[Solved] lighttpd warns about implicit openssl usage when trying to use gnutls

Added by zeault 4 months ago

Hello,

I am using lighttpd version 1.4.73 on Gentoo Linux.

I am still in the process of learning the configuration and developing a config file so I can use lighttpd as a proxy server with gnutls. I will paste my config file here, but I have not finished it yet so it doesn't do anything.

The problem occurred when I ran lighttpd -t -f <config> to check my config file for syntax errors. There appeared to be no errors, but it gave me the following warning:

Warning: please add "mod_openssl" to server.modules list in lighttpd.conf.  A future release of lighttpd 1.4.x *will not* automatically load mod_openssl and lighttpd *will not* use SSL/TLS where your lighttpd.conf contains ssl.* directives


Replies (9)

RE: lighttpd warns about implicit openssl usage when trying to use gnutls - Added by gstrauss 4 months ago

Historically, mod_openssl was the only TLS option in lighttpd. Since lighttpd 1.4.56, multiple TLS options are available, including mod_gnutls. The warning message you posted above is telling you that you did not specify a TLS module in server.modules in your lighttpd.conf, but that your lighttpd.conf (or includes) contains ssl.* directives.

Many people receiving that message will understand "add mod_openssl" better than "add a TLS module".

Also, the message is telling you that lighttpd loaded mod_openssl, but that a future version of lighttpd might not automatically load mod_openssl.

RE: lighttpd warns about implicit openssl usage when trying to use gnutls - Added by zeault 4 months ago

I hit ctrl+enter by accident and it submitted my text. I can't figure out how to go back and edit that post. I wasn't finished typing... sorry

Anyways. I received the warning about using ssl.* directives in my config file even though I have not included mod_openssl. I DID however include mod_gnutls. It is my understanding from reading the documentation that mod_gnutls implements the same ssl directives as mod_openssl. It would seem that all the ssl modules are interchangeable apart from having limited support for the ssl-conf-cmd directive. Is that not the case?

This looks like a false warning to me but I just wanted to ask in case it wasn't. If necessary, I can switch to using mod_openssl instead of gnutls. The only reason I picked gnutls in the first place was because I thought the documentation was a bit better.

I will paste my config file in the next message. Thank you.

RE: lighttpd warns about implicit openssl usage when trying to use gnutls - Added by zeault 4 months ago

# lighttpd.conf

# {{{ variables
var.basedir  = "/var/www/empty" 
var.statedir = "/var/lib/lighttpd" 
# }}}

# {{{ modules
# At the very least, mod_access and mod_accesslog should be enabled.
# All other modules should only be loaded if necessary.
# NOTE: the order of modules is important.
server.modules = (
#    "mod_rewrite",
    "mod_redirect",
    "mod_alias",
    "mod_access",
#    "mod_magnet",
    "mod_auth",
#    "mod_status",
#    "mod_setenv",
    "mod_proxy",
#    "mod_simple_vhost",
#    "mod_evhost",
#    "mod_userdir",
#    "mod_deflate",
#    "mod_ssi",
#    "mod_usertrack",
#    "mod_expire",
#    "mod_secdownload",
#    "mod_rrdtool",
#    "mod_webdav",
    "mod_accesslog" 
    "mod_gnutls" 
)
# }}}

# {{{ includes
include "include/mime-types.conf" 
# fcgi and cgi are included below
# }}}

# {{{ server settings
server.username      = "lighttpd" 
server.groupname     = "lighttpd" 

server.pid-file      = "/run/lighttpd/lighttpd.pid" 

server.document-root = var.basedir

# use syslog
accesslog.use-syslog = "enable" 
server.errorlog-use-syslog = "enable" 

# Enable debug logging
debug.log-request-handling = "enable" 

# event handler (defaults to "poll")
# see performance.txt
# for >= linux-2.6
server.event-handler = "linux-sysepoll" 

# Enable IPv6 because why not
server.use-ipv6 = "enable" 

# redirect all http requests to https
$HTTP["scheme"] == "http" {
    url.redirect = ("" => "https://${url.authority}${url.path}${qsa}")
    url.redirect-code = 308
}

# Enable gnutls 
$SERVER["socket"] == ":443" {
    ssl.engine = "enable" 
    ssl.pemfile = ".pem" 
    ssl.privkey = ".pem" 

}

RE: lighttpd warns about implicit openssl usage when trying to use gnutls - Added by gstrauss 4 months ago

Anyways. I received the warning about using ssl.* directives in my config file even though I have not included mod_openssl. I DID however include mod_gnutls. It is my understanding from reading the documentation that mod_gnutls implements the same ssl directives as mod_openssl. It would seem that all the ssl modules are interchangeable apart from having limited support for the ssl-conf-cmd directive. Is that not the case?

Your understanding is correct.

It looks like you are missing a comma after "mod_accesslog". Did you not get a warning from lighttpd when you tested the config?

#    "mod_webdav",
    "mod_accesslog" 
    "mod_gnutls" 
)

Test your config: lighttpd -f /etc/lighttpd/lighttpd.conf -tt

RE: lighttpd warns about implicit openssl usage when trying to use gnutls - Added by gstrauss 4 months ago

You ought to use full, absolute paths to those files.

    ssl.pemfile = ".pem" 
    ssl.privkey = ".pem" 

Also, best practices are to omit config directives that are identical to lighttpd defaults.


# event handler (defaults to "poll")
# see performance.txt
# for >= linux-2.6
server.event-handler = "linux-sysepoll" 

# Enable IPv6 because why not
server.use-ipv6 = "enable" 

lighttpd has not defaulted to poll for many years (when more advanced options are available from the OS, such as epoll on Linux). Whoever wrote that has not updated that file in a very long time.

RE: lighttpd warns about implicit openssl usage when trying to use gnutls - Added by gstrauss 4 months ago

I'll see if I can get the config parser to warn about the missing ',' in your server.modules list, as that is your issue. The warning about mod_openssl is not issued when the list is properly formatted and includes mod_gnutls.

RE: [Solved] lighttpd warns about implicit openssl usage when trying to use gnutls - Added by zeault 4 months ago

Thank you for the rapid feedback!

I did not realize the comma was missing. The only warning I received was about mod_openssl and the pem files which I had not yet installed. I just installed my certificates and added the comma. My config file is now validating successfully.

Also I will see if the default config file distributed with the Gentoo package ought to be updated.

RE: [Solved] lighttpd warns about implicit openssl usage when trying to use gnutls - Added by gstrauss 4 months ago

Ugh! Looks like there is a bug in the upstream LEMON parser which showed up in lighttpd 1.4.69 when I updated the ancient version in lighttpd to the maintained version from SQLite. (lighttpd source code commit f9d60e3e)

RE: [Solved] lighttpd warns about implicit openssl usage when trying to use gnutls - Added by gstrauss 4 months ago

I've added a patch for the next version of lighttpd which will detect this and error. Strings may be concatenated with '+', or should be separated by ',' or '=>' in lists in the lighttpd config.
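The failure mode in this thread, worked through as an added example (not lighttpd's own code): a small checker that tokenizes a server.modules list the way the thread describes (adjacent strings join, ',' or '=>' separate items), flags two string literals with no operator between them, and reports whether any TLS module ended up in the list. The sample config, the tokenizer and the function names are constructed for this example.

```python
import re

# Constructed sample: the server.modules list from the thread, with the
# missing ',' between "mod_accesslog" and "mod_gnutls".
BROKEN_CONF = '''
server.modules = (
#    "mod_webdav",
    "mod_accesslog"
    "mod_gnutls"
)
'''
FIXED_CONF = BROKEN_CONF.replace('"mod_accesslog"', '"mod_accesslog",')

# Simplified tokenizer (assumption): string literals and the operators
# that matter in a list. Comments are stripped beforehand.
TOKEN_RE = re.compile(r'"((?:[^"\\]|\\.)*)"|(\+)|(,)|(=>)')
TLS_MODULES = {"mod_openssl", "mod_gnutls", "mod_mbedtls", "mod_nss", "mod_wolfssl"}

def strip_comments(text):
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())

def parse_modules(conf):
    """Return (modules, warnings) for the server.modules list in conf."""
    m = re.search(r'server\.modules\s*=\s*\((.*?)\)', strip_comments(conf), re.S)
    if not m:
        return [], ["no server.modules list found"]
    modules, warnings, current, prev = [], [], None, None
    for tok in TOKEN_RE.finditer(m.group(1)):
        s, plus, _comma, _arrow = tok.groups()
        if s is not None:
            if prev == "str":
                # Two strings with no operator: lighttpd silently joins them.
                warnings.append(f'missing separator between "{current}" and "{s}"')
                current += s
            elif prev == "+":
                current += s
            else:
                current = s
            prev = "str"
        elif plus:
            prev = "+"
        else:  # ',' or '=>' closes the current item
            if current is not None:
                modules.append(current)
            current, prev = None, None
    if current is not None:
        modules.append(current)
    return modules, warnings

def tls_module_loaded(modules):
    """True if a real TLS module name is present (not a concatenated bogus one)."""
    return any(m in TLS_MODULES for m in modules)
```

On the broken sample the only module seen is "mod_accesslogmod_gnutls", so no TLS module is loaded and the mod_openssl warning follows; the fixed sample yields the two intended modules.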
