Lighttpd

Since a "security update" (at least in the Debian version) of lighttpd in November 2013, SSL doesn't correclty work with SNI, anymore.

The problem is probably, that all ca-files now end up in the same SSL_CTX, which breaks some very common certificate-setups (and silently broke my previously perfectly-working setup):

1. Cross-signed certificates don't work anymore:
   Several root-authorities (and intermediate certificates) cross-sign each other. This shouldn't cause any problem. But after the update, this can break SSL with lighttpd, since certificate-chains like:

    Cert1 <- C <- A <- B
    Cert2 <- D <- B <- A

   don't work anymore. And such certificate-chains are quite common.
   Real-world-example with 2 SNI-hosts/certificates:

    Cert1                           signed by PositiveSSL CA 2
    PositiveSSL CA 2                signed by AddTrust External CA Root
    AddTrust External CA Root       signed by UTN - DATACorp SGC
   
    Cert2                           signed by EssentialSSL CA
    EssentialSSL CA                 signed by COMODO Certification Authority
    COMODO Certification Authority  signed by UTN - DATACorp SGC
    UTN - DATACorp SGC              signed by AddTrust External CA Root

   The only way to work around this problem, is to remove one of the intermediate- certificates -- which isn't a solution and has serious drawbacks:

   • Browsers have different built-in root-certificates, so if you remove a intermediate-certificate, the certificate-verification may fail in some browsers.
   • When you buy a SSL-certificate, you usually receive a certificate and all intermediate certificates. Before the update, you could simply create pem- and ca-files for each SNI-host separately, and add them to lighttpd.
     Now, after the update, this isn't possible anymore; instead, every time an SSL-certificate is added/updated, you have to examine all certificate-chains for cross-signed certificates, and try to detect and eliminate any cross-signings.
2. Different versions of intermediate-certificates don't work anymore.
   As far as I understood, lighttpd now requires that each certificate has an unique Issuer-Subject-combination. If this is the case, SSL in lighttpd is seriously broken!!

   Usually, certificate authorities update their (intermediate-)certificates from time to time, and the validity-time of these certificates overlap. So, at the same time, there are e.g. 2 certificates with the same Issuer-Subject-combination but a different Validity. This is absolutely necessary to update certificates, and results in certificate-chains like:

    Cert1 <- A(2008-2018) <- B
    Cert2 <- A(2012-2022) <- B 

   So, if lighttpd really requires that each Issuer-Subject-combination is unique, such chains aren't possible anymore, and SSL+SNI isn't usable at all with lighttpd.
   If lighttpd only requires that each Issuer-Subject-Validity-combination is unique, this is probably not a problem.

   So, does lighttpd require Issuer+Subject or Issuer+Subject+Validity to be unique?

• Examine all certificate-chains every time a certificate is added/updated, and try to eliminate cross-signings, hope that this doesn't break any certificate-validations and hope that there will be no certificate-updates.
• Downgrade to the lighttpd-version before the update, and live with the security-holes.
• Don't use SNI.
• Switch to a different webserver.

• Add some notes about this behavior and its problems to the lighttpd-documentation.
• Modify ligttpd, so that it doesn't try to merge the ca-files.
  (or better: modify lighttpd or OpenSSL, so it simply sends out the given ca-files, withouth trying to be "smart" by analyzing them.

More details: see Debian Bug#729555, https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=729555