Project

General

Profile

Bug #2837

HTTPS requests timeout when cert not set for socket

Added by billbrasky almost 3 years ago. Updated almost 3 years ago.

Status:
Fixed
Priority:
Normal
Category:
TLS
Target version:
ASK QUESTIONS IN Forums:

Description

No error is given at startup, and lighttpd times out on HTTPS requests with this config:

$SERVER["socket"] == ":443" {
    $HTTP["host"] == "my.host.net" {
        ssl.engine = "enable" 
        ssl.use-sslv2 = "disable" 
        ssl.use-sslv3 = "disable" 
        ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES128+EECDH:AES128+EDH" 
        ssl.pemfile = "cert.pem" 
        ssl.ca-file = "fullchain.pem" 
    }
}

It does NOT hang when a cert is set at the socket-level:

$SERVER["socket"] == ":443" {
    ssl.engine = "enable" 
    ssl.use-sslv2 = "disable" 
    ssl.use-sslv3 = "disable" 
    ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES128+EECDH:AES128+EDH" 
    ssl.pemfile = "cert2.pem" 
    ssl.ca-file = "fullchain2.pem" 

    $HTTP["host"] == "my.host.net" {
        ssl.pemfile = "cert.pem" 
        ssl.ca-file = "fullchain.pem" 
    }
}

I would expect an error to be printed at startup if the first configuration is invalid.

#1

Updated by gstrauss almost 3 years ago

Seems like some warnings are in order.

More than a few ssl.* directives makes sense only when configured on the $SERVER["socket"], including ssl.engine = "enable"

#2

Updated by gstrauss almost 3 years ago

  • Status changed from New to Patch Pending
  • Target version changed from 1.4.x to 1.4.48
--- a/src/mod_openssl.c
+++ b/src/mod_openssl.c
@@ -989,6 +989,12 @@ SETDEFAULTS_FUNC(mod_openssl_set_defaults)
                 }
             }
         }
+
+        if (0 != i && s->ssl_enabled && config->comp != COMP_SERVER_SOCKET) {
+            log_error_write(srv, __FILE__, __LINE__, "s",
+                            "ssl.engine valid is only in global scope " 
+                            "or $SERVER[\"socket\"] condition");
+        }
     }

     if (0 != network_init_ssl(srv, p)) return HANDLER_ERROR;
#3

Updated by gstrauss almost 3 years ago

  • Status changed from Patch Pending to Fixed
  • % Done changed from 0 to 100

Also available in: Atom