[Solved] Inquiry about which version of lighttpd began to support TLSv1.3

Added by LeeYt84 about 1 month ago

Hello:
I apologize for the interruption. I have three questions to ask about.
Environment: The lighttpd version is 1.4.35, and the OpenSSL version is 1.0.1e.
Purpose: To have lighttpd support TLSv1.3
Approach:
1) Upgrade the OpenSSL version to 1.1.1w, and find a matching lighttpd version to achieve support for TLSv1.3
Question 1: What is the minimum version of lighttpd that supports OpenSSL 1.1.1w? We can choose a version above this one.
2) Upgrade the OpenSSL version to 1.1.1w, and modify the 1.4.35 source code to adapt to OpenSSL 1.1.1w
Question 2: If the version 1.4.35 does not support OpenSSL 1.1.1w, can TLSv1.3 be configured if the lighttpd compilation issues are resolved on OpenSSL 1.1.1w?
Doubts:
Question 3: Does the support of TLSv1.3 in lighttpd relate to the version of OpenSSL supported by lighttpd? If the supported OpenSSL version supports TLSv1.3, then lighttpd should also be able to support it, right?
3ks


Replies (7)

RE: Inquiry about which version of lighttpd began to support TLSv1.3 - Added by gstrauss about 1 month ago

Before posting, did you try building lighttpd 1.4.35 against openssl 1.1.1w and test it? What did you find? If not, why did you not try it before posting?


lighttpd 1.4.35 is ancient. Have you installed security patches which were released in subsequent versions? The current stable release is lighttpd 1.4.76.

Why are you using lighttpd 1.4.35? If you have custom patches or custom modules, I can be hired as a consultant to port the code to lighttpd 1.4.76. In doing so, I can also help isolate the code so that future lighttpd upgrades are easier, or possibly seamless.

Modern lighttpd releases also use less memory and run faster than lighttpd 1.4.35 for the same (and more) features.

RE: Inquiry about which version of lighttpd began to support TLSv1.3 - Added by gstrauss about 1 month ago

As noted in lighttpd TLS docs, all versions of openssl before openssl 3.0 are EOL (end-of-life) and no longer receiving public security updates and bug fixes from the OpenSSL Foundation (though premium support might still be available for a price).

If you are using lighttpd in embedded systems, modern lighttpd supports the mbedTLS and WolfSSL TLS libraries for smaller systems, as well as the openssl, gnutls, and nss TLS libraries.

RE: Inquiry about which version of lighttpd began to support TLSv1.3 - Added by LeeYt84 about 1 month ago

gstrauss wrote in RE: Inquiry about which version of lighttpd began to supp...:

Before posting, did you try building lighttpd 1.4.35 against openssl 1.1.1w and test it? What did you find? If not, why did you not try it before posting?

leeyt84: When compiling 1.4.35 with OpenSSL 1.1.1w, many structures that were previously accessible have been encapsulated into interfaces, and direct access to the internal structures is no longer allowed in the 1.1.1w version compared to the 1.0.1e version we were using. For example, in response.c, https_add_ssl_entries would access the data and length of xe. In the 1.1.1w version, access needs to be made through the interfaces provided.


lighttpd 1.4.35 is ancient. Have you installed security patches which were released in subsequent versions? The current stable release is lighttpd 1.4.76.

Why are you using lighttpd 1.4.35? If you have custom patches or custom modules, I can be hired as a consultant to port the code to lighttpd 1.4.76. In doing so, I can also help isolate the code so that future lighttpd upgrades are easier, or possibly seamless.

Modern lighttpd releases also use less memory and run faster than lighttpd 1.4.35 for the same (and more) features.

leeyt84: The reason for using version 1.4.35 is that the project is quite old, and there has been no need to upgrade lighttpd before. Now, I want to support TLSv1.3 with the minimal changes possible.

Is it possible to adapt version 1.4.35 to work with OpenSSL 1.1.1w to support TLSv1.3?

RE: Inquiry about which version of lighttpd began to support TLSv1.3 - Added by gstrauss about 1 month ago

Is it possible to adapt version 1.4.35 to work with OpenSSL 1.1.1w to support TLSv1.3?

https://en.wikipedia.org/wiki/Small_matter_of_programming

Go ahead and do what you like. lighttpd is open source. You clearly have not taken the strong hint that your choices of where to spend your effort are poor and suboptimal.

