lighttpd-1.4.3x and openssl-1.0.1e
Added by lucbolo over 11 years ago
Hello,
I'm running lighttpd-1.4.33 on an embedded device, cross-compiled for ARM architecture.
I applied the patch lighttpd-1.4.33_fix_ssl_sni.patch.
I cross-compiled with SSL support, specifically against openssl-1.0.1e suite.
Previously I had lighttpd-1.4.32 and openssl-0.9.8m with HTTPS transactions fully working.
Now, after the upgrade of the openssl suite, HTTPS sessions are highly unstable: they last a few seconds and end with different errors.
The same problems occur with lighttpd-1.4.32 and 1.4.31.
Some error logs, coming from serror.log, follow:
[...]
2013-11-21 11:59:34: (connections.c.305) SSL: 1 error:1409441A:SSL routines:SSL3_READ_BYTES:tlsv1 alert decode error
[...]
2013-11-21 18:03:10: (connections.c.305) SSL: 1 error:1408C06F:SSL routines:SSL3_GET_FINISHED:bad digest length
[...]
2013-11-22 10:46:52: (connections.c.305) SSL: 1 error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac
[...]
2013-11-22 10:49:35: (connections.c.305) SSL: 1 error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
[...]
2013-11-21 11:59:48: (connections.c.277) SSL: -1 5 9 Bad file descriptor
[...]
2013-11-21 18:21:33: (connections.c.277) SSL: -1 5 25 Inappropriate ioctl for device
[...]
2013-11-21 18:21:33: (connections.c.277) SSL: -1 5 24 Too many open files
[...]
My self-signed pem file was built with the following command:
openssl req -new -x509 -sha256 -keyout lighttpd.pem -out lighttpd.pem -days 365 -nodes
I attached my "lighttpd.pem" for convenience.
My SSL engine section of lighttpd.conf is:
$SERVER["socket"] == ":443" {
ssl.engine = "enable"
ssl.pemfile = "/etc/lighttpd/certs/lighttpd.pem"
server.errorlog = "/var/log/lighttpd/serror.log"
accesslog.filename = "/var/log/lighttpd/saccess.log"
}
Attached lighttpd.conf and lighttpd-inc.conf (included file with SSL engine section)
Other services such as the ssh server (compiled against the same openssl suite) are working.
Have you experienced any weird behaviour testing lighttpd with openssl-1.0.1e?
Can't the new openssl release interoperate with lighttpd?
Thank you for your support,
Luca
Attachments: lighttpd.pem (1.61 KB), lighttpd.conf (11.2 KB), lighttpd-inc.conf (229 Bytes)
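The two kinds of log lines quoted above carry more information than the text suggests. The connections.c.305 lines are OpenSSL error-queue entries: in OpenSSL 1.0.x the hex code packs library, function and reason as 8/12/12 bits, and an SSL reason of 1000 or more is a TLS alert the *peer* sent us (alert number = reason - 1000), whereas a smaller reason is a failure detected *locally*. The connections.c.277 lines are the SSL_read return value (-1), the SSL_get_error() result (5 = SSL_ERROR_SYSCALL) and errno. The triage script below is an added example, not part of the post or of lighttpd; the sample log is the lines from this post pasted in as constructed input, and the alert-name table is a hand-picked subset of the standard TLS alert registry (an assumption about what is worth naming, not a complete list). Seeing both peer alerts (decode_error, bad_record_mac) and local MAC/digest failures on the same server is the pattern that points at the server's own crypto stack rather than at misbehaving clients.

```python
import errno
import os
import re
from collections import Counter

# Constructed sample: the serror.log lines quoted in the post above.
SAMPLE_LOG = """\
2013-11-21 11:59:34: (connections.c.305) SSL: 1 error:1409441A:SSL routines:SSL3_READ_BYTES:tlsv1 alert decode error
2013-11-21 18:03:10: (connections.c.305) SSL: 1 error:1408C06F:SSL routines:SSL3_GET_FINISHED:bad digest length
2013-11-22 10:46:52: (connections.c.305) SSL: 1 error:140943FC:SSL routines:SSL3_READ_BYTES:sslv3 alert bad record mac
2013-11-22 10:49:35: (connections.c.305) SSL: 1 error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
2013-11-21 11:59:48: (connections.c.277) SSL: -1 5 9 Bad file descriptor
2013-11-21 18:21:33: (connections.c.277) SSL: -1 5 25 Inappropriate ioctl for device
2013-11-21 18:21:33: (connections.c.277) SSL: -1 5 24 Too many open files
"""

ERR_LIB_SSL = 20             # OpenSSL ERR_LIB_SSL
SSL_AD_REASON_OFFSET = 1000  # SSL_R_*_ALERT_* reasons are 1000 + TLS alert number
SSL_ERROR_SYSCALL = 5        # SSL_get_error(): I/O error, consult errno

# Subset of the TLS alert registry (assumption: these are the ones worth naming here).
TLS_ALERTS = {0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
              40: "handshake_failure", 42: "bad_certificate", 48: "unknown_ca",
              50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
              80: "internal_error"}

# "(connections.c.305) SSL: 1 error:<hex>:<lib text>:<func text>:<reason text>"
ERRQ_RE = re.compile(r"\(connections\.c\.\d+\) SSL: \d+ error:([0-9A-Fa-f]{8}):([^:]+):([^:]+):(.*)$")
# "(connections.c.277) SSL: <ret> <ssl_error> <errno> <strerror>"
SYSCALL_RE = re.compile(r"\(connections\.c\.\d+\) SSL: (-?\d+) (\d+) (\d+) (.*)$")


def unpack_openssl_error(code):
    """Split a packed OpenSSL 1.0.x error code into (lib, func, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def classify_line(line):
    """Return a dict describing one lighttpd SSL log line, or None if it is not one."""
    m = ERRQ_RE.search(line)
    if m:
        lib, func, reason = unpack_openssl_error(int(m.group(1), 16))
        rec = {"lib": lib, "func": func, "reason": reason,
               "func_name": m.group(3), "reason_text": m.group(4).strip()}
        if lib == ERR_LIB_SSL and reason >= SSL_AD_REASON_OFFSET:
            # The remote side rejected bytes we sent and told us why.
            alert = reason - SSL_AD_REASON_OFFSET
            rec.update(kind="peer_alert", alert=alert,
                       alert_name=TLS_ALERTS.get(alert, "unknown"))
        else:
            # Our own OpenSSL rejected bytes the peer sent (MAC/digest/length checks).
            rec["kind"] = "local_failure"
        return rec
    m = SYSCALL_RE.search(line)
    if m:
        ret, ssl_err, err_no = int(m.group(1)), int(m.group(2)), int(m.group(3))
        if ssl_err == SSL_ERROR_SYSCALL:
            return {"kind": "io_error", "ret": ret, "errno": err_no,
                    "errno_name": errno.errorcode.get(err_no, "?"),
                    "strerror": os.strerror(err_no)}
        return {"kind": "ssl_error", "ret": ret, "ssl_error": ssl_err}
    return None


def triage(log_text):
    """Classify every SSL line and count kinds; both peer and local crypto
    failures together suggest the server's own TLS stack is broken."""
    records = [r for r in (classify_line(l) for l in log_text.splitlines()) if r]
    return records, Counter(r["kind"] for r in records)


if __name__ == "__main__":
    recs, counts = triage(SAMPLE_LOG)
    for r in recs:
        print(r)
    print(dict(counts))
```

The io_error lines are worth keeping apart from the crypto ones: EBADF and ENOTTY on a socket, and EMFILE on a server that should be idle, are file-descriptor handling problems, not TLS problems, and are the kind of thing an ABI mismatch between a freshly built binary and stale modules can produce.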
Replies (2)
RE: lighttpd-1.4.3x and openssl-1.0.1e - Added by stbuehler over 11 years ago
generic notes:
- don't put fastcgi socket in /tmp; use a directory only lighttpd can write (/run/lighttpd/...) if you want lighttpd to spawn them
- there is only one global error log
There shouldn't be any semantic changes for you with the patch in this example config. Maybe you didn't do a clean recompile + reinstall? As some global data structures were changed, the patch breaks the ABI.
RE: lighttpd-1.4.3x and openssl-1.0.1e - Added by lucbolo over 11 years ago
Hello,
thank you for your reply.
I supposed the patch could not have any effect, given my specific simple SSL engine section (no SNI).
About the recompilation and installation process: I started from extracting the lighttpd tarball and gave the following configure switches:
--without-bzip2 \
--without-ldap \
--without-lua \
--without-memcache \
--with-pcre \
--without-webdav-props \
--without-webdav-locks \
--disable-static \
--with-openssl=<path to openssl-1.0.1e libraries>
Since I'm using opkg package manager in my target board, these are the ipk packages I installed in the target:
lighttpd
lighttpd-module-access
lighttpd-module-accesslog
lighttpd-module-alias
lighttpd-module-dirlisting
lighttpd-module-fastcgi
lighttpd-module-indexfile
lighttpd-module-staticfile
And the shared objects linked to the lighttpd executable are:
root@my-target:~# ldd $(which lighttpd)
libpcre.so.0 => /usr/lib/libpcre.so.0 (0x2ac62000)
libdl.so.2 => /lib/libdl.so.2 (0x2ab13000)
libssl.so.1.0.0 => /usr/lib/libssl.so.1.0.0 (0x2ab7d000)
libcrypto.so.1.0.0 => /lib/libcrypto.so.1.0.0 (0x2ac8a000)
libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x2ab20000)
libc.so.6 => /lib/libc.so.6 (0x2ae53000)
/lib/ld-linux.so.3 (0x2ab57000)
Do you have any idea of the reason for the SSL problems I'm facing (since my openssl suite upgrade)?
Thanks,
Luca
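stbuehler's point about a non-clean rebuild and Luca's ldd output suggest a mechanical check before digging into TLS internals: every object that ends up in the lighttpd process (the binary and each lighttpd-module-*.so) must resolve libssl and libcrypto to one matching pair. In the ldd output above they do match by SONAME, but libssl comes from /usr/lib while libcrypto comes from /lib, which on an image that previously shipped openssl-0.9.8m is a hint that two installs may coexist. The script below is an added example, not part of the thread or of lighttpd; it parses ldd output fed in as text, and the sample is the posted ldd output plus a constructed second object (the module names are hypothetical). Run it for real by capturing `ldd` over each binary and module on the target and passing the outputs in.

```python
import re
from pathlib import PurePosixPath

# Constructed sample: the ldd output posted above for the lighttpd binary.
LDD_LIGHTTPD = """\
libpcre.so.0 => /usr/lib/libpcre.so.0 (0x2ac62000)
libdl.so.2 => /lib/libdl.so.2 (0x2ab13000)
libssl.so.1.0.0 => /usr/lib/libssl.so.1.0.0 (0x2ab7d000)
libcrypto.so.1.0.0 => /lib/libcrypto.so.1.0.0 (0x2ac8a000)
libgcc_s.so.1 => /lib/libgcc_s.so.1 (0x2ab20000)
libc.so.6 => /lib/libc.so.6 (0x2ae53000)
/lib/ld-linux.so.3 (0x2ab57000)
"""

# Constructed sample: a hypothetical stale module still linked against 0.9.8.
LDD_STALE_MODULE = """\
libssl.so.0.9.8 => /usr/lib/libssl.so.0.9.8 (0x2ab7d000)
libcrypto.so.0.9.8 => not found
libc.so.6 => /lib/libc.so.6 (0x2ae53000)
"""

LDD_LINE = re.compile(r"^\s*(\S+)\s*=>\s*(\S+|not found)(?:\s*\(0x[0-9a-f]+\))?\s*$")


def parse_ldd(text):
    """Map each SONAME in ldd output to its resolved path (None if 'not found')."""
    deps = {}
    for line in text.splitlines():
        m = LDD_LINE.match(line)
        if not m:
            continue  # e.g. the dynamic loader line, which has no "=>"
        soname, path = m.group(1), m.group(2)
        deps[soname] = None if path == "not found" else path
    return deps


def openssl_version_suffix(soname):
    """'libssl.so.1.0.0' -> '1.0.0'; None for non-OpenSSL libraries."""
    m = re.match(r"lib(?:ssl|crypto)\.so\.(.+)$", soname)
    return m.group(1) if m else None


def check_openssl_linkage(deps, expected_suffix=None):
    """Return (severity, message) findings about the OpenSSL libraries one object links."""
    findings = [("error", f"{s} not found") for s, p in deps.items() if p is None]
    ssl = {s: p for s, p in deps.items() if openssl_version_suffix(s)}
    if len(ssl) != 2:
        findings.append(("error", f"expected libssl and libcrypto, got {sorted(ssl)}"))
        return findings
    suffixes = {openssl_version_suffix(s) for s in ssl}
    if len(suffixes) != 1:
        findings.append(("error", f"libssl/libcrypto SONAME versions differ: {sorted(suffixes)}"))
    if expected_suffix and suffixes != {expected_suffix}:
        findings.append(("error", f"linked against {sorted(suffixes)}, expected {expected_suffix}"))
    dirs = {str(PurePosixPath(p).parent) for p in ssl.values() if p}
    if len(dirs) > 1:
        # Not wrong by itself, but worth confirming only one OpenSSL install exists.
        findings.append(("warning", f"libssl and libcrypto resolved from different dirs: {sorted(dirs)}"))
    return findings


def check_consistent_across(ldd_outputs, expected_suffix=None):
    """Run the per-object check over {name: ldd text} and also require that every
    object resolves each OpenSSL SONAME to the same path (one copy in the process)."""
    report = {}
    resolved = {}
    for name, text in ldd_outputs.items():
        deps = parse_ldd(text)
        report[name] = check_openssl_linkage(deps, expected_suffix)
        for s, p in deps.items():
            if openssl_version_suffix(s) and p:
                resolved.setdefault(s, set()).add(p)
    for s, paths in resolved.items():
        if len(paths) > 1:
            report.setdefault("process", []).append(("error", f"{s} resolved to several paths: {sorted(paths)}"))
    return report


if __name__ == "__main__":
    for obj, findings in check_consistent_across(
            {"lighttpd": LDD_LIGHTTPD, "mod_hypothetical.so": LDD_STALE_MODULE}, "1.0.0").items():
        for sev, msg in findings:
            print(f"{obj}: {sev}: {msg}")
```

For the posted binary alone the check yields only the /lib-versus-/usr/lib warning; the constructed stale module shows what a half-done reinstall looks like (missing library, wrong version suffix). Unrelated to the crash, stbuehler's other note also deserves action: a FastCGI socket in the world-writable /tmp can be squatted or replaced by any local user, so use a directory only lighttpd can write.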