Project

General

Profile

[UE] lighttpd1.4.66 ssl.pemfile has to be set in same $SERVER["socket"] scope as other ssl.* directives, unless only ssl.engine is set, inheriting ssl.* from global scope

Added by leo1 14 days ago

Hello
Based on the latest 1.4.66 version and embedded Linux system, The lighttpd process in my device reported a segmentation fault and did not come up.
The crash information is as follows:

[20220916_16:00:43:922]2018-10-07 15:43[  122.719985] lighttpd[12864]: segfault at 4dbfd7dc ip 4dbfd7dc sp 7fe64c6c error 14
[20220916_16:00:43:922]:52: (../../lighttpd-1.4.66/src/mod_openssl.c.2748) ssl.pemfile has to be set in same $SERVER["socket"] scope as other ssl.* directives, unless only ssl.engine is set, inheriting ssl.* from global scope
[20220916_16:00:43:922]2018-10-07 15:43:52: (../../lighttpd-1.4.66/src/server.c.1291) Initialization of plugins failed. Going down.
[20220916_16:00:43:922]Segmentation fault (core dumped).

Is there something wrong with my lighttpd configuration?
Thanks.

My configs are as below:

# lighttpd configuration file
#
# use it as a base for lighttpd 1.0.0 and above
#
# $Id: lighttpd.conf,v 1.7 2004/11/03 22:26:05 weigon Exp $

# Run-time base dir for GW executables
# Does not work well.
# Currently configured for 1 file system builds
#var.basedir = "" #env.CONFIG_TI_ROOTGW_SEPARATE_FS_NAME

############ Options you really have to take care of ####################

## modules to load
# at least mod_access and mod_accesslog should be loaded
# all other module should only be loaded if really neccesary
# - saves some time
# - saves memory
server.modules              = (
                                "mod_rewrite",
                                "mod_redirect",
#                               "mod_alias",
                                "mod_access",
                                "mod_accesslog",
#                               "mod_trigger_b4_dl",
                                "mod_auth",
#                               "mod_status",
                                "mod_setenv",          #ARRIS MOD CLM-53446
                                "mod_fastcgi",
#                               "mod_proxy",
#                               "mod_simple_vhost",
#                               "mod_evhost",
#                               "mod_userdir",
                                "mod_cgi",
#                               "mod_compress",
#                               "mod_ssi",
#                               "mod_usertrack",
#                               "mod_expire",
#                               "mod_secdownload",
#                               "mod_rrdtool",
                                "mod_openssl",
                                 )

## A static document-root. For virtual hosting take a look at the
## mod_simple_vhost module.
#server.document-root        = "/usr/www/" 
server.document-root        = "/" + "/usr/www/" 

## where to send error-messages to
server.errorlog            = "/rdklogs/logs/lighttpderror.log" 

# files to check for if .../ is requested
index-file.names            = ( "index.php", "index.html",
                                "index.htm", "default.htm", "intel-web-page.html" )

## set the event-handler (read the performance section in the manual)
# server.event-handler = "freebsd-kqueue" # needed on OS X

