Bug #2239
Status: closed
lighttpd 1.4.26 does not support sha256 encoding algorithm for SSL certs
Description
I use SSL certs that have been generated using the sha256 encoding algorithm.
When I connect to my server using wget, the connection fails with:
OpenSSL: error:0B07C065:x509 certificate routines:X509_STORE_add_cert:cert already in hash table
OpenSSL: error:1409441B:SSL routines:SSL3_READ_BYTES:tlsv1 alert decrypt error
Unable to establish SSL connection.
In the lighttpd error log I see:
2010-07-21 00:29:59: (connections.c.294) SSL: 1 error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm
2010-07-21 00:29:59: (connections.c.294) SSL: 1 error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Looking at the lighttpd source code, I added a call to OpenSSL_add_all_algorithms() right after the library init by SSL_library_init() (this is in network.c).
This resolved my problem.
See proposed patch in attachment
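An added example (not part of the bug report or of lighttpd's code) for checking which digest a certificate is signed with, since SHA-256-signed certificates are what exposed the missing OpenSSL_add_all_algorithms() call above. It reads the outer signatureAlgorithm of a PEM or DER certificate using only the standard library; the sample certificates are constructed skeletons (empty tbsCertificate, dummy signature) that carry genuine AlgorithmIdentifier encodings.

```python
import base64
import re

SIG_ALGS = {  # signature-algorithm OIDs of interest; anything else reports as "unknown"
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}

def _tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _oid(value):
    """Decode OBJECT IDENTIFIER content octets to dotted notation."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                    # a clear high bit ends a base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert):
    """Return (oid, name) from the outer signatureAlgorithm of a PEM (str) or DER (bytes) cert."""
    if isinstance(cert, str):               # PEM: strip armour lines and whitespace, then decode
        cert = base64.b64decode(re.sub(r"-----[^-]+-----|\s", "", cert))
    _, body, _ = _tlv(cert, 0)              # Certificate ::= SEQUENCE { tbs, sigAlg, sigValue }
    _, _, pos = _tlv(body, 0)               # skip tbsCertificate
    _, algid, _ = _tlv(body, pos)           # signatureAlgorithm ::= AlgorithmIdentifier
    tag, oid_bytes, _ = _tlv(algid, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    oid = _oid(oid_bytes)
    return oid, SIG_ALGS.get(oid, "unknown")

def _der(tag, payload):
    """Encode one short-form TLV (payload < 128 bytes); enough for the constructed samples."""
    return bytes([tag, len(payload)]) + payload

def sample_cert(algid_hex):
    """Constructed Certificate skeleton: empty tbsCertificate, real AlgorithmIdentifier, dummy sig."""
    return _der(0x30, _der(0x30, b"") + bytes.fromhex(algid_hex) + _der(0x03, b"\x00"))

# Genuine DER for the sha256WithRSAEncryption and sha1WithRSAEncryption AlgorithmIdentifiers
CERT_SHA256 = sample_cert("300d06092a864886f70d01010b0500")
CERT_SHA1 = sample_cert("300d06092a864886f70d0101050500")
CERT_SHA256_PEM = "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n" % base64.encodebytes(CERT_SHA256).decode()
```

Run against a real server or client certificate file to see whether it is one of the SHA-256-signed certificates that an OpenSSL build without registered digests cannot verify.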
Updated by jpc over 14 years ago
Note that the patch has been tested with lighttpd 1.4.26
Updated by jpc over 14 years ago
Also, about the SSL certs: they have been generated using the option -digest sha256 for the openssl req command.
Updated by stbuehler over 14 years ago
afaik you could compile lighty against libgnutls instead of openssl; would this change anything?
Do we need to check for this "feature"?
(I really hate openssl. can't they just provide one "init-all-we-need" function?...)
Updated by jpc over 14 years ago
The build environment is using openssl, not libgnutls, and I cannot change that, unfortunately.
I have not tested gnutls with lighttpd; I don't know if it would work.
Updated by Olaf-van-der-Spek over 14 years ago
Why isn't sha256 enabled by default?
Have you asked openssl to enable this by default?
Updated by jpc over 14 years ago
That is a good question. I did not talk to the openssl developers. It's an interesting suggestion, as I had to apply the same patch to another open-source project which depends on openssl as well.
Updated by stbuehler almost 14 years ago
- Status changed from Patch Pending to Fixed
- % Done changed from 0 to 100
Applied in changeset r2780.
Updated by stbuehler over 13 years ago
- Target version changed from 1.4.x to 1.4.29