up...)

#2 Updated by stbuehler over 2 years ago

  • Subject changed from ssl.cipher-list not inhereted into SNI to ssl.cipher-list not inherited into SNI

#3 Updated by stbuehler over 2 years ago

  • Target version set to 1.4.34

#4 Updated by stbuehler over 2 years ago

Setting ssl.cipher-list in the same blocks as ssl.pemfile worked for me. If this breaks SNI for you please open another bug with details (minimal config that reproduces the problem, openssl s_client log).

You always need a default ssl.pemfile, as not every client supports SNI.

#5 Updated by stbuehler over 2 years ago

  • Status changed from New to Fixed
  • % Done changed from 0 to 100

Applied in changeset r2913.
