Lighttpd

Related: https://redmine.lighttpd.net/boards/2/topics/9627

Changes System time of Embedded Product and save it
If restart lightttpd server on Embedded product and refresh Web client page and then error isn't observed

Sounds to me like a proper solution.

Hi gstruss,

Thanks for quick reply

Is there any other way to avoid this error without restarting lighttpd server when time change ?

Do you suggest any lighttpd config/patch that will not cause this error with latest version of lighttpd ?

What update of lighttpd added validation or check and what type of check is there?

Thanks in advance for your valuable support

You seem unaware how invasive it is to change the system time via instant jumps. There is voluminous information on the internet about how to change time gradually, and the dangers of large jumps in time. I rather doubt that lighttpd is the only daemon affected by massive time changes. cron comes to mind.

Let me reframe the question more bluntly: why are you incapable of restarting system services when you trigger a time change?

Why are you so utterly helpless that you have not bothered to enter "time" and "ERR_SSL_PROTOCOL_ERROR" into a search engine?

Please do not comment here further until you spend some of your own time understanding the consequences of your actions to change the system time.

We are observing the same issue in an embedded solution.

But restarting the lighttpd is not always a solution for e.g. if you have ajax calls to allow changing the time of the system (common in the real world), it can happen that even the response to that call is already prevented with "ERR_SSL_PROTOCOL_ERROR".

So I do not think the change which was made starting with 1.4.56 was a good improvement for the real world.
Sure in the Server Farms were the time is fix or only changed once this might not be an issue, but if you have an system which is under control from user changing timezones and date and time.

So suggestion is to restart lighttpd always date/time changes?

ssl.openssl.ssl-conf-cmd += ("Options" => "-SessionTicket")

seems to help here took from src code comment:

/*
 * Note: If session tickets are -not- disabled with
 *     ssl.openssl.ssl-conf-cmd = ("Options" => "-SessionTicket")
 *   mod_openssl rotates server ticket encryption key (STEK) every 8 hours
 *   and keeps the prior two STEKs around, so ticket lifetime is 24 hours.
 *   This is fine for use with a single lighttpd instance, but with multiple
 *   lighttpd workers, no coordinated STEK (server ticket encryption key)
 *   rotation occurs unless ssl.stek-file is defined and maintained (preferred),
 *   or if some external job restarts lighttpd.  Restarting lighttpd generates a
 *   new key that is shared by lighttpd workers for the lifetime of the new key.
 *   If the rotation period expires and lighttpd has not been restarted, and if
 *   ssl.stek-file is not in use, then lighttpd workers will generate new
 *   independent keys, making session tickets less effective for session
 *   resumption, since clients have a lower chance for future connections to
 *   reach the same lighttpd worker.  However, things will still work, and a new
 *   session will be created if session resumption fails.  Admins should plan to
 *   restart lighttpd at least every 8 hours if session tickets are enabled and
 *   multiple lighttpd workers are configured.  Since that is likely disruptive,
 *   if multiple lighttpd workers are configured, ssl.stek-file should be
 *   defined and the file maintained externally.
 */

See #3075 and the duplicate issue you just filed #3080

We are observing the same issue in an embedded solution.

As I posted above, have you bothered to enter "time" and "ERR_SSL_PROTOCOL_ERROR" into a search engine?
If you did, you would have posted a summary of those answers and why you think it does not apply to your situation.