Bug #2239


lighttpd 1.4.26 does not support sha256 encoding algorithm for SSL certs

Added by jpc over 13 years ago. Updated almost 13 years ago.


I use SSL certs that have been generated using sha256 encoding algorithm.

When I connect to my server using wget, the connection fails with:

OpenSSL: error:0B07C065:x509 certificate routines:X509_STORE_add_cert:cert already in hash table
OpenSSL: error:1409441B:SSL routines:SSL3_READ_BYTES:tlsv1 alert decrypt error
Unable to establish SSL connection.

In lighttpd error I see:

2010-07-21 00:29:59: (connections.c.294) SSL: 1 error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm
2010-07-21 00:29:59: (connections.c.294) SSL: 1 error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned

Looking at the lighttpd source code, I added a call to OpenSSL_add_all_algorithms() right after the library init by SSL_library_init() (this is in network.c).

This resolved my problem.

See proposed patch in attachment.


ssl-encoding-algorithms.diff (357 Bytes) - Proposed patch - jpc, 2010-07-22 02:59

#2
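The failure described above (the server's crypto library cannot verify a SHA-256 signed certificate) is easiest to reproduce and check from the command line. The following script is an added example, not the reporter's patch or lighttpd code: it generates a self-signed SHA-256 certificate the way the reporter did with openssl req, reads back the signature algorithm recorded in it, and verifies the signature with the same OpenSSL build. It assumes only that the openssl command-line tool is installed; the function names make_sha256_cert, cert_sig_alg and verify_self_signed and the subject name example.test are this example's own.

```shell
#!/bin/sh
# Added example (not from the lighttpd ticket or its patch): reproduce the
# ticket's setup with a self-signed SHA-256 certificate and check which
# digest signs it, then verify it with the installed openssl CLI.
# Assumption: the `openssl` command-line tool is on PATH.

set -eu

# Generate an RSA key and a self-signed certificate whose signature uses
# SHA-256 (the -sha256 switch selects the signing digest for `openssl req`).
make_sha256_cert() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=example.test" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" >/dev/null 2>&1
}

# Print the signature algorithm recorded in a certificate,
# e.g. "sha256WithRSAEncryption" (first occurrence in the text dump).
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Verify the certificate against itself as trust anchor; prints "ok" or
# "fail". A crypto library that has not registered the SHA-256 digest fails
# here with "unknown message digest algorithm", the error in the ticket log.
verify_self_signed() {
    if openssl verify -CAfile "$1" "$1" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

# Usage: run the whole check in a throwaway directory.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
make_sha256_cert "$tmp"
echo "signature algorithm: $(cert_sig_alg "$tmp/cert.pem")"
echo "self-verify: $(verify_self_signed "$tmp/cert.pem")"
```

Run the same cert_sig_alg check against the certificate a server actually serves to confirm it is SHA-256 signed, and verify_self_signed against the deployed trust anchor to confirm the local OpenSSL build can validate that digest before pointing clients at it.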

Updated by jpc over 13 years ago

Note that the patch has been tested with lighttpd 1.4.26

#3

Updated by jpc over 13 years ago

Also, about the SSL certs: they have been generated using the option -digest sha256 for the openssl req command.

#4

Updated by jpc over 13 years ago

  • Status changed from New to Patch Pending

#5

Updated by stbuehler over 13 years ago

afaik you could compile lighty against libgnutls instead of openssl; would this change anything?
Do we need to check for this "feature"?

(I really hate openssl. can't they just provide one "init-all-we-need" function?...)

#6

Updated by jpc over 13 years ago

The build environment is using openssl, not libgnutls, and I cannot change that, unfortunately.

I have not tested gnutls with lighttpd; I don't know if it would work.

#7

Updated by Olaf-van-der-Spek over 13 years ago

Why isn't sha256 enabled by default?
Have you asked openssl to enable this by default?

#8

Updated by jpc over 13 years ago

That is a good question. I did not talk to openssl developers. It's an interesting suggestion as I had to do the same patch on another opensource project which depends on openssl as well.

#9

Updated by stbuehler about 13 years ago

  • Status changed from Patch Pending to Fixed
  • % Done changed from 0 to 100

Applied in changeset r2780.

#10

Updated by stbuehler almost 13 years ago

  • Target version changed from 1.4.x to 1.4.29
