[Solved] TLS 1.2 or 1.1 in lighttpd 1.4.29

Added by westBlaine almost 4 years ago

I am running lighttpd 1.4.29. This is an out of date version, but I am working in QNX 6.5 SP1 and this is the latest binary version I was able to track down.

I am very new to lighttpd and I am far from an expert on web servers or TLS generally.

Currently I am able to get lighttpd to work to a point. I can see my page served up on cgi. However, as soon as I limit Win 10 to TLS 1.1 or greater, lighttpd will not respond.

I have read https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_SSL and seen the ssl.openssl.ssl-conf-cmd option note for "MinProtocol" => "TLSv1.2", but that same note states that this is only supported since 1.4.48

Here is my lighttpd.conf (with commented-out sections replaced with ... to keep it more readable):

// lighttpd.conf

...

var.server_root = "/usr/www" 
var.state_dir   = "/var/run" 
var.home_dir    = "/var/lib/lighttpd" 
#var.conf_dir    = "/etc/lighttpd" 
hosts_dir  = server_root + "/vhosts" 

## Load the modules.
include "modules.conf" 

##  Basic Configuration
## ---------------------
##
server.port = 443

##
## Document root
##
server.document-root = server_root + "/pages" 

##
## store a pid file
##
server.pid-file = state_dir + "/lighttpd.pid" 

include "conf.d/access_log.conf" 

##
## The debug options are moved into their own file.
## see conf.d/debug.conf for various options for request debugging.
##
include "conf.d/debug.conf" 

## By default lighttpd would not change the operation system default.
## But setting it to 2048 is a better default for busy servers.
##
server.max-fds = 2048

##
## Stat() call caching.
##
## lighttpd can utilize FAM/Gamin to cache stat call.
##
## possible values are:
## disable, simple or fam.
##
server.stat-cache-engine = "simple" 

##
## Fine tuning for the request handling
##
## max-connections == max-fds/2 (maybe /3)
## means the other file handles are used for fastcgi/files
##
server.max-connections = 1024

...

## files to check for if .../ is requested
## index-file.names            = ( "index.php", "index.rb", "index.html",
##                                 "index.htm", "default.htm" )
##
index-file.names += (
  "index.xhtml", "index.html", "index.htm", "default.htm", "index.php" 
)

##
## deny access the file-extensions
##
## ~    is for backupfiles from vi, emacs, joe, ...
## .inc is often used for code includes which should in general not be part
##      of the document-root
url.access-deny             = ( "~", ".inc" )

##
## disable range requests for pdf files
## workaround for a bug in the Acrobat Reader plugin.
##
$HTTP["url"] =~ "\.pdf$" {
  server.range-requests = "disable" 
}

...

##
## which extensions should not be handle via static-file transfer
##
## .php, .pl, .fcgi are most often handled by mod_fastcgi or mod_cgi
##
static-file.exclude-extensions = ( ".php", ".pl", ".fcgi", ".scgi" )

...

##
## directory listing configuration
##
include "conf.d/dirlisting.conf" 

##
## Should lighttpd follow symlinks?
## 
## 
server.follow-symlink = "enable" 

##
## force all filenames to be lowercase?
##
#server.force-lowercase-filenames = "disable" 

##
## defaults to /var/tmp as we assume it is a local harddisk
##
server.upload-dirs = ( "/var/tmp" )

#######################################################################
##
##  SSL Support
## ------------- 
##
## To enable SSL for the whole server you have to provide a valid
## certificate and have to enable the SSL engine.::
##
## BLAINE
   ssl.engine = "enable" 
   ssl.pemfile = "/root/ca/private/lighttpd.pem" 
##   ssl.pemfile = "/path/to/server.pem" 
##
## The HTTPS protocol does not allow you to use name-based virtual
## hosting with SSL. If you want to run multiple SSL servers with
## one lighttpd instance you must use IP-based virtual hosting: ::
##
##   $SERVER["socket"] == "10.0.0.1:443" {
##     ssl.engine                  = "enable" 
##     ssl.pemfile                 = "/etc/ssl/private/www.example.com.pem" 
##     server.name                 = "www.example.com" 
##
##     server.document-root        = "/srv/www/vhosts/example.com/www/" 
##   }
##

## If you have a .crt and a .key file, cat them together into a
## single PEM file:
## $ cat /etc/ssl/private/lighttpd.key /etc/ssl/certs/lighttpd.crt \
##   > /etc/ssl/private/lighttpd.pem
##
#ssl.pemfile = "/etc/ssl/private/lighttpd.pem" 

##
## optionally pass the CA certificate here.
##
##
#ssl.ca-file = "" 

// END lighttpd.conf

I would be grateful for any guidance in this. And if anyone knows of a more recent binary for QNX 6.5 SP 1, that would be very appreciated as well.

Thanks,
Blaine

Replies (6)

RE: TLS 1.2 or 1.1 in lighttpd 1.4.29 - Added by gstrauss almost 4 years ago

I would be grateful for any guidance in this. And if anyone knows of a more recent binary for QNX 6.5 SP 1, that would be very appreciated as well.

You seem to have some idea how ridiculous your request is, but I'll rephrase it for others who might find the post.

Hi, I am running software from 2011 (lighttpd 1.4.29 was released 13 Jun 2011)
Why won't it work with modern security software when my software is ancient?

More technically: lighttpd uses the openssl library for TLS. You should upgrade openssl on QNX and should keep your devices off the internet until you do so as there are known insecurities in ancient versions of openssl.

RE: TLS 1.2 or 1.1 in lighttpd 1.4.29 - Added by gstrauss almost 4 years ago

http://www.qnx.com/developers/docs/6.4.1/neutrino/utilities/o/openssl.html

Description:

OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) network protocols and related cryptography standards that they require.

"Hi. I am running ancient openssl software that supports TLS v1. Why doesn't it support TLSv1.1?"

RE: TLS 1.2 or 1.1 in lighttpd 1.4.29 - Added by westBlaine almost 4 years ago

Thank you for the quick response.

This is a project in development stages in a lab setting and our devices are NOT on the internet. They are on secure OS intranet networks only.

2011 is certainly old, but so is TLS 1.1 (April 2006) and TLS 1.2 (August 2008). I did not ask about TLS 1.3 nor did I ask if what I am working with is current as I know it isn't.

Thank you for your guidance on openssl. I have generated a self-signed cert/key pair with a current version of openssl to see if that would help, but it did not. It is possible that the problem lies with how I generated it as well.

It looks like prior to 1.4.46 openssl is part of the core of lighttpd and not in a standalone module. If the answer is simply that 1.4.29 does not support newer than TLS 1.0, I will proceed with that information.

Thanks again,

Blaine

RE: TLS 1.2 or 1.1 in lighttpd 1.4.29 - Added by gstrauss almost 4 years ago

More technically: lighttpd uses the openssl library for TLS.

I do not know how I could be clearer. The limitation is in the openssl library that you have installed, not in lighttpd. lighttpd links against openssl. It doesn't matter if that is the lighttpd executable or mod_openssl.so, and I don't know whether or not lighttpd is built statically for QNX. It doesn't matter. The answer is still the same: your ancient software, specifically ancient openssl.

The latest QNX is QNX 7.0.

Regarding lighttpd, there are published security issues that have been fixed since lighttpd 1.4.29. You should run the latest lighttpd (currently lighttpd 1.4.55) on systems exposed to the internet or potentially malicious actors.

In general, it is a best practice to keep up to date on patches and releases for most software.
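The reply above makes the point that the protocol ceiling comes from the openssl lighttpd links against, whether statically or via libssl.so / mod_openssl.so. Two checks that settle it for a given install, added here as an example (not code from this thread or from the lighttpd project): scan a binary or library for the embedded OpenSSL version banner and decide whether that release can do TLS 1.1/1.2 at all (both were introduced in OpenSSL 1.0.1), then pin `openssl s_client` to one protocol version per handshake against the live port and read off what the server actually accepts. It assumes a POSIX shell with tr, grep, sed, head and cut plus an openssl client on the machine running the probe; the file paths, host names and the two s_client transcripts used as samples are constructed for the example, not captured from the original poster's QNX box.

```shell
#!/bin/sh
# Added example, not code from the lighttpd thread or project.
# Two checks for "the limit is the openssl you link against":
#   1. which OpenSSL version is baked into a binary/library (strings-style scan)
#      and whether that release can speak TLS 1.1/1.2 at all (OpenSSL 1.0.1+);
#   2. what the live server actually negotiates, by pinning the client to one
#      protocol version per handshake with `openssl s_client`.
# Assumed: a POSIX shell with tr/grep/sed/head/cut and an openssl client;
# file paths, hosts and the s_client transcripts below are constructed.

# Pull the OPENSSL_VERSION_TEXT banner ("OpenSSL 0.9.8y 5 Feb 2013") out of
# whatever is on stdin: a statically linked lighttpd, libssl.so or mod_openssl.so.
extract_openssl_version() {
    tr -c '[:print:]' '\n' \
      | grep -o 'OpenSSL [0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*[a-z]*' \
      | head -n 1 | cut -d' ' -f2
}

# TLS 1.1 and 1.2 first appeared in OpenSSL 1.0.1; anything older tops out at TLS 1.0.
openssl_has_tls12() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')    # 1.0.2k-fips -> 1.0.2
    major=${v%%.*}; rest=${v#*.}; minor=${rest%%.*}; patch=${rest#*.}
    [ "$major" -gt 1 ] && return 0
    [ "$major" -eq 1 ] && [ "$minor" -ge 1 ] && return 0
    [ "$major" -eq 1 ] && [ "$minor" -eq 0 ] && [ "$patch" -ge 1 ] && return 0
    return 1
}

# Report for one file; a dynamically linked lighttpd carries no banner, so run
# it against the libssl it loads instead.
openssl_report() {
    ver=$(extract_openssl_version < "$1")
    if [ -z "$ver" ]; then
        echo "$1: no OpenSSL banner (dynamically linked? check the libssl it loads)"
        return 1
    fi
    if openssl_has_tls12 "$ver"; then
        echo "$1: OpenSSL $ver, TLS 1.1/1.2 capable"
    else
        echo "$1: OpenSSL $ver, TLS 1.0 at most"
    fi
}

# Reduce an `openssl s_client` transcript (stdin) to the negotiated protocol.
# Trap: on a failed handshake s_client still prints "Protocol  : TLSv1.2" for
# the version the *client* asked for, with "Cipher is (NONE)" / "Cipher : 0000",
# so the cipher lines decide whether a session exists at all.
negotiated_protocol() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q -e 'Cipher is (NONE)' -e 'Cipher *: 0000'; then
        echo none
        return 0
    fi
    proto=$(printf '%s\n' "$out" | grep -E '^ *Protocol *:' | head -n 1 | sed 's/^[^:]*: *//')
    [ -n "$proto" ] && echo "$proto" || echo none
}

# Pin the client to each version in turn; "none" means the server refused it
# (or the local openssl was built without that version: see `openssl s_client -help`).
probe_tls_versions() {
    host=$1; port=${2:-443}
    for flag in tls1 tls1_1 tls1_2; do
        result=$(openssl s_client -connect "$host:$port" "-$flag" </dev/null 2>/dev/null \
                 | negotiated_protocol)
        printf '%-7s %s\n' "$flag" "$result"
    done
}

# Constructed s_client transcripts, trimmed to the lines that matter.
SAMPLE_S_CLIENT_OK='CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256'

SAMPLE_S_CLIENT_FAIL='CONNECTED(00000003)
SSL routines:ssl3_read_bytes:tlsv1 alert protocol version
no peer certificate available
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000'

# Usage:  sh tls_probe.sh report /path/to/lighttpd [/path/to/libssl.so ...]
#         sh tls_probe.sh probe host [port]
case "${1:-}" in
    report) shift; for f in "$@"; do openssl_report "$f"; done ;;
    probe)  probe_tls_versions "$2" "$3" ;;
esac
```

Run the `report` step on the lighttpd binary first; if it prints no banner the build is dynamic and the number you want is in the libssl it loads. The `probe` step is the one to run from the Windows 10 side of the intranet (or any host with an openssl client), since a server whose openssl predates 1.0.1 will answer `none` for tls1_1 and tls1_2 and only `TLSv1` for tls1, which is exactly the symptom in the first post.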

RE: TLS 1.2 or 1.1 in lighttpd 1.4.29 - Added by westBlaine almost 4 years ago

I know best practices. Your key here is "most software". I asked a very specific question about a very specific situation involving a very specific set of tools, as "ancient" as they may be.

I was working on the assumption that the binary is built statically, but I can't confirm that with the tool set I have while working remotely. I didn't build it. Either way, the libraries are out of date as you say. Thank you for the clarification.

I will explore other options. Thank you again.

RE: TLS 1.2 or 1.1 in lighttpd 1.4.29 - Added by gstrauss almost 4 years ago

In your initial post above, you wrote:

I have read https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_SSL

I think you overlooked the section Stay Secure on that page, which documents that all versions of openssl prior to openssl 1.1.1 are end-of-life.

Yet you continued to ask questions here instead of directing your questions for your "very specific set of tools" to your commercial vendor.

I asked a very specific question about a very specific situation involving a very specific set of tools, as "ancient" as they may be.

Please direct all of your future questions to your commercial vendor.
