[Solved] Support for OpenSSL 3.x Providers in Lighttpd
Hi:
As OpenSSL continues to evolve, particularly with the introduction of the "Provider" architecture in OpenSSL 3.x, I’m interested in understanding how Lighttpd plans to support this new feature. With OpenSSL 3.x, the traditional engine-based approach to cryptographic modules is being deprecated in favor of this more modular provider model.
- Does the current version of Lighttpd support OpenSSL 3.x’s Provider architecture? If so, how can it be enabled/configured?
- If not, are there plans for future versions of Lighttpd to support OpenSSL 3.x Providers?
- Is there any current workaround or alternative approach in Lighttpd to maintain compatibility with the OpenSSL 3.x Provider architecture, even if native support is not yet available?
I would greatly appreciate any insights or guidance on how to proceed with this in Lighttpd, as it’s crucial to ensure compatibility with the latest OpenSSL developments.
Thank you in advance for your help!
Replies (1)
RE: Support for OpenSSL 3.x Providers in Lighttpd - Added by gstrauss 5 days ago
> I’m interested in understanding how Lighttpd plans to support this new feature.
OpenSSL 3.0.0 was released Sep 2021, almost 3 1/2 years ago.
It's clear to me that you do not have an understanding of "this new feature", which is neither "new" nor is it a "feature".
https://github.com/openssl/openssl/blob/master/README-PROVIDERS.md
"Providers are containers for algorithm implementations."
Please configure openssl config (often openssl.cnf) how you please, preferably according to recommendations by your company security team and OS provider.
lighttpd mod_openssl works on top of the openssl library.
> as it’s crucial to ensure compatibility with the latest OpenSSL developments.
No, it's not crucial. If there is a topic you do not understand, please keep your opinions and over-generalizations to yourself; they are worthless.
lighttpd supports multiple TLS providers, which is useful when development stalls or gets side-tracked in one TLS provider, like openssl. One example: GnuTLS has production support for TLS ECH. OpenSSL has been dragging its feet for years adding TLS ECH support, despite being spoon-fed patches developed externally to add TLS ECH support to OpenSSL.
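The provider selection the reply refers to is made in the OpenSSL configuration file, not in lighttpd. The fragment below is an added illustration, not part of the thread or of lighttpd's documentation; the section names (`openssl_init`, `provider_sect`, `default_sect`, `legacy_sect`) are arbitrary labels chosen for this example.

```ini
# Constructed openssl.cnf fragment (added example) showing how OpenSSL 3.x
# providers are activated for every application linked against the library.

# Top-level pointer to the section that holds library-wide initialisation.
openssl_conf = openssl_init

[openssl_init]
# Name of the section that lists the providers to load.
providers = provider_sect

[provider_sect]
# Each entry maps a provider name to the section holding its settings.
default = default_sect
# Uncomment only if an application genuinely needs legacy algorithms
# such as MD4 or RC4, which the legacy provider contains.
# legacy = legacy_sect

[default_sect]
# Once any provider is activated explicitly in this file, the default
# provider is no longer loaded implicitly, so it must be activated here
# or its algorithms become unavailable.
activate = 1

[legacy_sect]
# Has no effect unless legacy_sect is referenced from provider_sect above.
activate = 1
```

Running `openssl list -providers` against the same configuration shows which providers are actually active. The `OPENSSL_CONF` environment variable selects a configuration file other than the system default.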