Bug #83

document of nice and wonderful history of lighttpd :)

Added by Anonymous over 12 years ago. Updated almost 11 years ago.

Status: Fixed
Priority: Normal
Assignee: -
Category: documentation
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Missing in 1.5.x:

Description

For now, all the history I know about lighttpd is: she was founded at about "Feb 2003". It would be wonderful to have a detailed history about her (possibly including the author, Jan). This would greatly attract newbies' interest, and advance the number of lighttpd users. :)

-- Xuefer <xuefer

Associated revisions

Revision 04d510af (diff)
Added by gportay 6 months ago

[mod_openssl] ignore client verification error if not enforced

ignore client verification error if not enforced
e.g. not ssl.verifyclient.enforce = "enable"

github: closes #83

x-ref:
"ignore client verification error if not enforced"
https://github.com/lighttpd/lighttpd1.4/pull/83

Revision fb87ae86 (diff)
Added by gstrauss 6 months ago

[mod_openssl] safer_X509_NAME_oneline() (fixes #2693)

provide a safer X509_NAME_oneline() with return value semantics similar
to those of snprintf() and use safer_X509_NAME_oneline() to set
SSL_CLIENT_S_DN when client cert is validated.

The manpage for X509_NAME_oneline() says:

The functions X509_NAME_oneline() and X509_NAME_print() are legacy functions which produce a non standard output form, they don't handle multi character fields and have various quirks and inconsistencies. Their use is strongly discouraged in new applications.

Besides X509_NAME_oneline() function being deprecated, until fairly recently, there was a security issue with the function, too.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2176

The X509_NAME_oneline function in crypto/x509/x509_obj.c in OpenSSL before 1.0.1t and 1.0.2 before 1.0.2h allows remote attackers to obtain sensitive information from process stack memory or cause a denial of service (buffer over-read) via crafted EBCDIC ASN.1 data.

github: closes #63, closes #83

x-ref:
"support SSL_CLIENT_VERIFY & SSL_CLIENT_S_DN"
https://redmine.lighttpd.net/issues/2693
https://github.com/lighttpd/lighttpd1.4/pull/63
https://github.com/lighttpd/lighttpd1.4/pull/83
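
Added example, not lighttpd's code and not part of the commit above: a dependency-free C illustration of the snprintf()-style contract the commit message for fb87ae86 describes, where the formatter always NUL-terminates and returns the length the full name needs, so the caller can detect truncation. struct dn_attr, dn_oneline() and export_client_s_dn() are hypothetical names, the subject is constructed, and refusing to export a truncated DN is an assumed policy.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for one decoded subject attribute (not an OpenSSL type). */
struct dn_attr { const char *type; const char *value; };

/* Format attrs as "C=US, O=Example, CN=client1" into buf[sz].
 * Like snprintf(): writes at most sz-1 bytes plus a NUL and returns the length
 * the complete string needs (excluding the NUL), or -1 on bad arguments. */
static int dn_oneline(const struct dn_attr *attrs, size_t n, char *buf, size_t sz)
{
    size_t total = 0;
    if (buf == NULL || sz == 0) return -1;
    buf[0] = '\0';
    for (size_t i = 0; i < n; ++i) {
        /* Once the output is full, keep counting but only rewrite the final NUL. */
        size_t off = total < sz ? total : sz - 1;
        int w = snprintf(buf + off, sz - off, "%s%s=%s",
                         i ? ", " : "", attrs[i].type, attrs[i].value);
        if (w < 0) { buf[0] = '\0'; return -1; }
        total += (size_t)w;
    }
    return (int)total;
}

/* Assumed policy: return 1 only when the whole DN fit in out[]; otherwise clear
 * out[] and return 0 so a truncated subject is never used as SSL_CLIENT_S_DN. */
static int export_client_s_dn(const struct dn_attr *attrs, size_t n,
                              char *out, size_t sz)
{
    int len = dn_oneline(attrs, n, out, sz);
    if (len < 0 || (size_t)len >= sz) {
        if (out != NULL && sz > 0) out[0] = '\0';
        return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample subject, not taken from a real certificate. */
    const struct dn_attr subj[] = { {"C", "US"}, {"O", "Example"}, {"CN", "client1"} };
    char ok[64], tiny[16];
    printf("%d \"%s\"\n", export_client_s_dn(subj, 3, ok, sizeof ok), ok);
    printf("%d \"%s\"\n", export_client_s_dn(subj, 3, tiny, sizeof tiny), tiny);
    return 0;
}
```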

History

#1

Updated by jan over 12 years ago

  • Status changed from New to Fixed
  • Resolution set to fixed