# mimetype mapping
mimetype.assign             = (
  ".pdf"          =>      "application/pdf",
  ".sig"          =>      "application/pgp-signature",
  ".spl"          =>      "application/futuresplash",
  ".class"        =>      "application/octet-stream",
  ".ps"           =>      "application/postscript",
  ".torrent"      =>      "application/x-bittorrent",
  ".dvi"          =>      "application/x-dvi",
  ".gz"           =>      "application/x-gzip",
  ".pac"          =>      "application/x-ns-proxy-autoconfig",
  ".swf"          =>      "application/x-shockwave-flash",
  ".tar.gz"       =>      "application/x-tgz",
  ".tgz"          =>      "application/x-tgz",
  ".tar"          =>      "application/x-tar",
  ".zip"          =>      "application/zip",
  ".mp3"          =>      "audio/mpeg",
  ".m3u"          =>      "audio/x-mpegurl",
  ".wma"          =>      "audio/x-ms-wma",
  ".wax"          =>      "audio/x-ms-wax",
  ".ogg"          =>      "application/ogg",
  ".wav"          =>      "audio/x-wav",
  ".gif"          =>      "image/gif",
  ".jar"          =>      "application/x-java-archive",
  ".jpg"          =>      "image/jpeg",
  ".jpeg"         =>      "image/jpeg",
  ".png"          =>      "image/png",
  ".xbm"          =>      "image/x-xbitmap",
  ".xpm"          =>      "image/x-xpixmap",
  ".xwd"          =>      "image/x-xwindowdump",
  ".css"          =>      "text/css",
  ".html"         =>      "text/html",
  ".htm"          =>      "text/html",
  ".js"           =>      "text/javascript",
  ".asc"          =>      "text/plain",
  ".c"            =>      "text/plain",
  ".cpp"          =>      "text/plain",
  ".log"          =>      "text/plain",
  ".conf"         =>      "text/plain",
  ".text"         =>      "text/plain",
  ".txt"          =>      "text/plain",
  ".dtd"          =>      "text/xml",
  ".xml"          =>      "text/xml",
  ".mpeg"         =>      "video/mpeg",
  ".mpg"          =>      "video/mpeg",
  ".mov"          =>      "video/quicktime",
  ".qt"           =>      "video/quicktime",
  ".avi"          =>      "video/x-msvideo",
  ".asf"          =>      "video/x-ms-asf",
  ".asx"          =>      "video/x-ms-asf",
  ".wmv"          =>      "video/x-ms-wmv",
  ".bz2"          =>      "application/x-bzip",
  ".tbz"          =>      "application/x-bzip-compressed-tar",
  ".tar.bz2"      =>      "application/x-bzip-compressed-tar",
  # default mime type
  ""              =>      "application/octet-stream",
 )

# Use the "Content-Type" extended attribute to obtain mime type if possible
#mimetype.use-xattr        = "enable" 

## send a different Server: header
## be nice and keep it at lighttpd
server.tag                 = "lighttpd" 

#### accesslog module. This log will be huge during dDos attacking.
accesslog.filename         = "/rdklogs/logs/lighttpdaccess.log" 

## deny access the file-extensions
#
# ~    is for backupfiles from vi, emacs, joe, ...
# .inc is often used for code includes which should in general not be part
#      of the document-root
url.access-deny             = ( "~", ".inc", ".html", "actionHandler", "cgi-bin", "cmn", "common", "custom", "includes", "languages", "pcontrol" )

#$HTTP["url"] =~ "\.pdf$" {
#  server.range-requests = "disable" 
#}

##
# which extensions should not be handle via static-file transfer
#
# .php, .pl, .fcgi are most often handled by mod_fastcgi or mod_cgi
static-file.exclude-extensions = ( ".php", ".pl", ".fcgi", ".sh" )

######### Options that are good to be but not neccesary to be changed #######

server.use-ipv6 = "enable" 

## bind to port (default: 80)

## bind to localhost (default: all interfaces)
#server.bind                = "10.0.0.1" 
#$SERVER["socket"] == "255.255.255.255:80" {}

## error-handler for status 404
#server.error-handler-404   = "/error-handler.html" 
server.error-handler-404   = "/index.php" 

## to help the rc.scripts
server.pid-file             = "/var/run/lighttpd.pid" 

###### virtual hosts
##
##  If you want name-based virtual hosting add the next three settings and load
##  mod_simple_vhost
##
## document-root =
##   virtual-server-root + virtual-server-default-host + virtual-server-docroot
## or
##   virtual-server-root + http-host + virtual-server-docroot
##
#simple-vhost.server-root   = "/srv/www/vhosts/" 
#simple-vhost.default-host  = "www.example.org" 
#simple-vhost.document-root = "/htdocs/" 

##
## Format: <errorfile-prefix><status-code>.html
## -> ..../status-404.html for 'File not found'
#server.errorfile-prefix    = "/usr/share/lighttpd/errors/status-" 
#server.errorfile-prefix    = "/srv/www/errors/status-" 
server.errorfile-prefix    =  "/usr/www/status-" 

