[Solved] lighttpd-1.4.52 TLS 1.3 SSL_CTX_set_cipher_list:no cipher match

Added by tomakey almost 6 years ago

OS: Raspbian variant (Xbian) / Debian Stretch (armv7l-stretch)
$ uname -a
Linux xbian 4.9.56+ #1 SMP PREEMPT Fri Oct 13 18:32:55 CEST 2017 armv7l GNU/Linux

$ openssl version
OpenSSL 1.1.1a 20 Nov 2018

$ lighttpd -v
lighttpd/1.4.52 (ssl) - a light and fast webserver

Config line in question:
ssl.cipher-list = "TLS-CHACHA20-POLY1305-SHA256:TLS-AES-256-GCM-SHA384:TLS-AES-128-GCM-SHA256"

Specifically, TLS 1.3 ciphers provided in conf are throwing:
[....] Starting web server: lighttpd2019-01-26 00:20:42: (mod_openssl.c.785) SSL: error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match
2019-01-26 00:20:42: (server.c.1176) Initialization of plugins failed. Going down.

$ openssl ciphers
TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:.. etc. etc.

No further debug logs possible since process terminated prematurely. These debug controls only apply after successful startup:
debug.log-request-handling = "enable"
debug.log-ssl-noise = "enable"

Same openssl+lighttpd+TLS13 only conf works on Ubuntu 1804 without issues. Any ideas?


Replies (1)

RE: lighttpd-1.4.52 TLS 1.3 SSL_CTX_set_cipher_list:no cipher match - Added by gstrauss almost 6 years ago

> Same openssl+lighttpd+TLS13 only conf works on Ubuntu 1804 without issues. Any ideas?

It's likely user error. Debian Stretch ships with lighttpd 1.4.45 and, if I am not mistaken, an earlier version of openssl. It is likely that you have not built your lighttpd 1.4.52 with openssl 1.1.1a or that when you run your build of lighttpd, it is not finding your version of openssl 1.1.1a. ldd on your build of lighttpd might show this.

That cipher list works fine on Fedora 29 with openssl 1.1.1a and lighttpd 1.4.53 (to be released soon)
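
One way to carry out the `ldd` check suggested in the reply above, as an added example that is not part of the original thread or of lighttpd. The function names, the usage path and the sample `ldd` output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread; function names are hypothetical.

# Constructed sample of `ldd` output (paths and addresses are made up).
SAMPLE_LDD='
    linux-vdso.so.1 (0x7efd0000)
    libssl.so.1.1 => /usr/lib/arm-linux-gnueabihf/libssl.so.1.1 (0x76e80000)
    libcrypto.so.1.1 => /usr/lib/arm-linux-gnueabihf/libcrypto.so.1.1 (0x76c90000)
    libc.so.6 => /lib/arm-linux-gnueabihf/libc.so.6 (0x76b50000)'

# Read `ldd` output on stdin, print the resolved libssl/libcrypto paths.
ssl_lib_paths() {
    awk '$1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" && $3 ~ /^\// { print $3 }'
}

# Print the version banner compiled into a library file (libcrypto has it).
# 1.1.0 and 1.1.1 share the soname libssl.so.1.1, so the name alone is not enough.
lib_openssl_version() {
    grep -a -o 'OpenSSL [0-9][0-9.]*[a-z]*' "$1" | head -n 1
}

# TLS 1.3 was added in OpenSSL 1.1.1; succeed only for 1.1.1 or 3.x banners.
supports_tls13() {
    case "$1" in
        "OpenSSL 1.1.1"*|"OpenSSL 3."*) return 0 ;;
        *) return 1 ;;
    esac
}

# Report, for one binary or module, which OpenSSL files the loader resolves.
check_binary() {
    ldd "$1" | ssl_lib_paths | while read -r lib; do
        ver=$(lib_openssl_version "$lib")
        if [ -z "$ver" ]; then
            echo "$lib: no version banner in this file"
        elif supports_tls13 "$ver"; then
            echo "$lib: $ver (TLS 1.3 capable)"
        else
            echo "$lib: $ver (predates TLS 1.3)"
        fi
    done
}

# Usage: sh check.sh /path/to/lighttpd   (or its mod_openssl.so)
if [ "$#" -gt 0 ]; then check_binary "$1"; fi
```

A resolved path under the distribution's library directory rather than the prefix where OpenSSL 1.1.1a was installed means the running server is not using the library that `openssl version` reports.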