Project

General

Profile

Bug #2239

lighttpd 1.4.26 does not support sha256 encoding algorithm for SSL certs

Added by jpc over 9 years ago. Updated over 8 years ago.

Status:
Fixed
Priority:
Normal
Assignee:
-
Category:
core
Target version:
Start date:
2010-07-22
Due date:
% Done:

100%

Estimated time:
Missing in 1.5.x:
No

Description

I use SSL certs that have been generated using sha256 encoding algorithm.

When I connect to my server using wget, the connection fails with:

OpenSSL: error:0B07C065:x509 certificate routines:X509_STORE_add_cert:cert already in hash table
OpenSSL: error:1409441B:SSL routines:SSL3_READ_BYTES:tlsv1 alert decrypt error
Unable to establish SSL connection.

In lighttpd error I see:

2010-07-21 00:29:59: (connections.c.294) SSL: 1 error:0D0C50A1:asn1 encoding routines:ASN1_item_verify:unknown message digest algorithm
2010-07-21 00:29:59: (connections.c.294) SSL: 1 error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned

Looking at lighttpd source, code I added a call to OpenSSL_add_all_algorithms() right after the library init by SSL_library_init() (this is in network.c)

This resolved my problem.

See proposed patch in attachment


Files

ssl-encoding-algorithms.diff (357 Bytes) ssl-encoding-algorithms.diff Proposed patch jpc, 2010-07-22 02:59
#2

Updated by jpc over 9 years ago

Note that the patch has been tested with lighttpd 1.4.26

#3

Updated by jpc over 9 years ago

Also, about the SSL certs: they have been generate using the option -digest sha256 for the openssl req command.

#4

Updated by jpc over 9 years ago

  • Status changed from New to Patch Pending
#5

Updated by stbuehler over 9 years ago

afaik you could compile lighty against libgnutls instead of openssl; would this change anything?
Do we need to check for this "feature"?

(I really hate openssl. can't they just provide one "init-all-we-need" function?...)

#6

Updated by jpc over 9 years ago

The build environment is using openssl not libgnutls and I can not change that unfortunately.

I have not tested gnutls with lighttpd, I don't know if it would work?

#7

Updated by Olaf-van-der-Spek over 9 years ago

Why isn't sha256 enabled by default?
Have you asked openssl to enable this by default?

#8

Updated by jpc over 9 years ago

That is a good question. I did not talk to openssl developers. It's an interesting suggestion as I had to do the same patch on another opensource project which depends on openssl as well.

#9

Updated by stbuehler almost 9 years ago

  • Status changed from Patch Pending to Fixed
  • % Done changed from 0 to 100

Applied in changeset r2780.

#10

Updated by stbuehler over 8 years ago

  • Target version changed from 1.4.x to 1.4.29

Also available in: Atom