Feature #2857

TLS release

Added by lgarcin 3 months ago. Updated 3 months ago.

Status: Invalid
Priority: Low
Assignee: -
Category: -
Target version: -
Start date: 2018-01-12
Due date:
% Done: 0%
Estimated time:
Missing in 1.5.x:

Description

Hello,
We are using lighttpd 1.4.35 in an embedded device (cannot use the most recent one due to library issues). We activate the SSL engine: it works fine, but although the client proposes TLS1.0 to TLS1.2 in the hello message (Chrome or IE), we only get a TLS 1.0 connection. I tried to use openssl 1.0.2n and openssl 1.0.1h but still get TLS1.0, never 1.1 or 1.2. What could be the issue?
It seems that TLS1.1 and TLS1.2 are disabled (?!) (openssl s_client -connect oursite:443 -tls1_2 failed, but succeeded with a website like www.google.com. This "openssl" is the same as the one used to build lighttpd).

Thanks

Our conf file:

server.document-root = "/srv/www/"

server.port = 443
ssl.engine = "enable"
ssl.pemfile = "/opt/AlpesTechno/srv.pem"
ssl.use-sslv3 = "disable"
ssl.honor-cipher-order = "enable"
ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES128+EECDH:AES128+EDH"

server.username = "ulighttpd"
server.groupname = "lighttpd"
server.errorlog = "/opt/AlpesTechno/lght.log"

mimetype.assign = (
    ".html" => "text/html; charset=utf-8",
    ".txt" => "text/plain",
    ".css" => "text/css",
    ".jpg" => "image/jpeg",
    ".png" => "image/png",
    ".js" => "application/x-javascript; charset=utf-8",
    ".pdf" => "application/pdf"
)

static-file.exclude-extensions = ( ".fcgi", ".php", ".rb", "~", ".inc" )
index-file.names = ( "index.php","index.html" )

$HTTP["host"] == "www2.example.org" {
    server.document-root = "/srv/www/"
}
$HTTP["url"] =~ "oscillo\.png$"{
    setenv.add-request-header=("Cache-Control"=>"private,no-cache,must-revalidate,no-store")
}

server.modules += ( "mod_fastcgi","mod_alias","mod_setenv" )

fastcgi.server = ( ".php" =>
    (( "socket" => "/tmp/php-fastcgi.socket",
       "bin-path" => "/usr/php/bin/arm-php-cgi -c /usr/php/lib/php.ini",
       "max-procs" => 2,
       "bin-environment" => (
           "PHP_FCGI_CHILDREN" => "2",
           "PHP_FCGI_MAX_REQUESTS" => "500")
    ))
)

History

#1

Updated by gstrauss 3 months ago

  • Category deleted (TLS)
  • Status changed from New to Invalid
  • Priority changed from Normal to Low
  • Target version deleted (1.4.x)

Sorry, this is not a feature request. Please post questions such as this in the forums.
https://redmine.lighttpd.net/projects/lighttpd/boards/2

> We are using lighttpd 1.4.35 in an embedded device (cannot use the most recent one due to library issues).

You would do well to provide some justification why you're asking for help on a version of lighttpd almost 4 years old, and 18 releases behind the latest, and with versions of openssl which are end-of-lifed (except for the openssl 1.0.2 series). What "library issues"? (Please answer in the forums, not here.)

You need at least openssl 1.0.1 for TLSv1.2 support, and should use 1.0.2 or later, as openssl v1.0.1 has reached end-of-life.
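
The symptom reported in this issue (client offers up to TLS 1.2, connection ends up on TLS 1.0) can be confirmed from the two hello records of a captured handshake. The following is an added example, not part of the original thread and not lighttpd or OpenSSL code: the function names are hypothetical, the sample bytes are constructed, and it assumes TLS 1.2 or earlier, where the hello message carries the version directly.

```python
import struct

# Protocol version codes carried in TLS hello messages (TLS 1.2 and earlier).
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}
HELLO_TYPES = {1: "ClientHello", 2: "ServerHello"}

def parse_hello(record: bytes):
    """Return (message name, version code) from one TLS handshake record."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    content_type, _record_version, length = struct.unpack("!BHH", record[:5])
    if content_type != 0x16:
        # 0x15 is an alert: what a server sends when it rejects the offer.
        raise ValueError("not a handshake record (type 0x%02x)" % content_type)
    body = record[5:5 + length]
    if len(body) != length or length < 6:
        raise ValueError("truncated handshake message")
    if body[0] not in HELLO_TYPES:
        raise ValueError("not a hello message (type %d)" % body[0])
    # body[1:4] is the 24-bit handshake length; the version follows it.
    (version,) = struct.unpack("!H", body[4:6])
    return HELLO_TYPES[body[0]], version

def negotiation_report(client_record: bytes, server_record: bytes):
    """Compare the client's highest offered version with the server's choice."""
    c_name, offered = parse_hello(client_record)
    s_name, chosen = parse_hello(server_record)
    if (c_name, s_name) != ("ClientHello", "ServerHello"):
        raise ValueError("expected a ClientHello followed by a ServerHello")
    return {
        "offered": VERSIONS.get(offered, hex(offered)),
        "chosen": VERSIONS.get(chosen, hex(chosen)),
        "server_capped": chosen < offered,  # server's own maximum is lower
    }

def sample_hello(msg_type: int, version: int, tail: bytes) -> bytes:
    """Build a minimal constructed hello record (zero random, empty session id)."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00" + tail
    handshake = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", 0x0301, len(handshake)) + handshake

# Constructed samples: the client offers up to TLS 1.2, the server answers TLS 1.0.
CLIENT_HELLO = sample_hello(1, 0x0303, b"\x00\x02\xc0\x13\x01\x00")
SERVER_HELLO = sample_hello(2, 0x0301, b"\xc0\x13\x00")

if __name__ == "__main__":
    print(negotiation_report(CLIENT_HELLO, SERVER_HELLO))
```

A result with server_capped set means the server side (the web server build or the TLS library it is linked against) chose the lower version, not the browser.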
