Bug #2525 (closed)
ssl.cipher-list not inherited into SNI
Description
When defining an ssl.cipher-list, it works for the 'default' HTTPS setup ($SERVER["socket"] 443 block), but when you utilize SNI ($HTTP["host"] blocks within the $SERVER["socket"] block) the ssl.cipher-list seems to not inherit into the host blocks and instead will default to include all of the available openssl ciphers (except SSL v2/v3 based if those are disabled).
Attempting to move ssl.cipher-list to inside of each host block unfortunately causes the individual SNI ssl.pemfile to stop being used and causes lighttpd to use whatever the default ssl.pemfile configured is (if one is set, otherwise it will fail to start lighttpd with a "ssl.pemfile has to be set" error).
Tested and confirmed to be an issue in at least 1.4.33 and 1.4.32.
Updated by nate about 11 years ago
*inherited (shoulda known better than to make a post when I just wake up...)
Updated by stbuehler about 11 years ago
- Subject changed from ssl.cipher-list not inhereted into SNI to ssl.cipher-list not inherited into SNI
Updated by stbuehler about 11 years ago
Setting ssl.cipher-list in the same blocks as ssl.pemfile worked for me. If this breaks SNI for you please open another bug with details (minimal config that reproduces the problem, openssl s_client log).
You always need a default ssl.pemfile, as not every client supports SNI.
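The layout the maintainer describes, written out as an added lighttpd configuration example (not taken from the bug report or from the lighttpd project): a default ssl.pemfile on the socket, and ssl.cipher-list repeated in every SNI host block next to that host's ssl.pemfile. The certificate paths, host names and the cipher string are assumed example values.

```conf
# Added example, not from the original report. Paths, host names and the
# cipher string "HIGH:!aNULL:!MD5" are assumed example values.
$SERVER["socket"] == "0.0.0.0:443" {
    ssl.engine = "enable"

    # A default certificate is always required: clients without SNI
    # support (and any host not matched below) are served this one.
    ssl.pemfile     = "/etc/lighttpd/ssl/default.pem"

    # Cipher list for the default certificate. Per the report above, in
    # 1.4.32/1.4.33 this socket-level setting was not applied inside the
    # SNI host blocks, which then fell back to every cipher OpenSSL offers.
    ssl.cipher-list = "HIGH:!aNULL:!MD5"

    # SNI virtual host: set ssl.cipher-list in the same block as
    # ssl.pemfile, which is the layout the maintainer confirmed working.
    $HTTP["host"] == "www.example.org" {
        ssl.pemfile     = "/etc/lighttpd/ssl/www.example.org.pem"
        ssl.cipher-list = "HIGH:!aNULL:!MD5"
    }

    # Second SNI host, same pattern: certificate and cipher list together.
    $HTTP["host"] == "mail.example.org" {
        ssl.pemfile     = "/etc/lighttpd/ssl/mail.example.org.pem"
        ssl.cipher-list = "HIGH:!aNULL:!MD5"
    }
}
```

To confirm the list is in effect for a given host, connect with `openssl s_client -connect <server>:443 -servername www.example.org` and check the negotiated cipher in the output, which is the kind of log the maintainer asks for in a follow-up report.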
Updated by stbuehler about 11 years ago
- Status changed from New to Fixed
- % Done changed from 0 to 100
Applied in changeset r2913.