## virtual directory listings
#dir-listing.activate       = "enable" 
## select encoding for directory listings
#dir-listing.encoding        = "utf-8" 

## enable debugging
#debug.log-request-header   = "enable" 
#debug.log-response-header  = "enable" 
#debug.log-request-handling = "enable" 
#debug.log-file-not-found   = "enable" 

### only root can use these options
#
# chroot() to directory (default: no chroot() )
#server.chroot              = "/" 

## change uid to <uid> (default: don't care)
#server.username            = "wwwrun" 

## change uid to <uid> (default: don't care)
#server.groupname           = "wwwrun" 

#### compress module
#compress.cache-dir         = "/var/cache/lighttpd/compress/" 
#compress.filetype          = ("text/plain", "text/html")

#### proxy module
## read proxy.txt for more info
#proxy.server               = ( ".php" =>
#                               ( "localhost" =>
#                                 (
#                                   "host" => "192.168.0.101",
#                                   "port" => 80
#                                 )
#                               )
#                             )

#### fastcgi module
## read fastcgi.txt for more info
## for PHP don't forget to set cgi.fix_pathinfo = 1 in the php.ini
fastcgi.server            = ( ".php" =>
                                ( "localhost" =>
                                    (
#                                        "host" => "10.0.0.1" ,
#ARRIS MOD START CLM-28750
#                                        "host" => "0.0.0.0",
                                        "host" => "127.0.0.1",
#ARRIS MOD END CLM-28750
                                        "port" => 1026 ,
#                                        "bin-path" => "/bin/php-cgi -c /etc/php.ini",
#                                        "bin-path" => "/fss/gw" + "/bin/php-cgi -c /etc/php.ini",
                                        "bin-path" => "/usr/bin/php-cgi -c /etc/php.ini",
                                    )
                                )
                            )

#### CGI module
cgi.assign                = ( ".pl"  => "/usr/bin/perl",
                              ".cgi" => "/usr/bin/perl",
                              ".sh"  => "/bin/sh" )

#### SSL engine
#ssl.engine                 = "enable" 
#ssl.pemfile                = "/etc/ssl/private/lighttpd.pem" 

#### status module
#status.status-url          = "/server-status" 
#status.config-url          = "/server-config" 

#### auth module
## read authentication.txt for more info
#auth.backend               = "plain" 
#auth.backend.plain.userfile = "lighttpd.user" 
#auth.backend.plain.groupfile = "lighttpd.group" 

#auth.backend.ldap.hostname = "localhost" 
#auth.backend.ldap.base-dn  = "dc=my-domain,dc=com" 
#auth.backend.ldap.filter   = "(uid=$)" 

#auth.require               = ( "/server-status" =>
#                               (
#                                 "method"  => "digest",
#                                 "realm"   => "download archiv",
#                                 "require" => "user=jan" 
#                               ),
#                               "/server-config" =>
#                               (
#                                 "method"  => "digest",
#                                 "realm"   => "download archiv",
#                                 "require" => "valid-user" 
#                               )
#                             )

#### url handling modules (rewrite, redirect, access)
#url.rewrite                = ( "^/$"             => "/server-status" )
#url.redirect               = ( "^/wishlist/(.+)" => "http://www.123.org/$1" )
#### both rewrite/redirect support back reference to regex conditional using %n
#$HTTP["host"] =~ "^www\.(.*)" {
#  url.redirect            = ( "^/(.*)" => "http://%1/$1" )
#}

#
# define a pattern for the host url finding
# %% => % sign
# %0 => domain name + tld
# %1 => tld
# %2 => domain name without tld
# %3 => subdomain 1 name
# %4 => subdomain 2 name
#
#evhost.path-pattern        = "/srv/www/vhosts/%3/htdocs/" 

#### expire module
#expire.url                 = ( "/buggy/" => "access 2 hours", "/asdhas/" => "access plus 1 seconds 2 minutes")

