Bug #2565

closed

config file options for disabling use of TLS versions

Added by brad@comstyle.com about 7 years ago. Updated about 1 month ago.

Status: Fixed
Priority: Normal
Category: -
Target version:
ASK QUESTIONS IN Forums: No

Description

lighttpd currently has the options ssl.use-sslv2 and ssl.use-sslv3 to control the use of SSL versions but there are no options to control the use of TLS versions. IMO adding more options in the same manner seems like a poor way of doing things. It would be better to add a new option that can control all current versions of SSL (v2 / v3) and TLS (1 / 1.1 / 1.2) and be future proof for TLS1.3 and so on.

Actions #1

Updated by stbuehler about 7 years ago

  • Status changed from New to Wontfix

tell the openssl guys to support version selection through the cipher string - that is the only way it can be really future proof.

Actions #2

Updated by brad@comstyle.com about 7 years ago

stbuehler wrote:

tell the openssl guys to support version selection through the cipher string - that is the only way it can be really future proof.

Every other web server, SMTP server, proxy and so on has options for controlling this behavior except for lighttpd.

Actions #3

Updated by gstrauss over 4 years ago

FYI: in the not-yet-released openssl 1.1.0: SSL_CONF_cmd https://www.openssl.org/docs/man1.1.0/ssl/SSL_CONF_cmd.html

Actions #4

Updated by gstrauss about 1 month ago

  • Status changed from Wontfix to Fixed
  • Target version set to 1.4.x
  • ASK QUESTIONS IN Forums set to No

lighttpd 1.4.48 (released Nov 2017) provides a new directive to configure openssl: ssl.openssl.ssl-conf-cmd

lighttpd TLS docs
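
An added example, not part of the ticket thread or the lighttpd project's own text: a configuration fragment contrasting the per-version SSL switches named in the description with the ssl.openssl.ssl-conf-cmd directive named in the last update. The command names and values ("MinProtocol", "Protocol", "TLSv1.2") are assumptions taken from OpenSSL's SSL_CONF_cmd manual page linked above, and the TLS 1.2 floor is a sample policy.

```conf
# lighttpd.conf fragment (constructed for illustration)

# Legacy switches: they cover only SSLv2 and SSLv3, so TLS 1.0 and TLS 1.1
# cannot be turned off with them.
ssl.use-sslv2 = "disable"
ssl.use-sslv3 = "disable"

# lighttpd 1.4.48 and later: hand an SSL_CONF_cmd command/value pair to OpenSSL.
# "MinProtocol" sets a floor, so SSLv3, TLS 1.0 and TLS 1.1 are refused while
# newer TLS versions remain available without another config change.
ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2")

# Alternative when the linked OpenSSL library has no "MinProtocol" command
# (it is documented in the 1.1.0 manual page): enable versions explicitly.
# This form is an allow-list, so each new TLS version must be added by hand.
# ssl.openssl.ssl-conf-cmd = ("Protocol" => "-ALL, TLSv1.2")
```

To check the result after a reload, `openssl s_client -connect <host>:443 -tls1_1` should fail the handshake while the same command with `-tls1_2` should complete it.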