Later versions of lighttpd did make whatever changes were necessary to use the openssl 1.1.0 and 1.1.1 series. IIRC, this occurred at the latest when I rewrote lighttpd mod_openssl for lighttpd 1.4.56, though parts were likely patched in earlier lighttpd releases, too.

Do you have any idea how ridiculous you look to other knowledgeable programmers when you try to use lighttpd 1.4.35 -- released Mar 2014 when openssl 1.0.1 was the latest openssl release series -- with openssl 1.1.1w -- released Sep 2023? (openssl 1.1.1 series was originally released Sep 2018, over 4 years after lighttpd 1.4.35 was released.) You entirely skipped over openssl 1.0.2 series and openssl 1.1.0 series (where the interfaces changed) and are trying to use openssl 1.1.1 series. All of those openssl series were released after lighttpd 1.4.35 was released.

I wrote above:

lighttpd 1.4.35 is ancient. Have you installed security patches which were released in subsequent versions? The current stable release is lighttpd 1.4.76.

You still have not answered the question why you are unable to upgrade to lighttpd 1.4.76. Did you try using lighttpd 1.4.76?

RE: Inquiry about which version of lighttpd began to support TLSv1.3 - Added by LeeYt84 about 1 month ago

gstrauss wrote in RE: Inquiry about which version of lighttpd began to supp...:

Is it possible to adapt version 1.4.35 to work with OpenSSL 1.1.1w to support TLSv1.3?

https://en.wikipedia.org/wiki/Small_matter_of_programming

leeyt84: Yes, you are right, this would actually increase the workload.

Go ahead and do what you like. lighttpd is open source. You clearly have not taken the strong hint that your choices of where to spend your effort are poor and suboptimal.

Later versions of lighttpd did make whatever changes were necessary to use the openssl 1.1.0 and 1.1.1 series. IIRC, this occurred at the latest when I rewrote lighttpd mod_openssl for lighttpd 1.4.56, though parts were likely patched in earlier lighttpd releases, too.

Do you have any idea how ridiculous you look to other knowledgeable programmers when you try to use lighttpd 1.4.35 -- released Mar 2014 when openssl 1.0.1 was the latest openssl release series -- with openssl 1.1.1w -- released Sep 2023? (openssl 1.1.1 series was originally released Sep 2018, over 4 years after lighttpd 1.4.35 was released.) You entirely skipped over openssl 1.0.2 series and openssl 1.1.0 series (where the interfaces changed) and are trying to use openssl 1.1.1 series. All of those openssl series were released after lighttpd 1.4.35 was released.

leeyt84: Yes, I think upgrading the lighttpd version is the best approach. I have great respect for your work and I believe we cannot be more familiar with lighttpd than you are. However, the decision-making power is not in my hands; I only have the right to make suggestions. Nevertheless, I must proceed with this matter as required. Thank you very much for your detailed response.

I wrote above:

lighttpd 1.4.35 is ancient. Have you installed security patches which were released in subsequent versions? The current stable release is lighttpd 1.4.76.

You still have not answered the question why you are unable to upgrade to lighttpd 1.4.76. Did you try using lighttpd 1.4.76?

RE: [Solved] Inquiry about which version of lighttpd began to support TLSv1.3 - Added by gstrauss about 1 month ago

I can be hired as a consultant to backport the appropriate changes to lighttpd 1.4.35 to work with openssl 1.1.1w. If your boss pays me, your boss can define the deliverables.

However, I still strongly recommend lighttpd 1.4.76 instead.

RE: [Solved] Inquiry about which version of lighttpd began to support TLSv1.3 - Added by LeeYt84 about 1 month ago

gstrauss wrote in RE: [Solved] Inquiry about which version of lighttpd bega...:

I can be hired as a consultant to backport the appropriate changes to lighttpd 1.4.35 to work with openssl 1.1.1w. If your boss pays me, your boss can define the deliverables.

However, I still strongly recommend lighttpd 1.4.76 instead.

leeyt84: I will strongly recommend using a newer, more secure version. If the boss still decides to use version 1.4.35, I will convey your message. Thank you very much.
