Project

General

Profile

[UE] Getting ERR_SSL_PROTOCOL_ERROR in lighttpd version 1.4.59

Added by narayan.thakkar 5 months ago

Hi Team,

We are using lighttpd Web server in Embedded product.
Following scenario shows ERR_SSL_PROTOCOL_ERROR on Web Client( Chrome Browser)
  • First login the Embedded Product and that works fine
  • Changes System time of Embedded Product and save it
  • Observe SSL_ERROR on Web Client
  • If restart lightttpd server on Embedded product and refresh Web client page and then error isn't observed

We have updated to 1.4.59 from 1.4.55. Previously with 1.4.55 version we were not observing above error on WebClient for above scenario's.

Here are some more info:
open ssl version: 1.1.1h

Please find attachment of error snapshot and wireshark log for server ip address: ip.addr == 172.25.5.50

Please provide input to avoid this error while changing time in server.

Thanks in advance,
Narayan


Replies (6)

RE: Getting ERR_SSL_PROTOCOL_ERROR in lighttpd version 1.4.59 - Added by gstrauss 5 months ago

Related: https://redmine.lighttpd.net/boards/2/topics/9627

Changes System time of Embedded Product and save it
If restart lightttpd server on Embedded product and refresh Web client page and then error isn't observed

Sounds to me like a proper solution.

RE: Getting ERR_SSL_PROTOCOL_ERROR in lighttpd version 1.4.59 - Added by narayan.thakkar 5 months ago

Hi gstruss,

Thanks for quick reply

Is there any other way to avoid this error without restarting lighttpd server when time change ?

Do you suggest any lighttpd config/patch that will not cause this error with latest version of lighttpd ?

What update of lighttpd added validation or check and what type of check is there?

Thanks in advance for your valuable support

RE: Getting ERR_SSL_PROTOCOL_ERROR in lighttpd version 1.4.59 - Added by gstrauss 5 months ago

You seem unaware how invasive it is to change the system time via instant jumps. There is voluminous information on the internet about how to change time gradually, and the dangers of large jumps in time. I rather doubt that lighttpd is the only daemon affected by massive time changes. cron comes to mind.

Let me reframe the question more bluntly: why are you incapable of restarting system services when you trigger a time change?

Why are you so utterly helpless that you have not bothered to enter "time" and "ERR_SSL_PROTOCOL_ERROR" into a search engine?

Please do not comment here further until you spend some of your own time understanding the consequences of your actions to change the system time.

RE: [UE] Getting ERR_SSL_PROTOCOL_ERROR in lighttpd version 1.4.59 - Added by Anonymous 3 months ago

We are observing the same issue in an embedded solution.

But restarting the lighttpd is not always a solution for e.g. if you have ajax calls to allow changing the time of the system (common in the real world), it can happen that even the response to that call is already prevented with "ERR_SSL_PROTOCOL_ERROR".

So I do not think the change which was made starting with 1.4.56 was a good improvement for the real world.
Sure in the Server Farms were the time is fix or only changed once this might not be an issue, but if you have an system which is under control from user changing timezones and date and time.

So suggestion is to restart lighttpd always date/time changes?

RE: [UE] Getting ERR_SSL_PROTOCOL_ERROR in lighttpd version 1.4.59 - Added by Anonymous 3 months ago

ssl.openssl.ssl-conf-cmd += ("Options" => "-SessionTicket")

seems to help here took from src code comment:

/*
 * Note: If session tickets are -not- disabled with
 *     ssl.openssl.ssl-conf-cmd = ("Options" => "-SessionTicket")
 *   mod_openssl rotates server ticket encryption key (STEK) every 8 hours
 *   and keeps the prior two STEKs around, so ticket lifetime is 24 hours.
 *   This is fine for use with a single lighttpd instance, but with multiple
 *   lighttpd workers, no coordinated STEK (server ticket encryption key)
 *   rotation occurs unless ssl.stek-file is defined and maintained (preferred),
 *   or if some external job restarts lighttpd.  Restarting lighttpd generates a
 *   new key that is shared by lighttpd workers for the lifetime of the new key.
 *   If the rotation period expires and lighttpd has not been restarted, and if
 *   ssl.stek-file is not in use, then lighttpd workers will generate new
 *   independent keys, making session tickets less effective for session
 *   resumption, since clients have a lower chance for future connections to
 *   reach the same lighttpd worker.  However, things will still work, and a new
 *   session will be created if session resumption fails.  Admins should plan to
 *   restart lighttpd at least every 8 hours if session tickets are enabled and
 *   multiple lighttpd workers are configured.  Since that is likely disruptive,
 *   if multiple lighttpd workers are configured, ssl.stek-file should be
 *   defined and the file maintained externally.
 */

RE: [UE] Getting ERR_SSL_PROTOCOL_ERROR in lighttpd version 1.4.59 - Added by gstrauss 3 months ago

See #3075 and the duplicate issue you just filed #3080

We are observing the same issue in an embedded solution.

As I posted above, have you bothered to enter "time" and "ERR_SSL_PROTOCOL_ERROR" into a search engine?
If you did, you would have posted a summary of those answers and why you think it does not apply to your situation.

    (1-6/6)