Bug #2837

HTTPS requests timeout when cert not set for socket

Added by billbrasky 12 months ago. Updated 12 months ago.

Status: Fixed
Priority: Normal
Assignee: -
Category: TLS
Target version:
Start date: 2017-11-01
Due date:
% Done: 100%
Estimated time:
Missing in 1.5.x:

Description

No error is given at startup, and lighttpd times out on HTTPS requests with this config:

$SERVER["socket"] == ":443" {
    $HTTP["host"] == "my.host.net" {
        ssl.engine = "enable"
        ssl.use-sslv2 = "disable"
        ssl.use-sslv3 = "disable"
        ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES128+EECDH:AES128+EDH"
        ssl.pemfile = "cert.pem"
        ssl.ca-file = "fullchain.pem"
    }
}

It does NOT hang when a cert is set at the socket-level:

$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"
    ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES128+EECDH:AES128+EDH"
    ssl.pemfile = "cert2.pem"
    ssl.ca-file = "fullchain2.pem"

    $HTTP["host"] == "my.host.net" {
        ssl.pemfile = "cert.pem"
        ssl.ca-file = "fullchain.pem"
    }
}

I would expect an error to be printed at startup if the first configuration is invalid.

Associated revisions

Revision bfef0907 (diff)
Added by gstrauss 12 months ago

[mod_openssl] error if ssl.engine in wrong section (fixes #2837)

error if ssl.engine in wrong section of config.
ssl.engine is valid only in global scope or $SERVER["socket"] condition

x-ref:
"HTTPS requests timeout when cert not set for socket"
https://redmine.lighttpd.net/issues/2837
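The scoping rule stated in this commit can be checked before a config is deployed. Below is an added example, not lighttpd's own code or part of the commit, of a small lint that walks a lighttpd config and reports every ssl.engine = "enable" whose innermost enclosing condition is not $SERVER["socket"] (global scope is also accepted). It assumes a simplified syntax: each condition header ends with `{`, blocks close with `}`, and `#` starts a comment; the two sample configs are constructed to mirror the failing and working shapes from the report.

```python
import re

# Constructed samples: the failing shape (ssl.engine inside $HTTP["host"])
# and the working shape (ssl.engine on the socket, per-host cert below it).
BAD_CONFIG = """\
$SERVER["socket"] == ":443" {
    $HTTP["host"] == "my.host.net" {
        ssl.engine = "enable"
        ssl.pemfile = "cert.pem"
    }
}
"""

GOOD_CONFIG = """\
$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "cert2.pem"   # default certificate for the socket
    $HTTP["host"] == "my.host.net" {
        ssl.pemfile = "cert.pem"  # per-host certificate (SNI) is fine here
    }
}
"""

# Either a closing brace or a condition header like  $HTTP["host"] == "x" {
TOKEN_RE = re.compile(r'\}|\$(\w+)\["([^"]+)"\][^{}]*\{')
ENGINE_RE = re.compile(r'^\s*ssl\.engine\s*=\s*"enable"')


def check_ssl_engine_scope(text):
    """Return [(line_no, innermost_condition)] for each ssl.engine = "enable"
    that is neither in global scope nor directly inside $SERVER["socket"]."""
    findings = []
    stack = []  # enclosing conditions, innermost last, as (variable, field)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0]  # strip comments (assumes no '#' in values)
        if ENGINE_RE.match(line) and stack and stack[-1] != ("SERVER", "socket"):
            var, field = stack[-1]
            findings.append((lineno, f'${var}["{field}"]'))
        for m in TOKEN_RE.finditer(line):  # process braces in source order
            if m.group(0) == "}":
                if stack:
                    stack.pop()
            else:
                stack.append((m.group(1), m.group(2)))
    return findings


if __name__ == "__main__":
    for name, cfg in (("bad", BAD_CONFIG), ("good", GOOD_CONFIG)):
        print(name, check_ssl_engine_scope(cfg))
```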

History

#1

Updated by gstrauss 12 months ago

Seems like some warnings are in order.

More than a few ssl.* directives make sense only when configured on the $SERVER["socket"], including ssl.engine = "enable"

#2

Updated by gstrauss 12 months ago

  • Status changed from New to Patch Pending
  • Target version changed from 1.4.x to 1.4.48

--- a/src/mod_openssl.c
+++ b/src/mod_openssl.c
@@ -989,6 +989,12 @@ SETDEFAULTS_FUNC(mod_openssl_set_defaults)
                 }
             }
         }
+
+        if (0 != i && s->ssl_enabled && config->comp != COMP_SERVER_SOCKET) {
+            log_error_write(srv, __FILE__, __LINE__, "s",
+                            "ssl.engine valid is only in global scope " 
+                            "or $SERVER[\"socket\"] condition");
+        }
     }

     if (0 != network_init_ssl(srv, p)) return HANDLER_ERROR;
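
Review bot: the new block only logs and then falls through to network_init_ssl, so a misplaced ssl.engine is reported but startup still succeeds and the reporter's silent timeout remains possible; if the intent of "error if ssl.engine in wrong section" is to reject the configuration, add `return HANDLER_ERROR;` after the log_error_write call, as the `if (0 != network_init_ssl(srv, p)) return HANDLER_ERROR;` line below already does for its failure case. The message text also has its words out of order ("ssl.engine valid is only in global scope"); it should read "ssl.engine is valid only in global scope or $SERVER[\"socket\"] condition", matching the commit message.
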
#3

Updated by gstrauss 12 months ago

  • Status changed from Patch Pending to Fixed
  • % Done changed from 0 to 100
