[UE] lighttpd1.4.66 ssl.pemfile has to be set in same $SERVER["socket"] scope as other ssl.* directives, unless only ssl.engine is set, inheriting ssl.* from global scope
Hello
Based on the latest 1.4.66 version and embedded Linux system, the lighttpd process in my device reported a segmentation fault and did not come up.
The crash information is as follows:
[20220916_16:00:43:922]2018-10-07 15:43[ 122.719985] lighttpd[12864]: segfault at 4dbfd7dc ip 4dbfd7dc sp 7fe64c6c error 14
[20220916_16:00:43:922]:52: (../../lighttpd-1.4.66/src/mod_openssl.c.2748) ssl.pemfile has to be set in same $SERVER["socket"] scope as other ssl.* directives, unless only ssl.engine is set, inheriting ssl.* from global scope
[20220916_16:00:43:922]2018-10-07 15:43:52: (../../lighttpd-1.4.66/src/server.c.1291) Initialization of plugins failed. Going down.
[20220916_16:00:43:922]Segmentation fault (core dumped).
Is there something wrong with my lighttpd configuration?
Thanks.
My configs are as below:
# lighttpd configuration file
#
# use it as a base for lighttpd 1.0.0 and above
#
# $Id: lighttpd.conf,v 1.7 2004/11/03 22:26:05 weigon Exp $

# Run-time base dir for GW executables
# Does not work well.
# Currently configured for 1 file system builds
#var.basedir = "" #env.CONFIG_TI_ROOTGW_SEPARATE_FS_NAME

############ Options you really have to take care of ####################

## modules to load
# at least mod_access and mod_accesslog should be loaded
# all other module should only be loaded if really neccesary
# - saves some time
# - saves memory
server.modules = (
    "mod_rewrite",
    "mod_redirect",
#   "mod_alias",
    "mod_access",
    "mod_accesslog",
#   "mod_trigger_b4_dl",
    "mod_auth",
#   "mod_status",
    "mod_setenv",
#ARRIS MOD CLM-53446
    "mod_fastcgi",
#   "mod_proxy",
#   "mod_simple_vhost",
#   "mod_evhost",
#   "mod_userdir",
    "mod_cgi",
#   "mod_compress",
#   "mod_ssi",
#   "mod_usertrack",
#   "mod_expire",
#   "mod_secdownload",
#   "mod_rrdtool",
    "mod_openssl",
)

## A static document-root. For virtual hosting take a look at the
## mod_simple_vhost module.
#server.document-root = "/usr/www/"
server.document-root = "/" + "/usr/www/"

## where to send error-messages to
server.errorlog = "/rdklogs/logs/lighttpderror.log"

# files to check for if .../ is requested
index-file.names = ( "index.php", "index.html",
                     "index.htm", "default.htm", "intel-web-page.html" )

## set the event-handler (read the performance section in the manual)
# server.event-handler = "freebsd-kqueue" # needed on OS X

# mimetype mapping
mimetype.assign = (
  ".pdf" => "application/pdf",
  ".sig" => "application/pgp-signature",
  ".spl" => "application/futuresplash",
  ".class" => "application/octet-stream",
  ".ps" => "application/postscript",
  ".torrent" => "application/x-bittorrent",
  ".dvi" => "application/x-dvi",
  ".gz" => "application/x-gzip",
  ".pac" => "application/x-ns-proxy-autoconfig",
  ".swf" => "application/x-shockwave-flash",
  ".tar.gz" => "application/x-tgz",
  ".tgz" => "application/x-tgz",
  ".tar" => "application/x-tar",
  ".zip" => "application/zip",
  ".mp3" => "audio/mpeg",
  ".m3u" => "audio/x-mpegurl",
  ".wma" => "audio/x-ms-wma",
  ".wax" => "audio/x-ms-wax",
  ".ogg" => "application/ogg",
  ".wav" => "audio/x-wav",
  ".gif" => "image/gif",
  ".jar" => "application/x-java-archive",
  ".jpg" => "image/jpeg",
  ".jpeg" => "image/jpeg",
  ".png" => "image/png",
  ".xbm" => "image/x-xbitmap",
  ".xpm" => "image/x-xpixmap",
  ".xwd" => "image/x-xwindowdump",
  ".css" => "text/css",
  ".html" => "text/html",
  ".htm" => "text/html",
  ".js" => "text/javascript",
  ".asc" => "text/plain",
  ".c" => "text/plain",
  ".cpp" => "text/plain",
  ".log" => "text/plain",
  ".conf" => "text/plain",
  ".text" => "text/plain",
  ".txt" => "text/plain",
  ".dtd" => "text/xml",
  ".xml" => "text/xml",
  ".mpeg" => "video/mpeg",
  ".mpg" => "video/mpeg",
  ".mov" => "video/quicktime",
  ".qt" => "video/quicktime",
  ".avi" => "video/x-msvideo",
  ".asf" => "video/x-ms-asf",
  ".asx" => "video/x-ms-asf",
  ".wmv" => "video/x-ms-wmv",
  ".bz2" => "application/x-bzip",
  ".tbz" => "application/x-bzip-compressed-tar",
  ".tar.bz2" => "application/x-bzip-compressed-tar",
  # default mime type
  "" => "application/octet-stream",
)

# Use the "Content-Type" extended attribute to obtain mime type if possible
#mimetype.use-xattr = "enable"

## send a different Server: header
## be nice and keep it at lighttpd
server.tag = "lighttpd"

#### accesslog module. This log will be huge during dDos attacking.
accesslog.filename = "/rdklogs/logs/lighttpdaccess.log"

## deny access the file-extensions
#
# ~ is for backupfiles from vi, emacs, joe, ...
# .inc is often used for code includes which should in general not be part
# of the document-root
url.access-deny = ( "~", ".inc", ".html", "actionHandler", "cgi-bin", "cmn", "common", "custom", "includes", "languages", "pcontrol" )

#$HTTP["url"] =~ "\.pdf$" {
# server.range-requests = "disable"
#}

##
# which extensions should not be handle via static-file transfer
#
# .php, .pl, .fcgi are most often handled by mod_fastcgi or mod_cgi
static-file.exclude-extensions = ( ".php", ".pl", ".fcgi", ".sh" )

######### Options that are good to be but not neccesary to be changed #######

server.use-ipv6 = "enable"

## bind to port (default: 80)
## bind to localhost (default: all interfaces)
#server.bind = "10.0.0.1"
#$SERVER["socket"] == "255.255.255.255:80" {}

## error-handler for status 404
#server.error-handler-404 = "/error-handler.html"
server.error-handler-404 = "/index.php"

## to help the rc.scripts
server.pid-file = "/var/run/lighttpd.pid"

###### virtual hosts
##
## If you want name-based virtual hosting add the next three settings and load
## mod_simple_vhost
##
## document-root =
## virtual-server-root + virtual-server-default-host + virtual-server-docroot
## or
## virtual-server-root + http-host + virtual-server-docroot
##
#simple-vhost.server-root = "/srv/www/vhosts/"
#simple-vhost.default-host = "www.example.org"
#simple-vhost.document-root = "/htdocs/"

##
## Format: <errorfile-prefix><status-code>.html
## -> ..../status-404.html for 'File not found'
#server.errorfile-prefix = "/usr/share/lighttpd/errors/status-"
#server.errorfile-prefix = "/srv/www/errors/status-"
server.errorfile-prefix = "/usr/www/status-"

## virtual directory listings
#dir-listing.activate = "enable"
## select encoding for directory listings
#dir-listing.encoding = "utf-8"

## enable debugging
#debug.log-request-header = "enable"
#debug.log-response-header = "enable"
#debug.log-request-handling = "enable"
#debug.log-file-not-found = "enable"

### only root can use these options
#
# chroot() to directory (default: no chroot() )
#server.chroot = "/"

## change uid to <uid> (default: don't care)
#server.username = "wwwrun"

## change uid to <uid> (default: don't care)
#server.groupname = "wwwrun"

#### compress module
#compress.cache-dir = "/var/cache/lighttpd/compress/"
#compress.filetype = ("text/plain", "text/html")

#### proxy module
## read proxy.txt for more info
#proxy.server = ( ".php" =>
# ( "localhost" =>
# (
# "host" => "192.168.0.101",
# "port" => 80
# )
# )
# )

#### fastcgi module
## read fastcgi.txt for more info
## for PHP don't forget to set cgi.fix_pathinfo = 1 in the php.ini
fastcgi.server = ( ".php" =>
  ( "localhost" =>
    (
# "host" => "10.0.0.1" ,
#ARRIS MOD START CLM-28750
# "host" => "0.0.0.0",
      "host" => "127.0.0.1",
#ARRIS MOD END CLM-28750
      "port" => 1026 ,
# "bin-path" => "/bin/php-cgi -c /etc/php.ini",
# "bin-path" => "/fss/gw" + "/bin/php-cgi -c /etc/php.ini",
      "bin-path" => "/usr/bin/php-cgi -c /etc/php.ini",
    )
  )
)

#### CGI module
cgi.assign = ( ".pl" => "/usr/bin/perl",
               ".cgi" => "/usr/bin/perl",
               ".sh" => "/bin/sh" )

#### SSL engine
#ssl.engine = "enable"
#ssl.pemfile = "/etc/ssl/private/lighttpd.pem"

#### status module
#status.status-url = "/server-status"
#status.config-url = "/server-config"

#### auth module
## read authentication.txt for more info
#auth.backend = "plain"
#auth.backend.plain.userfile = "lighttpd.user"
#auth.backend.plain.groupfile = "lighttpd.group"

#auth.backend.ldap.hostname = "localhost"
#auth.backend.ldap.base-dn = "dc=my-domain,dc=com"
#auth.backend.ldap.filter = "(uid=$)"

#auth.require = ( "/server-status" =>
# (
# "method" => "digest",
# "realm" => "download archiv",
# "require" => "user=jan"
# ),
# "/server-config" =>
# (
# "method" => "digest",
# "realm" => "download archiv",
# "require" => "valid-user"
# )
# )

#### url handling modules (rewrite, redirect, access)
#url.rewrite = ( "^/$" => "/server-status" )
#url.redirect = ( "^/wishlist/(.+)" => "http://www.123.org/$1" )
#### both rewrite/redirect support back reference to regex conditional using %n
#$HTTP["host"] =~ "^www\.(.*)" {
# url.redirect = ( "^/(.*)" => "http://%1/$1" )
#}

#
# define a pattern for the host url finding
# %% => % sign
# %0 => domain name + tld
# %1 => tld
# %2 => domain name without tld
# %3 => subdomain 1 name
# %4 => subdomain 2 name
#
#evhost.path-pattern = "/srv/www/vhosts/%3/htdocs/"

#### expire module
#expire.url = ( "/buggy/" => "access 2 hours", "/asdhas/" => "access plus 1 seconds 2 minutes")

#### ssi
#ssi.extension = ( ".shtml" )

#### rrdtool
#rrdtool.binary = "/usr/bin/rrdtool"
#rrdtool.db-name = "/var/lib/lighttpd/lighttpd.rrd"

#### setenv
#setenv.add-request-header = ( "TRAV_ENV" => "mysql://user@host/db" )
#setenv.add-response-header = ( "X-Secret-Message" => "42" )

## for mod_trigger_b4_dl
# trigger-before-download.gdbm-filename = "/var/lib/lighttpd/trigger.db"
# trigger-before-download.memcache-hosts = ( "127.0.0.1:11211" )
# trigger-before-download.trigger-url = "^/trigger/"
# trigger-before-download.download-url = "^/download/"
# trigger-before-download.deny-url = "http://127.0.0.1/index.html"
# trigger-before-download.trigger-timeout = 10

#### variable usage:
## variable name without "." is auto prefixed by "var." and becomes "var.bar"
#bar = 1
#var.mystring = "foo"

## integer add
#bar += 1
## string concat, with integer cast as string, result: "www.foo1.com"
#server.name = "www." + mystring + var.bar + ".com"
## array merge
#index-file.names = (foo + ".php") + index-file.names
#index-file.names += (foo + ".php")

#### include
#include /etc/lighttpd/lighttpd-inc.conf
## same as above if you run: "lighttpd -f /etc/lighttpd/lighttpd.conf"
#include "lighttpd-inc.conf"

#### include_shell
#include_shell "echo var.a=1"
## the above is same as:
#var.a=1

setenv.add-response-header += ( "X-Content-Type-Options" => "nosniff" )

server.port = 80
server.bind = "brlan0"

$HTTP["scheme"] == "http" {
    $SERVER["socket"] == "brlan0:51515" {
    } else $HTTP["host"] == "192.168.0.1" {
    } else $HTTP["host"] == "192.168.100.1" {
    } else $HTTP["host"] == "[fe80::d63f:cbff:fe86:1d6e]" {
    } else $HTTP["host"] =~ ".*" {
        url.redirect = (".*" => "https://%0$0")
    }
}

$SERVER["socket"] == "wan0:80" {
    server.use-ipv6 = "enable"
}

$SERVER["socket"] == "brlan0:443" {
    server.use-ipv6 = "enable"
    ssl.engine = "enable"
    ssl.ca-file = "/tmp/cacert.pem"
    ssl.dh-file = "/etc/dhparam.pem"
    ssl.honor-cipher-order = "enable"
    ssl.cipher-list = "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256"
}

$SERVER["socket"] == "wan0:443" {
    server.use-ipv6 = "enable"
    ssl.engine = "enable"
    ssl.ca-file = "/tmp/cacert.pem"
    ssl.dh-file = "/etc/dhparam.pem"
    ssl.honor-cipher-order = "enable"
    ssl.cipher-list = "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256"
}

$SERVER["socket"] == "erouter0:8181" {
    server.use-ipv6 = "enable"
    ssl.engine = "enable"
    ssl.ca-file = "/tmp/cacert.pem"
}

$SERVER["socket"] == "brlan0:51515" {
    server.use-ipv6 = "enable"
    server.document-root = "/usr/www/pcontrol/"
}

$SERVER["socket"] == "brlan0:50011" {
    server.use-ipv6 = "enable"
    ssl.engine = "enable"
    ssl.ca-file = "/tmp/cacert.pem"
    server.document-root = "/usr/lca/"
    accesslog.filename = "/var/tmp/lca_access.log"
    accesslog.syslog-level = 7
    accesslog.format = "%h %V %u %t \"%r\" %>s %b \"%{Cookie}i\" \"%{Content-Type}i\" \"%{Content-Length}i\" \"%{Content-Encoding}i\" \"%{User-Agent}i\" duration:%T/%D"
    fastcgi.server = ( "" =>
      ( "localhost" =>
        (
          "socket" => "/tmp/php-cgi.socket",
          "bin-path" => "/usr/bin/php-cgi -c /etc/lca_php.ini",
          "max-procs" => 2
        )
      )
    )
}
Replies (6)
RE: lighttpd1.4.66 ssl.pemfile has to be set in same $SERVER["socket"] scope as other ssl.* directives, unless only ssl.engine is set, inheriting ssl.* from global scope - Added by leo1 9 months ago
leo1 wrote:
Hello
Based on the latest 1.4.66 version and embedded Linux system, the lighttpd process in my device reported a segmentation fault and did not come up.
The crash information is as follows:
[20220916_16:00:43:922]2018-10-07 15:43[ 122.719985] lighttpd[12864]: segfault at 4dbfd7dc ip 4dbfd7dc sp 7fe64c6c error 14
[20220916_16:00:43:922]:52: (../../lighttpd-1.4.66/src/mod_openssl.c.2748) ssl.pemfile has to be set in same $SERVER["socket"] scope as other ssl.* directives, unless only ssl.engine is set, inheriting ssl.* from global scope
[20220916_16:00:43:922]2018-10-07 15:43:52: (../../lighttpd-1.4.66/src/server.c.1291) Initialization of plugins failed. Going down.
[20220916_16:00:43:922]Segmentation fault (core dumped).
Is there something wrong with my lighttpd configuration?
Thanks.
lighttpd.conf (14.7 KB)
RE: lighttpd1.4.66 ssl.pemfile has to be set in same $SERVER["socket"] scope as other ssl.* directives, unless only ssl.engine is set, inheriting ssl.* from global scope - Added by leo1 9 months ago
Hi
My gdb debug info is as follows:
Core was generated by `lighttpd -tt -f /var/lighttpd.conf'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x4e8c27dc in ?? ()
(gdb) bt
#0 0x4e8c27dc in ?? ()
#1 0x4e601bae in OPENSSL_cleanup () from /usr/lib/libcrypto.so.1.1
#2 0x4e13f093 in ?? ()
#3 0x00000000 in ?? ()
I had a similar segfault in lighttpd 1.4.53 version before, now I upgraded to the latest lighttpd 1.4.66
version and the error still occurs. Is the library version of my openssl wrong? This problem has troubled
me for a long time. Any help from you is greatly appreciated.
RE: lighttpd1.4.66 ssl.pemfile has to be set in same $SERVER["socket"] scope as other ssl.* directives, unless only ssl.engine is set, inheriting ssl.* from global scope - Added by gstrauss 9 months ago
> [20220916_16:00:43:922]:52: (../../lighttpd-1.4.66/src/mod_openssl.c.2748) ssl.pemfile has to be set in same $SERVER["socket"] scope as other ssl.* directives, unless only ssl.engine is set, inheriting ssl.* from global scope
> [20220916_16:00:43:922]2018-10-07 15:43:52: (../../lighttpd-1.4.66/src/server.c.1291) Initialization of plugins failed. Going down.
> Is there something wrong with my lighttpd configuration?
Yes. See above error message and see the lighttpd documentation.
Has anything changed since #3159 or https://redmine.lighttpd.net/boards/2/topics/10542 ?
You still have failed to read the documentation
RE: lighttpd1.4.66 ssl.pemfile has to be set in same $SERVER["socket"] scope as other ssl.* directives, unless only ssl.engine is set, inheriting ssl.* from global scope - Added by gstrauss 9 months ago
Your config is missing ssl.pemfile in some $SERVER["socket"] containing ssl.engine = "enable"
ssl.dh-file is deprecated.
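A checker for the rule quoted in the error message, as an added example (not part of the thread and not lighttpd's own code): it flags every $SERVER["socket"] block that sets ssl.* directives other than ssl.engine without its own ssl.pemfile. The sample config is constructed; its first block mirrors one from the posted config, and the server.pem path is a placeholder.

```python
import re

SOCKET_RE = re.compile(r'\$SERVER\["socket"\]\s*==\s*"([^"]*)"\s*\{')
SSL_RE = re.compile(r'(?<![\w.])(ssl\.[\w.-]+)\s*(?:\+=|:=|=)')
STR_OR_COMMENT = re.compile(r'("(?:\\.|[^"\\])*")|#[^\n]*')
STR_OR_BRACE = re.compile(r'"(?:\\.|[^"\\])*"|[{}]')

def block_body(text, start):
    """Text from `start` (just past '{') to the matching '}', skipping strings."""
    depth = 1
    for tok in STR_OR_BRACE.finditer(text, start):
        depth += {"{": 1, "}": -1}.get(tok.group(), 0)
        if depth == 0:
            return text[start:tok.start()]
    return text[start:]

def check_tls_scopes(conf):
    """Return (socket, violates_rule, ssl_directives) per socket block using ssl.*."""
    text = STR_OR_COMMENT.sub(lambda m: m.group(1) or "", conf)  # drop comments
    findings = []
    for m in SOCKET_RE.finditer(text):
        found = set(SSL_RE.findall(block_body(text, m.end())))
        if found:
            bad = bool(found - {"ssl.engine"}) and "ssl.pemfile" not in found
            findings.append((m.group(1), bad, sorted(found)))
    return findings

# Constructed sample; the first block mirrors one from the posted config.
SAMPLE = r'''
$SERVER["socket"] == "brlan0:443" {
    ssl.engine  = "enable"
    ssl.ca-file = "/tmp/cacert.pem"
    #ssl.pemfile = "/etc/ssl/private/lighttpd.pem"
}
$SERVER["socket"] == "wan0:443" {       # pemfile in the same scope (placeholder path)
    ssl.engine  = "enable"
    ssl.pemfile = "/path/to/server.pem"
    ssl.ca-file = "/tmp/cacert.pem"
}
$SERVER["socket"] == "erouter0:8181" {  # ssl.engine only: inherits global ssl.*
    ssl.engine = "enable"
}
$SERVER["socket"] == "brlan0:51515" {
    server.document-root = "/usr/www/pcontrol/"
}
'''

if __name__ == "__main__":
    for socket, bad, found in check_tls_scopes(SAMPLE):
        print(socket, "MISSING ssl.pemfile" if bad else "ok", found)
```

The authoritative check remains lighttpd's own config test, which the thread runs as `lighttpd -tt -f /var/lighttpd.conf`.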
RE: lighttpd1.4.66 ssl.pemfile has to be set in same $SERVER["socket"] scope as other ssl.* directives, unless only ssl.engine is set, inheriting ssl.* from global scope - Added by leo1 9 months ago
Hi gstrauss. Thanks for your help, I have added server.pem.
But the segfault still appears. I suspect that my openssl library version does not match.
My openssl library version is OpenSSL 1.1.1l. Is there any way to confirm it?
Thanks.
RE: [UE] lighttpd1.4.66 ssl.pemfile has to be set in same $SERVER["socket"] scope as other ssl.* directives, unless only ssl.engine is set, inheriting ssl.* from global scope - Added by leo1 8 months ago
I found that I deleted the ssl.ca-file configuration in lighttpd.conf, the segfault problem no longer appeared, and the lighttpd process was running normally. But when I try to log into the GUI, I find that I can't log in. I suspect the cacert.pem file in the tmp directory needs to be updated or the new lighttpd version replaces the ssl.ca-file with a different configuration