#### ssi
#ssi.extension              = ( ".shtml" )

#### rrdtool
#rrdtool.binary             = "/usr/bin/rrdtool" 
#rrdtool.db-name            = "/var/lib/lighttpd/lighttpd.rrd" 

#### setenv
#setenv.add-request-header  = ( "TRAV_ENV" => "mysql://user@host/db" )
#setenv.add-response-header = ( "X-Secret-Message" => "42" )

## for mod_trigger_b4_dl
# trigger-before-download.gdbm-filename = "/var/lib/lighttpd/trigger.db" 
# trigger-before-download.memcache-hosts = ( "127.0.0.1:11211" )
# trigger-before-download.trigger-url = "^/trigger/" 
# trigger-before-download.download-url = "^/download/" 
# trigger-before-download.deny-url = "http://127.0.0.1/index.html" 
# trigger-before-download.trigger-timeout = 10

#### variable usage:
## variable name without "." is auto prefixed by "var." and becomes "var.bar" 
#bar = 1
#var.mystring = "foo" 

## integer add
#bar += 1
## string concat, with integer cast as string, result: "www.foo1.com" 
#server.name = "www." + mystring + var.bar + ".com" 
## array merge
#index-file.names = (foo + ".php") + index-file.names
#index-file.names += (foo + ".php")

#### include
#include /etc/lighttpd/lighttpd-inc.conf
## same as above if you run: "lighttpd -f /etc/lighttpd/lighttpd.conf" 
#include "lighttpd-inc.conf" 

#### include_shell
#include_shell "echo var.a=1" 
## the above is same as:
#var.a=1

setenv.add-response-header += ( "X-Content-Type-Options" => "nosniff" )
server.port = 80
server.bind = "brlan0" 
$HTTP["scheme"] == "http" {
  $SERVER["socket"] == "brlan0:51515" { 
  }
  else $HTTP["host"] == "192.168.0.1" {
  }
  else $HTTP["host"] == "192.168.100.1" {
  }
  else $HTTP["host"] == "[fe80::d63f:cbff:fe86:1d6e]" {
  }
  else $HTTP["host"] =~ ".*" {
    url.redirect = (".*" => "https://%0$0")
  }
}
$SERVER["socket"] == "wan0:80" { server.use-ipv6 = "enable" }
$SERVER["socket"] == "brlan0:443" { server.use-ipv6 = "enable" ssl.engine = "enable" ssl.ca-file = "/tmp/cacert.pem" ssl.dh-file = "/etc/dhparam.pem" ssl.honor-cipher-order = "enable" ssl.cipher-list = "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256" }
$SERVER["socket"] == "wan0:443" { server.use-ipv6 = "enable" ssl.engine = "enable" ssl.ca-file = "/tmp/cacert.pem" ssl.dh-file = "/etc/dhparam.pem" ssl.honor-cipher-order = "enable" ssl.cipher-list = "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256" }
$SERVER["socket"] == "erouter0:8181" { server.use-ipv6 = "enable" ssl.engine = "enable" ssl.ca-file = "/tmp/cacert.pem" }
$SERVER["socket"] == "brlan0:51515" { server.use-ipv6 = "enable" server.document-root = "/usr/www/pcontrol/" }

$SERVER["socket"] == "brlan0:50011"    {
    server.use-ipv6      = "enable" 
    ssl.engine           = "enable" 
    ssl.ca-file          = "/tmp/cacert.pem" 
    server.document-root = "/usr/lca/" 
    accesslog.filename   = "/var/tmp/lca_access.log" 
    accesslog.syslog-level = 7
    accesslog.format = "%h %V %u %t \"%r\" %>s %b \"%{Cookie}i\" \"%{Content-Type}i\" \"%{Content-Length}i\" \"%{Content-Encoding}i\" \"%{User-Agent}i\" duration:%T/%D" 
    fastcgi.server  = ( "" =>
        ( "localhost" =>
            (
                "socket" => "/tmp/php-cgi.socket",
                "bin-path" => "/usr/bin/php-cgi -c /etc/lca_php.ini",
                "max-procs" => 2
            )
        )
    )
}


Replies (5)

RE: lighttpd1.4.66 ssl.pemfile has to be set in same $SERVER["socket"] scope as other ssl.* directives, unless only ssl.engine is set, inheriting ssl.* from global scope - Added by leo1 14 days ago

leo1 wrote:

Hello
Based on the latest 1.4.66 version and embedded Linux system, The lighttpd process in my device reported a segmentation fault and did not come up.
The crash information is as follows:
[20220916_16:00:43:922]2018-10-07 15:43[ 122.719985] lighttpd12864: segfault at 4dbfd7dc ip 4dbfd7dc sp 7fe64c6c error 14
[20220916_16:00:43:922]:52: (../../lighttpd-1.4.66/src/mod_openssl.c.2748) ssl.pemfile has to be set in same $SERVER["socket"] scope as other ssl.* directives, unless only ssl.engine is set, inheriting ssl.* from global scope
[20220916_16:00:43:922]2018-10-07 15:43:52: (../../lighttpd-1.4.66/src/server.c.1291) Initialization of plugins failed. Going down.
[20220916_16:00:43:922]Segmentation fault (core dumped).

Is there something wrong with my lighttpd configuration?
Thanks.

RE: lighttpd1.4.66 ssl.pemfile has to be set in same $SERVER["socket"] scope as other ssl.* directives, unless only ssl.engine is set, inheriting ssl.* from global scope - Added by leo1 14 days ago

Hi
My gdb debug info is as follows:
Core was generated by `lighttpd -tt -f /var/lighttpd.conf'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x4e8c27dc in ?? ()
(gdb) bt
#0 0x4e8c27dc in ?? ()
#1 0x4e601bae in OPENSSL_cleanup () from /usr/lib/libcrypto.so.1.1
#2 0x4e13f093 in ?? ()
#3 0x00000000 in ?? ()

I had a similar segfault in lighttpd 1.4.53 version before, now I upgraded to the latest lighttpd 1.4.66
version and the error still occurs. Is the library version of my openssl wrong? This problem has troubled
me for a long time. Any help from you is greatly appreciated.

RE: lighttpd1.4.66 ssl.pemfile has to be set in same $SERVER["socket"] scope as other ssl.* directives, unless only ssl.engine is set, inheriting ssl.* from global scope - Added by gstrauss 13 days ago

[20220916_16:00:43:922]:52: (../../lighttpd-1.4.66/src/mod_openssl.c.2748) ssl.pemfile has to be set in same $SERVER["socket"] scope as other ssl.* directives, unless only ssl.engine is set, inheriting ssl.* from global scope
[20220916_16:00:43:922]2018-10-07 15:43:52: (../../lighttpd-1.4.66/src/server.c.1291) Initialization of plugins failed. Going down.

Is there something wrong with my lighttpd configuration?

Yes. See above error message and see the lighttpd documentation.

Configuration: File Syntax

TLS documentation

Has anything changed since #3159 or https://redmine.lighttpd.net/boards/2/topics/10542 ?
You still have failed to read the documentation

RE: lighttpd1.4.66 ssl.pemfile has to be set in same $SERVER["socket"] scope as other ssl.* directives, unless only ssl.engine is set, inheriting ssl.* from global scope - Added by gstrauss 13 days ago

Your config is missing ssl.pemfile in some $SERVER["socket"] containing ssl.engine = "enable"
ssl.dh-file is deprecated.

RE: lighttpd1.4.66 ssl.pemfile has to be set in same $SERVER["socket"] scope as other ssl.* directives, unless only ssl.engine is set, inheriting ssl.* from global scope - Added by leo1 10 days ago

Hi gstrauss.Thanks for your help, I have added server.pem.
But the segfault still appears. I suspect that my openssl library version does not match.
My openssl library version is OpenSSL 1.1.1l.Is there any way to confirm it?
Thanks.

    (1-5/5)